OpenShift RBAC Explained¶
Introduction¶
RBAC decides which users, groups and service accounts may perform which verbs (get, list, create, delete, use, ...) on which resources, either inside one project or cluster-wide. oc auth can-i is the quickest safe test to run before changing RoleBindings: it asks the API server's authorizer and changes nothing. Add --as=<user> or --as=system:serviceaccount:<project>:<name> to test as the affected subject rather than as yourself (impersonation itself requires permission, which cluster-admin has).
Core Concepts¶
OpenShift uses Kubernetes RBAC and extends it to its own resources (Projects, Routes, ImageStreams, Builds, Operators and SCCs). A Role holds rules (verbs on resources) inside one project; a ClusterRole holds rules that apply cluster-wide or, when referenced from a RoleBinding, only inside that binding's project. A RoleBinding grants a Role or ClusterRole to subjects (User, Group or ServiceAccount) within one project; a ClusterRoleBinding grants a ClusterRole everywhere. OpenShift ships default ClusterRoles such as view, edit, admin and cluster-admin, and SCC access is itself an RBAC grant: the use verb on securitycontextconstraints. Permissions are purely additive, there is no deny rule, so a subject can do anything that any one of its bindings allows.
Practical Examples¶
oc auth can-i get pods -n app
oc auth can-i create routes -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Example output, one line per oc auth can-i call (the first runs as you, the second impersonates developer; the command also exits 0 for yes and 1 for no, so it can drive scripts):
yes
no
Example YAML¶
# Grants the built-in edit ClusterRole to the user developer, scoped to project app
# because the binding is a namespaced RoleBinding. roleRef is immutable: to point
# the binding at a different role, delete and recreate it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit-developer
  namespace: app
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
Verification¶
oc auth can-i get pods -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Once the binding exists the can-i call prints yes, oc get rolebinding lists edit-developer with ROLE ClusterRole/edit, and the describe output shows User developer under Subjects. If it still says no, check that the RoleBinding is in the project you are testing and that the subject name matches the identity exactly (for a service account: system:serviceaccount:<project>:<name>).
Common Mistakes¶
- Granting cluster-admin for a namespace-scoped problem: a RoleBinding to admin or edit in the one project is almost always enough, and cluster-admin through a ClusterRoleBinding reaches every project, every node and every RBAC object.
- Testing permissions as yourself instead of the affected user or service account: run oc auth can-i with --as=<user> or --as=system:serviceaccount:<project>:<name>, because your own (usually broader) rights tell you nothing about theirs.
- Forgetting that SCC use is also authorized through RBAC: the use verb on securitycontextconstraints is granted by a role binding, so a pod rejected by an SCC is often a missing binding for the pod's service account, not a missing SCC.
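The verification commands above and the second mistake (testing as yourself) come together in the script below. It is an added example, not code from the page or from the OpenShift project: it runs oc auth can-i once per verb/resource pair while impersonating the subject with --as, and then checks the same subject for grants that would let it widen its own access. Project app, user developer, user ops and the service account system:serviceaccount:app:builder are hypothetical names; fake_oc is a constructed stand-in for oc, used only so the script can be read and run without a cluster.

```shell
#!/bin/sh
# Added example (not from the page or the OpenShift project): run the page's
# `oc auth can-i` check once per verb/resource pair while impersonating the
# subject with --as, so permissions are tested as the affected identity rather
# than as yourself. Hypothetical names: project "app", user "developer",
# cluster-admin user "ops", service account system:serviceaccount:app:builder.

# OC names the command to call. The default is the real oc; fake_oc below is a
# constructed stand-in so the script can be run and read without a cluster.
OC=${OC:-oc}

# fake_oc auth can-i VERB RESOURCE -n NS --as=SUBJECT
# Constructed answers for a cluster where the page's RoleBinding gives developer
# the edit ClusterRole in app, ops holds cluster-admin, and nothing else is bound.
fake_oc() {
  shift 2                                   # drop "auth can-i"
  verb=$1; resource=$2; shift 2
  ns=; subject=
  while [ $# -gt 0 ]; do
    case $1 in
      -n) ns=$2; shift ;;
      --as=*) subject=${1#--as=} ;;
    esac
    shift
  done
  case "$subject:$ns" in
    ops:*) echo yes; return 0 ;;            # cluster-admin: everything, everywhere
    developer:app)
      case "$verb:$resource" in
        *:rolebindings|*:roles|*:clusterrole*|use:*)
          echo no; return 1 ;;              # edit cannot hand out roles or use privileged SCCs
        *) echo yes; return 0 ;;            # edit: ordinary workload verbs inside app
      esac ;;
    *) echo no; return 1 ;;                 # unbound subject or other project: denied
  esac
}

# can_i VERB RESOURCE NAMESPACE SUBJECT -> exit 0 if allowed, 1 otherwise.
# oc auth can-i prints yes/no and exits non-zero on "no"; the status is swallowed
# so the printed answer is what gets compared.
can_i() {
  answer=$("$OC" auth can-i "$1" "$2" -n "$3" --as="$4" 2>/dev/null || true)
  [ "$answer" = yes ]
}

# access_matrix NAMESPACE SUBJECT: one yes/no line per pair, then a summary line.
access_matrix() {
  ns=$1; subject=$2; allowed=0; total=0
  for pair in get:pods list:secrets create:routes delete:deployments; do
    verb=${pair%%:*}; resource=${pair#*:}
    total=$((total + 1))
    if can_i "$verb" "$resource" "$ns" "$subject"; then
      allowed=$((allowed + 1)); echo "yes $verb $resource"
    else
      echo "no  $verb $resource"
    fi
  done
  echo "$allowed/$total allowed for $subject in $ns"
}

# privilege_audit NAMESPACE SUBJECT: flag grants that let a subject widen its own
# access (binding roles, escalating rules, using the privileged SCC). Exit 0 when
# clean, 1 when anything is flagged; the last line gives the finding count.
privilege_audit() {
  ns=$1; subject=$2; findings=0
  for pair in create:rolebindings bind:clusterroles escalate:roles \
              create:clusterrolebindings use:securitycontextconstraints/privileged; do
    verb=${pair%%:*}; resource=${pair#*:}
    if can_i "$verb" "$resource" "$ns" "$subject"; then
      findings=$((findings + 1)); echo "WARN $subject can $verb $resource in $ns"
    fi
  done
  echo "$findings finding(s) for $subject in $ns"
  if [ "$findings" -eq 0 ]; then return 0; fi
  return 1
}

# Demo: use the real oc when it is installed, otherwise the constructed stand-in.
command -v "$OC" >/dev/null 2>&1 || OC=fake_oc
access_matrix app developer
access_matrix app system:serviceaccount:app:builder
privilege_audit app ops
privilege_audit app developer
```

Against a real cluster, leave OC unset and run it as an account allowed to impersonate; the fake_oc function is then never called. The privilege_audit pairs are the grants that turn a project-scoped role into a path to more: creating RoleBindings or ClusterRoleBindings, the bind and escalate RBAC verbs, and use on the privileged SCC.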
Quick Checklist¶
- Confirm the active project (oc project) and the project in the error; a binding in the wrong namespace grants nothing where you are testing.
- Read the Forbidden message exactly: it names the user or service account, the verb, the resource and API group, and the namespace, which is all the information the fix needs.
- Read recent events (oc get events -n <project>) for failures the command itself did not surface, such as a pod rejected by an SCC.
- Apply one focused fix: a RoleBinding to an existing ClusterRole (view, edit, admin) in that project, not a broader grant.
- Verify after the change with oc auth can-i --as=<subject> and oc describe rolebinding, as the affected identity.
Summary¶
OpenShift RBAC comes down to four objects (Role, ClusterRole, RoleBinding, ClusterRoleBinding) plus the subjects they name, and the oc commands that show their current state: oc auth can-i --as=<subject> to test a permission without changing anything, oc get and oc describe rolebinding to see which binding grants it. Test as the affected identity, keep grants project-scoped, and remember that SCC access is an RBAC grant like any other.