Chapter 8. Managing Authorization Policies
8.1. Overview
You can use the CLI to view authorization policies and the administrator CLI to manage the roles and bindings within a policy.
8.2. Viewing Roles and Bindings
Roles grant various levels of access in the system-wide cluster policy as well as project-scoped local policies. Users and groups can be associated with, or bound to, multiple roles at the same time. You can view details about the roles and their bindings using the oc describe
command.
Users with the cluster-admindefault role in the cluster policy can view cluster policy and all local policies. Users with the admin default role in a given local policy can view that project-scoped policy.
Review a full list of verbs in the Evaluating Authorization section.
8.2.1. Viewing Cluster Policy
To view the cluster roles and their associated rule sets in the cluster policy:
$ oc describe clusterPolicy default
Example 8.1. Viewing Cluster Roles
$ oc describe clusterPolicy default Name: default Created: 5 days ago Labels: <none> Annotations: <none> Last Modified: 2016-03-17 13:25:27 -0400 EDT admin Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create delete deletecollection get list patch update watch] [] [] [] [configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [create delete deletecollection get list patch update watch] [] [] [] [buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/custom builds/docker builds/log builds/source deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates] [create delete deletecollection get list patch update watch] [] [] [autoscaling] [horizontalpodautoscalers] [create delete deletecollection get list patch update watch] [] [] [batch] [jobs] [create delete deletecollection get list patch update watch] [] [] [extensions] [daemonsets horizontalpodautoscalers jobs replicationcontrollers/scale] [get list watch] [] [] [] [bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services] [get update] [] [] [] [imagestreams/layers] [update] [] [] [] [routes/status] basic-user Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get] [] [~] [] [users] [list] [] [] [] [projectrequests] [get list] [] [] [] [clusterroles] [list] [] [] [] [projects] [create] [] IsPersonalSubjectAccessReview [] [] [localsubjectaccessreviews subjectaccessreviews] cluster-admin Verbs Non-Resource URLs Extension Resource Names API Groups Resources [*] [] [] [*] [*] [*] [*] [] [] [] cluster-reader Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [bindings buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/details builds/log clusternetworks clusterpolicies clusterpolicybindings clusterrolebindings clusterroles configmaps deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments endpoints events generatedeploymentconfigs groups hostsubnets identities images imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/status imagestreamtags limitranges localresourceaccessreviews localsubjectaccessreviews minions namespaces netnamespaces nodes oauthclientauthorizations oauthclients persistentvolumeclaims persistentvolumes pods pods/log policies policybindings processedtemplates projectrequests projects replicationcontrollers resourceaccessreviews resourcequotas resourcequotausages rolebindings roles routes routes/status securitycontextconstraints serviceaccounts services subjectaccessreviews templateconfigs templates useridentitymappings users] [get list watch] [] [] [autoscaling] [horizontalpodautoscalers] [get list watch] [] [] [batch] [jobs] [get list watch] [] [] [extensions] [daemonsets horizontalpodautoscalers jobs replicationcontrollers/scale] [create] [] [] [] [resourceaccessreviews subjectaccessreviews] [get] [] [] [] [nodes/metrics] [create get] [] [] [] [nodes/stats] [get] [*] [] [] [] cluster-status Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get] [/api /api/* /apis /apis/* /healthz /healthz/* /oapi /oapi/* /osapi /osapi/ /version] [] [] [] edit Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create delete deletecollection get list patch update watch] [] [] [] [configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [create delete deletecollection get list patch update watch] [] [] [] [buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/custom builds/docker builds/log builds/source deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags processedtemplates routes templateconfigs templates] [create delete deletecollection get list patch update watch] [] [] [autoscaling] [horizontalpodautoscalers] [create delete deletecollection get list patch update watch] [] [] [batch] [jobs] [create delete deletecollection get list patch update watch] [] [] [extensions] [daemonsets horizontalpodautoscalers jobs replicationcontrollers/scale] [get list watch] [] [] [] [bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status projects replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services] [get update] [] [] [] [imagestreams/layers] registry-admin Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create delete deletecollection get list patch update watch] [] [] [] [imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags] [create delete deletecollection get list patch update watch] [] [] [] [localresourceaccessreviews localsubjectaccessreviews resourceaccessreviews rolebindings roles subjectaccessreviews] [get update] [] [] [] [imagestreams/layers] [get list watch] [] [] [] [policies policybindings] [get] [] [] [] [namespaces projects] registry-editor Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get] [] [] [] [namespaces projects] [create delete deletecollection get list patch update watch] [] [] [] [imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags] [get update] [] [] [] [imagestreams/layers] registry-viewer Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreamtags] [get] [] [] [] [imagestreams/layers namespaces projects] self-provisioner Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create] [] [] [] [projectrequests] system:build-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [builds] [update] [] [] [] [builds] [create] [] [] [] [builds/custom builds/docker builds/source] [get] [] [] [] [imagestreams] [create delete get list] [] [] [] [pods] [create patch update] [] [] [] [events] system:daemonset-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [extensions] [daemonsets] [list watch] [] [] [] [pods] [list watch] [] [] [] [nodes] [update] [] [] [extensions] [daemonsets/status] [create delete] [] [] [] [pods] [create] [] [] [] [pods/binding] [create patch update] [] [] [] [events] system:deployer Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list] [] [] [] [replicationcontrollers] [get update] [] [] [] [replicationcontrollers] [create get list watch] [] [] [] [pods] [get] [] [] [] [pods/log] [update] [] [] [] [imagestreamtags] system:deployment-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [replicationcontrollers] [get update] [] [] [] [replicationcontrollers] [create delete get list update] [] [] [] [pods] [create patch update] [] [] [] [events] system:discovery Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get] [/api /api/* /apis /apis/* /oapi /oapi/* /osapi /osapi/ /version] [] [] [] system:hpa-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [extensions autoscaling] [horizontalpodautoscalers] [update] [] [] [extensions autoscaling] [horizontalpodautoscalers/status] [get update] [] [] [extensions ] [replicationcontrollers/scale] [get update] [] [] [] [deploymentconfigs/scale] [create patch update] [] [] [] [events] [list] [] [] [] [pods] [proxy] [] [https:heapster:] [] [services] system:image-builder Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get update] [] [] [] [imagestreams/layers] [update] [] [] [] [builds/details] system:image-pruner Verbs Non-Resource URLs Extension Resource Names API Groups Resources [delete] [] [] [] [images] [get list] [] [] [] [buildconfigs builds deploymentconfigs images imagestreams pods replicationcontrollers] [update] [] [] [] [imagestreams/status] system:image-puller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get] [] [] [] [imagestreams/layers] system:image-pusher Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get update] [] [] [] [imagestreams/layers] system:job-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [extensions batch] [jobs] [update] [] [] [extensions batch] [jobs/status] [list watch] [] [] [] [pods] [create delete] [] [] [] [pods] [create patch update] [] [] [] [events] system:master Verbs Non-Resource URLs Extension Resource Names API Groups Resources [*] [] [] [*] [*] system:namespace-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [delete get list watch] [] [] [] [namespaces] [update] [] [] [] [namespaces/finalize namespaces/status] [delete deletecollection get list] [] [] [*] [*] system:node Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create] [] [] [] [localsubjectaccessreviews subjectaccessreviews] [get list watch] [] [] [] [services] [create get list watch] [] [] [] [nodes] [update] [] [] [] [nodes/status] [create patch update] [] [] [] [events] [get list watch] [] [] [] [pods] [create delete get] [] [] [] [pods] [update] [] [] [] [pods/status] [get] [] [] [] [configmaps secrets] [get] [] [] [] [persistentvolumeclaims persistentvolumes] [get] [] [] [] [endpoints] system:node-admin Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [nodes] [proxy] [] [] [] [nodes] [*] [] [] [] [nodes/log nodes/metrics nodes/proxy nodes/stats] system:node-proxier Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [endpoints services] system:node-reader Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [nodes] [get] [] [] [] [nodes/metrics] [create get] [] [] [] [nodes/stats] system:oauth-token-deleter Verbs Non-Resource URLs Extension Resource Names API Groups Resources [delete] [] [] [] [oauthaccesstokens oauthauthorizetokens] system:pv-binder-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [persistentvolumes] [create delete get update] [] [] [] [persistentvolumes] [update] [] [] [] [persistentvolumes/status] [list watch] [] [] [] [persistentvolumeclaims] [get update] [] [] [] [persistentvolumeclaims] [update] [] [] [] [persistentvolumeclaims/status] system:pv-provisioner-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [persistentvolumes] [create delete get update] [] [] [] [persistentvolumes] [update] [] [] [] [persistentvolumes/status] [list watch] [] [] [] [persistentvolumeclaims] [get update] [] [] [] [persistentvolumeclaims] [update] [] [] [] [persistentvolumeclaims/status] system:pv-recycler-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [persistentvolumes] [create delete get update] [] [] [] [persistentvolumes] [update] [] [] [] [persistentvolumes/status] [list watch] [] [] [] [persistentvolumeclaims] [get update] [] [] [] [persistentvolumeclaims] [update] [] [] [] [persistentvolumeclaims/status] [list watch] [] [] [] [pods] [create delete get] [] [] [] [pods] [create patch update] [] [] [] [events] system:registry Verbs Non-Resource URLs Extension Resource Names API Groups Resources [delete get] [] [] [] [images] [get] [] [] [] [imagestreamimages imagestreams imagestreams/secrets imagestreamtags] [update] [] [] [] [imagestreams] [create] [] [] [] [imagestreammappings] [list] [] [] [] [resourcequotas] system:replication-controller Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [replicationcontrollers] [get update] [] [] [] [replicationcontrollers] [update] [] [] [] [replicationcontrollers/status] [list watch] [] [] [] [pods] [create delete] [] [] [] [pods] [create patch update] [] [] [] [events] system:router Verbs Non-Resource URLs Extension Resource Names API Groups Resources [list watch] [] [] [] [endpoints routes] [update] [] [] [] [routes/status] system:sdn-manager Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create delete get list watch] [] [] [] [hostsubnets] [create delete get list watch] [] [] [] [netnamespaces] [get list watch] [] [] [] [nodes] [create get] [] [] [] [clusternetworks] system:sdn-reader Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [hostsubnets] [get list watch] [] [] [] [netnamespaces] [get list watch] [] [] [] [nodes] [get] [] [] [] [clusternetworks] [get list watch] [] [] [] [namespaces] system:webhook Verbs Non-Resource URLs Extension Resource Names API Groups Resources [create get] [] [] [] [buildconfigs/webhooks] view Verbs Non-Resource URLs Extension Resource Names API Groups Resources [get list watch] [] [] [] [bindings buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log configmaps deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments endpoints events generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/status imagestreamtags limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status processedtemplates projects replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes routes/status securitycontextconstraints serviceaccounts services templateconfigs templates] [get list watch] [] [] [autoscaling] [horizontalpodautoscalers] [get list watch] [] [] [batch] [jobs] [get list watch] [] [] [extensions] [daemonsets horizontalpodautoscalers jobs]
To view the current set of cluster bindings, which shows the users and groups that are bound to various roles:
$ oc describe clusterPolicyBindings :default
Example 8.2. Viewing Cluster Bindings
$ oc describe clusterPolicyBindings :default Name: :default Created: 4 hours ago Labels: <none> Last Modified: 2015-06-10 17:22:26 +0000 UTC Policy: <none> RoleBinding[basic-users]: Role: basic-user Users: [] Groups: [system:authenticated] RoleBinding[cluster-admins]: Role: cluster-admin Users: [] Groups: [system:cluster-admins] RoleBinding[cluster-readers]: Role: cluster-reader Users: [] Groups: [system:cluster-readers] RoleBinding[cluster-status-binding]: Role: cluster-status Users: [] Groups: [system:authenticated system:unauthenticated] RoleBinding[self-provisioners]: Role: self-provisioner Users: [] Groups: [system:authenticated] RoleBinding[system:build-controller]: Role: system:build-controller Users: [system:serviceaccount:openshift-infra:build-controller] Groups: [] RoleBinding[system:deployment-controller]: Role: system:deployment-controller Users: [system:serviceaccount:openshift-infra:deployment-controller] Groups: [] RoleBinding[system:masters]: Role: system:master Users: [] Groups: [system:masters] RoleBinding[system:node-proxiers]: Role: system:node-proxier Users: [] Groups: [system:nodes] RoleBinding[system:nodes]: Role: system:node Users: [] Groups: [system:nodes] RoleBinding[system:oauth-token-deleters]: Role: system:oauth-token-deleter Users: [] Groups: [system:authenticated system:unauthenticated] RoleBinding[system:registrys]: Role: system:registry Users: [] Groups: [system:registries] RoleBinding[system:replication-controller]: Role: system:replication-controller Users: [system:serviceaccount:openshift-infra:replication-controller] Groups: [] RoleBinding[system:routers]: Role: system:router Users: [] Groups: [system:routers] RoleBinding[system:sdn-readers]: Role: system:sdn-reader Users: [] Groups: [system:nodes] RoleBinding[system:webhooks]: Role: system:webhook Users: [] Groups: [system:authenticated system:unauthenticated]
8.2.2. Viewing Local Policy
While the list of local roles and their associated rule sets are not viewable within a local policy, all of the default roles are still applicable and can be added to users or groups, other than the cluster-admin default role. The local bindings, however, are viewable.
To view the current set of local bindings, which shows the users and groups that are bound to various roles:
$ oc describe policyBindings :default
By default, the current project is used when viewing local policy. Alternatively, a project can be specified with the -n
flag. This is useful for viewing the local policy of another project, if the user already has the admindefault role in it.
Example 8.3. Viewing Local Bindings
$ oc describe policyBindings :default -n joe-project Name: :default Created: About a minute ago Labels: <none> Last Modified: 2015-06-10 21:55:06 +0000 UTC Policy: <none> RoleBinding[admins]: Role: admin Users: [joe] Groups: [] RoleBinding[system:deployers]: Role: system:deployer Users: [system:serviceaccount:joe-project:deployer] Groups: [] RoleBinding[system:image-builders]: Role: system:image-builder Users: [system:serviceaccount:joe-project:builder] Groups: [] RoleBinding[system:image-pullers]: Role: system:image-puller Users: [] Groups: [system:serviceaccounts:joe-project]
By default in a local policy, only the binding for the admin role is immediately listed. However, if other default roles are added to users and groups within a local policy, they become listed as well.
8.3. Managing Role Bindings
Adding, or binding, a role to users or groups gives the user or group the relevant access granted by the role. You can add and remove roles to and from users and groups using oc adm policy
commands.
When managing a user or group’s associated roles for a local policy using the following operations, a project may be specified with the -n
flag. If it is not specified, then the current project is used.
Command | Description |
---|---|
| Indicates which users can perform an action on a resource. |
| Binds a given role to specified users in the current project. |
| Removes a given role from specified users in the current project. |
| Removes specified users and all of their roles in the current project. |
| Binds a given role to specified groups in the current project. |
| Removes a given role from specified groups in the current project. |
| Removes specified groups and all of their roles in the current project. |
You can also manage role bindings for the cluster policy using the following operations. The -n
flag is not used for these operations because the cluster policy uses non-namespaced resources.
Command | Description |
---|---|
| Binds a given role to specified users for all projects in the cluster. |
| Removes a given role from specified users for all projects in the cluster. |
| Binds a given role to specified groups for all projects in the cluster. |
| Removes a given role from specified groups for all projects in the cluster. |
For example, you can add the admin role to the alice user in joe-project by running:
$ oc adm policy add-role-to-user admin alice -n joe-project
You can then view the local bindings and verify the addition in the output:
$ oc describe policyBindings :default -n joe-project
Name: :default
Created: 5 minutes ago
Labels: <none>
Last Modified: 2015-06-10 22:00:44 +0000 UTC
Policy: <none>
RoleBinding[admins]:
Role: admin
Users: [alice joe] 1
Groups: []
RoleBinding[system:deployers]:
Role: system:deployer
Users: [system:serviceaccount:joe-project:deployer]
Groups: []
RoleBinding[system:image-builders]:
Role: system:image-builder
Users: [system:serviceaccount:joe-project:builder]
Groups: []
RoleBinding[system:image-pullers]:
Role: system:image-puller
Users: []
Groups: [system:serviceaccounts:joe-project]
- 1
- The alice user has been added to the admins
RoleBinding
.
8.4. Granting Users Daemonset Permissions
By default, project developers do not have the permission to create daemonsets. As a cluster administrator, you can grant them the abilities.
Define a ClusterRole file:
apiVersion: v1 kind: ClusterRole metadata: name: daemonset-admin rules: - resources: - daemonsets apiGroups: - extensions verbs: - create - get - list - watch - delete - update
Create the role:
$ oc adm policy add-role-to-user daemonset-admin <user>
8.5. Creating a Local Role
To create a local role for a project, you can either copy and modify an existing role or build a new role from scratch. It is recommended that you build it from scratch so that you understand each of the permissions assigned.
To copy the cluster role view to use as a local role, run:
$ oc get clusterrole view -o yaml > clusterrole_view.yaml $ cp clusterrole_view.yaml localrole_exampleview.yaml $ vim localrole_exampleview.yaml # 1. Update kind: ClusterRole to kind: Role # 2. Update name: view to name: exampleview # 3. Remove resourceVersion, selfLink, uid, and creationTimestamp $ oc create -f path/to/localrole_exampleview.yaml -n <project_you_want_to_add_the_local_role_exampleview_to>
To create a new role from scratch, save this snippet into the file role_exampleview.yaml:
Example Role Named exampleview
apiVersion: v1 kind: Role metadata: name: exampleview rules: - apiGroups: null attributeRestrictions: null resources: - pods - builds verbs: - get - list - watch
Then, to add the role to your project, run:
$ oc project <project_you_want_to_add_the_local_role_exampleview_to>
Optionally, annotate it with a description.
Save the following role binding in the policybinding.yaml file:
apiVersion: v1 kind: PolicyBinding metadata: name: <string> policyRef: name: <role-name> namespace: <project-name> roleBindings: null
To create the PolicyBinding, run:
$ oc create -f policybinding.yaml -n <project-name>
To create the role, run:
$ oc create -f localrole_exampleview.yaml -n <project-name>
To use the new role, run:
$ oadm policy add-role-to-user customview <new-user> --role-namespace=<project-name>
A clusterrolebinding
is a role binding that exists at the cluster level. A rolebinding
exists at the project level. This can be confusing. The clusterrolebinding
view must be assigned to a user within a project for that user to view the project. Local roles are only created if a cluster role does not provide the set of permissions needed for a particular situation, which is unlikely.
Some cluster role names are initially confusing. The clusterrole
clusteradmin
can be assigned to a user within a project, making it appear that this user has the privileges of a cluster administrator. This is not the case. The clusteradmin
cluster role bound to a certain project is more like a super administrator for that project, granting the permissions of the cluster role admin
, plus a few additional permissions like the ability to edit rate limits. This can appear especially confusing via the web console UI, which does not list cluster policy (where cluster administrators exist). However, it does list local policy (where a locally bound clusteradmin
may exist).
Within a project, project administrators should be able to see rolebindings
, not clusterrolebindings
.