Chapter 16. Impersonating the system:admin user
16.1. API impersonation
You can configure a request to the OpenShift Container Platform API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.
16.2. Impersonating the system:admin user
You can grant a user permission to impersonate system:admin
, which grants them cluster administrator permissions.
Procedure
To grant a user permission to impersonate
system:admin
, run the following command:$ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>
TipYou can alternatively apply the following YAML to grant permission to impersonate
system:admin
:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: <any_valid_name> roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: sudoer subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: <username>
16.3. Impersonating the system:admin group
When a system:admin
user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2>
parameters in the command to impersonate the associated groups.
Procedure
To grant a user permission to impersonate a
system:admin
by impersonating the associated cluster administration groups, run the following command:$ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \ --as-group=<group1> --as-group=<group2>