Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 18. Impersonating the system:admin user

18.1. API impersonation
Copy link

You can configure a request to the OpenShift Container Platform API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.

18.2. Impersonating the system:admin user
Copy link

You can use the OpenShift web console to impersonate a user and select multiple group memberships at the same time to reproduce that user’s effective permissions.

Procedure

  • To grant a user permission to impersonate system:admin, run the following command: 

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>
    Copy to Clipboard Toggle word wrap
    Tip

    You can alternatively apply the following YAML to grant permission to impersonate system:admin: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <any_valid_name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sudoer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <username>
    Copy to Clipboard Toggle word wrap

18.3. Impersonating the system:admin group
Copy link

When a system:admin user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2> parameters in the command to impersonate the associated groups.

Procedure

  • To grant a user permission to impersonate a system:admin by impersonating the associated cluster administration groups, run the following command: 

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
--as-group=<group1> --as-group=<group2>
    Copy to Clipboard Toggle word wrap

You can start user impersonation from multiple locations in the OpenShift Container Platform Console. Depending on where you start, you can impersonate a single user, a single group, or a user with one or more group memberships.

Prerequisites

  • You must be logged in to the OpenShift Container Platform web console as a user with permission to impersonate other users.
  • The user or group that you want to impersonate must already exist.
Note

The impersonated user can belong to zero or more groups.

Procedure

  1. From the Overview page in the OpenShift Container Platform console, click your user name and select Impersonate User.
  2. In the Username field in the Impersonate dialog, enter the name of the user you want to impersonate.

  3. Optional: In the Groups field, choose one or more groups that are associated with the user.

    The dialog displays a warning message explaining that impersonation applies the effective permissions of the specified user and any selected groups.

  4. Click Impersonate to impersonate your selected user, groups, or both.
Note

Selecting one group uses the existing single-group impersonation behavior. Selecting no groups uses regular single-user impersonation.

You can start impersonation for users or groups from the Users or Groups pages in the OpenShift Container Platform Console.

Procedure

  1. From the Overview page in the OpenShift Container Platform console, click User Management Users.
  2. Open the menu for the user you want to impersonate and select Impersonate User.
  3. Optional: To impersonate a group, click User Management Groups, click the menu for that group, and select Impersonate Group.

18.6. Stopping impersonation
Copy link

You can stop impersonating a user or group at any time from the OpenShift Container Platform Console.

Procedure

  1. On any page in the OpenShift Container Platform console, click Stop impersonating at the top of the page.
  2. Alternatively, click your user name and select Stop impersonating.

As a cluster administrator, you can add unauthenticated users to the following cluster roles in OpenShift Container Platform by creating a cluster role binding. Unauthenticated users do not have access to non-public cluster roles. This should only be done in specific use cases when necessary.

You can add unauthenticated users to the following cluster roles:

  • system:scope-impersonation
  • system:webhook
  • system:oauth-token-deleter
  • self-access-reviewer
Important

Always verify compliance with your organization’s security standards when modifying unauthenticated access.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the OpenShift CLI (oc).

Procedure

  1. Create a YAML file named add-<cluster_role>-unauth.yaml and add the following content: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 annotations:
   rbac.authorization.kubernetes.io/autoupdate: "true"
 name: <cluster_role>access-unauthenticated
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: <cluster_role>
subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: system:unauthenticated
    Copy to Clipboard Toggle word wrap

  2. Apply the configuration by running the following command: 

    $ oc apply -f add-<cluster_role>.yaml
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top