Chapter 4. Authorization
4.1. Overview
This topic contains authorization tasks for application developers and their capabilities, as dictated by the cluster administrator.
4.2. Checking If Users Can Create Pods
Using the scc-review
and scc-subject-review
options, you can see if an individual user, or a user under a specific service account, can create or update a pod.
Using the scc-review
option, you can check if a service account can create or update a pod. The command outputs the security context constraints that admit the resource.
For example, to check if a user with the system:serviceaccount:projectname:default
service account can a create a pod:
$ oc policy scc-review -z system:serviceaccount:projectname:default -f my_resource.yaml
You can also use the scc-subject-review
option to check whether a specific user can create or update a pod:
$ oc policy scc-subject-review -u <username> -f my_resource.yaml
To check if a user belonging to a specific group can create a pod in a specific file:
$ oc policy scc-subject-review -u <username> -g <groupname> -f my_resource.yaml
4.3. Determining What You Can Do as an Authenticated User
From within your OpenShift Online project, you can determine what verbs you can perform against all namespace-scoped resources (including third-party resources).
The can-i
command option tests scopes in terms of the user and role.
$ oc policy can-i --list --loglevel=8
The output helps you to determine what API request to make to gather the information.
To receive information back in a user-readable format, run:
$ oc policy can-i --list
The output provides a full list.
To determine if you can perform specific verbs, run:
$ oc policy can-i <verb> <resource>
User scopes can provide more information about a given scope. For example:
$ oc policy can-i <verb> <resource> --scopes=user:info