Open wangglbj opened 2 years ago
The admin role gives a user access to project resources such as quotas and limit ranges, and also the ability to create new applications. The edit role gives a user sufficient access to act as a developer inside the project, but working under the constraints configured by a project administrator.
Project administrators can use the oc policy command to add and remove namespace roles. Add a specified role to a user with the add-role-to-user subcommand. For example: [user@host ~]$ oc policy add-role-to-user role-name username -n project
For example, to add the user dev to the role basic-user in the cpd-instance project: [user@host ~]$ oc policy add-role-to-user basic-user dev -n cpd-instance User Types
Interaction with OpenShift Container Platform is associated with a user. An OpenShift Container Platform user object represents a user who can be granted permissions in the system by adding roles to that user or to a user's group via rolebindings.
Regular users
Most interactive OpenShift Container Platform users are regular users, represented with the User object. This type of user represents a person that has been allowed access to the platform. Examples of regular users include user1 and user2.
System users
Many system users are created automatically when the infrastructure is defined, mainly for the purpose of enabling the infrastructure to securely interact with the API. System users include a cluster administrator (with access to everything), a per-node user, users for routers and registries, and various others. An anonymous system user is used by default for unauthenticated requests. Examples of system users include: system:admin, system:openshift-registry, and system:node:node1.example.com.
Service accounts
These are special system users associated with projects. Some service account users are created automatically when the project is first created. Project administrators can create more for the purpose of defining access to the contents of each project. Service accounts are often used to give extra privileges to pods or deployments. Service accounts are represented with the ServiceAccount object. Examples of service account users include system:serviceaccount:default:deployer and system:serviceaccount:foo:builder.
Every user must authenticate before they can access OpenShift Container Platform. API requests with no authentication or invalid authentication are authenticated as requests by the anonymous system user. After successful authentication, policy determines what the user is authorized to do.
References
For more information about Kubernetes namespaces refer to the Kubernetes Documentation
For more information about RBAC, refer to the Using RBAC to define and apply permissions chapter in the Red Hat OpenShift Container Platform 4.6 Authentication and authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/authentication_and_authorization/index#using-rbac
For more information about groups, refer to the Understanding authentication chapter in the Red Hat OpenShift Container Platform 4.6 Authentication and authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/authentication_and_authorization/index#understanding-authentication
Defining and Applying Permissions using RBAC Role-based Access Control (RBAC) Role-based access control (RBAC) is a technique for managing access to resources in a computer system. In Red Hat OpenShift, RBAC determines if a user can perform certain actions within the cluster or project. There are two types of roles that can be used depending on the user's level of responsibility: cluster and local.
Note: Authorization is a separate step from authentication.
Authorization Process
The authorization process is managed by rules, roles, and bindings.
Default Roles
OpenShift ships with a set of default cluster roles that can be assigned locally or to the entire cluster. You can modify these roles for fine-grained access control to OpenShift resources, but additional steps are required that are outside the scope of this course.