Skip to content

OpenShift Group Management

In the Red Hat OpenShift Documentation, there are instructions on how to configure a specific list of RHODS Administrators and RHODS Users.

However, if the list of users keeps changing, the membership of the groupd called rhods-users will have to be updated frequently. By default, in OpenShift, only OpenShift admins can edit group membership. Being a RHODS Admin does not confer you those admin privileges, and so, it would fall to the OpenShift admin to administer that list.

The instructions in this page will show how the OpenShift Admin can create these groups in such a way that any member of the group rhods-admins can edit the users listed in the group rhods-users. These makes the RHODS Admins more self-sufficient, without giving them unneeded access.

For expediency in the instructions, we are using the oc cli, but these can also be achieved using the OpenShift Web Console. We will assume that the user setting this up has admin privileges to the cluster.

Creating the groups

Here, we will create the groups mentioned above. Note that you can alter those names if you want, but will then need to have the same alterations throughout the instructions.

  1. To create the groups:
    oc adm groups new rhods-users
    oc adm groups new rhods-admins
    
  2. The above may complain about the group(s) already existing.
  3. To confirm both groups exist:
    oc get groups | grep rhods
    
  4. That should return:
    bash-4.4 ~ $ oc get groups | grep rhods
    rhods-admins
    rhods-users
    
  5. Both groups now exist

Creating ClusterRole and ClusterRoleBinding

  1. This will create a Cluster Role and a Cluster Role Binding:
    oc apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: update-rhods-users
    rules:
      - apiGroups: ["user.openshift.io"]
        resources: ["groups"]
        resourceNames: ["rhods-users"]
        verbs: ["update", "patch", "get"]
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: rhods-admin-can-update-rhods-users
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: rhods-admins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: update-rhods-users
    EOF
    
  2. To confirm they were both succesfully created, run:
    oc get ClusterRole,ClusterRoleBinding  | grep 'update\-rhods'
    
  3. You should see:
    bash-4.4 ~ $ oc get ClusterRole,ClusterRoleBinding  | grep 'update\-rhods'
    clusterrole.rbac.authorization.k8s.io/update-rhods-users
    clusterrolebinding.rbac.authorization.k8s.io/rhods-admin-can-update-rhods-users
    
  4. You are pretty much done. You now just need to validate things worked.

Add some users as rhods-admins

To confirm this works, add a user to the rhods-admin group. In my example, I'll add user1

Capture the URL needed to edit the rhods-users group

Since people who are not cluster admin won't be able to browse the list of groups, capture the URL that allows to control the membership of rhods-users.

It should look similar to:

https://console-openshift-console.apps.<thecluster>/k8s/cluster/user.openshift.io~v1~Group/rhods-users

Ensure that rhods-admins are now able to edit rhods-users

Ask someone in the rhods-admins group to confirm that it works for them. (Remember to provide them with the URL to do so).

They should be able to do so and successfully save their changes, as shown below: