集群级别Role(Cluster Role)
oc get clusterrole.rbac
oc describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: authorization.openshift.io/system-only=true
openshift.io/reconcile-protect=false
Verbs Non-Resource URLs Resource Names API Groups Resources
[*] [] [] [*] [*]
[*] [*] [] [] []
oc new-project demo
Now using project "demo" on server "https://xxxxxxxxxx:xxxx".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
to build a new example application in Ruby.
oc status
In project demo on server https://xxxxxxxxxx:xxxx
You have no services, deployment configs, or build configs.
Run 'oc new-app' to create an application.
oc new-app https://github.com/openshift/ruby-hello-world.git#beta4
oc new-app /home/user/code/myapp --strategy=docker
oc new-app https://github.com/openshift/ruby-hello-world --name=myapp
# Add Role/ClusterRole to user
$ oc adm policy add-cluster-role-to-user/group cluster-role username/group
$ oc adm policy add-role-to-user/group role-name username/group -n <ns>
# Add "-z" for service accounts
$ oc policy add-role-to-user <role_name> -z <serviceaccount_name> -n <ns>
# Remove Role/ClusterRole from user
$ oc adm policy remove-cluster-role-from-user/group cluster-role username/group
$ oc adm policy remove-role-from-user/group role-name username/group -n <ns>
# Check Accessability to resource
$ oc adm policy who-can verb resource
# Check Accessability to resource
$ oc adm policy can-i verb resource --as=username --all-namespaces
# Create new role/clusterrole using oc command
$ oc create role <name> --verb=<verb1,verb2,verb3...> --resource=<resource> -n <ns>
$ oc create clusterrole <name> --verb=<verb1,verb2,verb3...> --resource=<resource>