OpenShift-角色管理

 oc get clusterrole.rbac

oc describe clusterrole cluster-admin
Name:           cluster-admin
Labels:         kubernetes.io/bootstrapping=rbac-defaults
Annotations:    authorization.openshift.io/system-only=true
                openshift.io/reconcile-protect=false
Verbs           Non-Resource URLs       Resource Names  API Groups      Resources
[*]             []                      []              [*]             [*]
[*]             [*]                     []              []              []

oc new-project demo
Now using project "demo" on server "https://xxxxxxxxxx:xxxx".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git

to build a new example application in Ruby.

oc status
In project demo on server https://xxxxxxxxxx:xxxx

You have no services, deployment configs, or build configs.
Run 'oc new-app' to create an application.

oc new-app https://github.com/openshift/ruby-hello-world.git#beta4

oc new-app /home/user/code/myapp --strategy=docker

oc new-app https://github.com/openshift/ruby-hello-world --name=myapp

# Add Role/ClusterRole to user
$ oc adm policy add-cluster-role-to-user/group cluster-role username/group
$ oc adm policy add-role-to-user/group role-name username/group -n <ns>
# Add "-z" for service accounts
$ oc policy add-role-to-user <role_name> -z <serviceaccount_name> -n <ns>
# Remove Role/ClusterRole from user
$ oc adm policy remove-cluster-role-from-user/group cluster-role username/group
$ oc adm policy remove-role-from-user/group role-name username/group -n <ns>
# Check Accessability to resource
$ oc adm policy who-can verb resource
# Check Accessability to resource
$ oc adm policy can-i verb resource --as=username --all-namespaces
# Create new role/clusterrole using oc command
$ oc create role <name> --verb=<verb1,verb2,verb3...> --resource=<resource> -n <ns>
$ oc create clusterrole <name> --verb=<verb1,verb2,verb3...> --resource=<resource>