Chapter 5. Configuring access to clusters in OpenShift Cluster Manager

OpenShift Cluster Manager allows you to view and manage the OpenShift clusters in your organization from one dashboard.

Viewing and editing access to clusters in OpenShift Cluster Manager is controlled by your Red Hat account configuration (generally by organization) and by role bindings configured in OpenShift Cluster Manager.

Your role in your organization, as well as the roles you have been assigned on a cluster, determine how you can manage a cluster, for example:

  • Viewing the list of clusters in your organization, including your cluster and clusters created by other users
  • Viewing a cluster’s details, such as the cluster overview, subscription settings, history, and Cluster Owner
  • Editing a cluster’s details, such as subscription settings, cluster display name, machine pools, and add-on services

Any user with a Red Hat login has permission to create a cluster from OpenShift Cluster Manager. However, your organization must have sufficient subscriptions or quota, depending on the type of OpenShift cluster you are creating, to allow you to create a cluster. See Cluster subscriptions and registration for more information about subscriptions and quota for clusters.

When you create a cluster, you are assigned the Cluster Owner role on that cluster.

Note

For greater security, you can use two-factor authentication (2FA) to access OpenShift Cluster Manager and the Red Hat Hybrid Cloud Console. To learn more about configuring two-factor authentication, see Using OpenShift Cluster Manager with the Red Hat Hybrid Cloud Console and the Using Two-Factor Authentication guide.

5.1. User access concepts in OpenShift Cluster Manager

Organization

An organization is defined in your Red Hat account. An organization can have many users, who each have a login to access Red Hat resources such as the Red Hat Hybrid Cloud Console and the Red Hat Customer Portal.

In OpenShift Cluster Manager, users can view all clusters created within their organization by default.

Organization Administrator

Each organization has one or more Organization Administrator users.

This is the highest permission level in an organization, and the only role that can manage user access and permissions within a Red Hat account. Organization Administrators can access and edit any cluster in the organization, as well as configure user roles on clusters in OpenShift Cluster Manager.

For more information about Red Hat account roles, see Roles and Permissions for Red Hat Customer Portal and How To Create and Manage Users.

Cluster Owner

The user that creates an OpenShift cluster is the Cluster Owner. This user can perform any action on the cluster and view all details about the cluster in OpenShift Cluster Manager.

Cluster Owners can allow other users in the same organization to manage and perform actions on their cluster by granting them the Cluster Editor role.

Organization Administrators have the same access to clusters as Cluster Owners.

You can also become the Cluster Owner on an existing cluster when another user transfers a cluster’s ownership to you. See Transferring cluster ownership for more information.

Cluster Editor

The Cluster Editor role allows you to edit, manage, and delete that cluster, similar to Cluster Owner. The one exception is that a Cluster Editor cannot grant roles on a cluster to other users. Only a Cluster Owner or an Organization Administrator in the Red Hat account can configure role bindings on clusters.

5.2. Configuring user access to clusters in OpenShift Cluster Manager

5.2.1. Viewing user roles and access on a cluster

You can view a list of users with assigned roles on a cluster from the OCM Roles and Access screen.

If you are an Organization Administrator in the Red Hat account or the Cluster Owner, you can also edit the users and their access to the cluster from this screen. Other users can only view information about users and roles on a cluster.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster in your organization

Procedure

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access to see a list of users with assigned roles to access the cluster.

5.2.2. Granting user roles for cluster access

After you create an OpenShift cluster, you can grant access to other users on your cluster. This enables members of your team to manage or view the cluster without being an Organization Administrator in the Red Hat account.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster
  • You must be the Cluster Owner on the cluster, or Organization Administrator in your Red Hat account
  • The user you want to grant access to must be in your organization

Procedure

To grant a role to a user in your organization:

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access.
  3. Click Grant role.
  4. Enter the Red Hat login for the user.
  5. Select the role you want (for example, Cluster Viewer) from the list.
  6. Click Grant role to confirm the role assignment.

Verification

The user is listed on the OCM Roles and Access screen with the role assigned.

5.2.3. Revoking user roles for clusters

You can revoke a user’s cluster permissions if you are the Cluster Owner or Organization Administrator.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster
  • You must be the Cluster Owner on the cluster, or Organization Administrator in your Red Hat account
  • A user in your organization with access to the cluster

Procedure

To revoke access from a user:

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access.
  3. Click the more options icon next to the user on the list, then click Delete.
  4. Click Confirm.

Verification

The user is not displayed in the users list in OCM Roles and Access.

5.2.4. Using role-based access control to assign users and groups

You can use role-based access control (RBAC) to create and manage groups of users. Assigning roles to groups allows you to manage access for users as a group. Roles assigned using RBAC apply to all clusters within your organization rather than a specific cluster. RBAC is available in the Identity & Access Management menu in the Settings gear of the Red Hat Hybrid Cloud Console.

Note

Only organization administrators can manage and assign roles to groups using role-based access control (RBAC).

Organization administrators can change the default access permissions for the users within their organization. Role-based access control provides two default groups. The default member group contains every user in the organization. The default admin group contains every user who holds the organization administrator role.

OCM access policies are explicitly assigned through role assignments to these default groups. In this way, the existing RBAC policies are no longer implicit, and customers can modify them. Organization administrators can remove the role assignments from the default groups to remove the default permissions from all users. They can then assign these roles selectively to specific users or groups to manage the permissions of users within their organization.

Important

Removing all OCM roles from the default groups results in users losing the ability to view and provision clusters. It is recommended to set up groups of users and assign specific roles to these groups before revoking access from the default groups.

A scope governs the level at which a role is applied or granted to a user or a group. OCM uses two scopes: cluster scope and organization scope. Roles can be granted to a user or a group at either scope.

A role granted at the cluster scope allows the user to take the actions permitted by the role (as specified by the permissions included within the role) on the specific cluster for which the role is granted. In short, cluster-scoped role assignments apply to one cluster.

A role granted at the organization scope allows the user to take the actions permitted by the role (as specified by the permissions included within the role) on all clusters within the organization. In short, organization-scoped role assignments are cross-cluster and apply to every cluster in the organization.

Users can create and manage groups and group membership for users within the organization through the RBAC service within the Red Hat Hybrid Cloud Console.

Users can assign a role to a group by using RBAC. Any role assigned with RBAC is at the organization level and applies to all clusters within the organization.

Users can assign a role to a user in OCM for a particular cluster. They do this from within the context of a particular cluster and this role assignment is at the cluster scope.

For more information about using RBAC within Red Hat Hybrid Cloud Console, read User Access Configuration Guide for Role-based Access Control (RBAC).

5.2.4.1. Using RBAC to assign roles and users to groups

When adding roles to created groups, you can add OCM-specific roles. Use these OCM-specific roles to give users or groups in your organization more precise access to clusters. When adding roles inside your group, use the search box and type "OCM" to find all the OCM-specific roles you can add.

The roles you can add are:

  • Cluster viewer: This role allows a user to view a cluster.
  • Cluster provisioner: This role allows a user to provision a cluster.
  • Cluster editor: This role allows a user to manage and delete a cluster.
  • Organization administrator: This role allows a user to perform all tasks within OCM for all clusters. Users are granted organization administrator permissions only within the OCM service and this does not apply to any other Red Hat service.
  • IdP editor: This role allows a user to manage identity providers for a cluster.
  • Machine pool editor: This role allows a user to create, scale, and delete machine pools within a cluster.

For more detailed information about the process of adding roles to created groups, read Managing group access with roles and members.
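The following is an added worked example, not code from the OCM documentation or from Red Hat, that models how a user's effective permissions on a cluster are resolved from the two scopes described in 5.2.4 (organization-scoped roles assigned to groups through RBAC, cluster-scoped roles granted from OCM Roles and Access) and the OCM-specific roles listed in 5.2.4.1. It also reproduces the failure mode from the Important note: removing all OCM roles from the default member group leaves users unable to view clusters until a dedicated group is given the role. The permission strings, the default group names, the roles assumed to sit on the default groups, and the user and cluster names are all constructed for the example.

```python
"""Illustrative model of OCM permission resolution across organization scope
(RBAC group roles, applying to every cluster) and cluster scope (roles granted
to one user on one cluster). Example code for this page, not OCM's
implementation; permission names and default group names are constructed."""
from dataclasses import dataclass, field

# Permissions carried by each OCM-specific role, following the role list on
# this page. The permission strings themselves are constructed.
ROLE_PERMISSIONS = {
    "Cluster viewer": {"view"},
    "Cluster provisioner": {"provision"},
    "Cluster editor": {"view", "edit", "delete"},
    "IdP editor": {"manage_idp"},
    "Machine pool editor": {"manage_machine_pools"},
    "Organization administrator": {
        "view", "provision", "edit", "delete",
        "manage_idp", "manage_machine_pools", "grant_role",
    },
}
# A Cluster Owner can perform any action on their own cluster.
ALL_PERMISSIONS = set().union(*ROLE_PERMISSIONS.values())

DEFAULT_MEMBER_GROUP = "Default access"        # constructed name
DEFAULT_ADMIN_GROUP = "Default admin access"   # constructed name


@dataclass
class Organization:
    users: set                                         # Red Hat logins in the org
    org_admins: set                                    # account Organization Administrators
    groups: dict = field(default_factory=dict)         # group -> members
    group_roles: dict = field(default_factory=dict)    # group -> org-scoped roles
    cluster_owner: dict = field(default_factory=dict)  # cluster -> owner login
    cluster_roles: dict = field(default_factory=dict)  # (cluster, login) -> roles

    def __post_init__(self):
        # Default member group holds every user, default admin group holds every
        # Organization Administrator. The roles placed on them are an assumption
        # consistent with the page: all users can view and provision clusters
        # until these default assignments are removed.
        self.groups.setdefault(DEFAULT_MEMBER_GROUP, set(self.users))
        self.groups.setdefault(DEFAULT_ADMIN_GROUP, set(self.org_admins))
        self.group_roles.setdefault(
            DEFAULT_MEMBER_GROUP, {"Cluster viewer", "Cluster provisioner"})
        self.group_roles.setdefault(
            DEFAULT_ADMIN_GROUP, {"Organization administrator"})


def effective_permissions(org, login, cluster):
    """Union of organization-scoped, cluster-scoped and owner permissions."""
    perms = set()
    # Organization scope: group roles apply to every cluster, so the cluster
    # name plays no part in this loop.
    for group, members in org.groups.items():
        if login in members:
            for role in org.group_roles.get(group, ()):
                perms |= ROLE_PERMISSIONS[role]
    # Cluster scope: roles granted to this user on this specific cluster.
    for role in org.cluster_roles.get((cluster, login), ()):
        perms |= ROLE_PERMISSIONS[role]
    if org.cluster_owner.get(cluster) == login:
        perms |= ALL_PERMISSIONS
    return perms


def can_grant_roles(org, actor, cluster):
    """Only the Cluster Owner or an Organization Administrator may configure
    role bindings on a cluster; a Cluster editor cannot."""
    return actor in org.org_admins or org.cluster_owner.get(cluster) == actor


def create_cluster(org, login, cluster):
    """Creating a cluster requires the provision permission and makes the
    creator the Cluster Owner."""
    if "provision" not in effective_permissions(org, login, cluster):
        raise PermissionError(f"{login} cannot provision clusters")
    org.cluster_owner[cluster] = login


def grant_cluster_role(org, actor, cluster, login, role):
    """Cluster-scoped grant, as done from the OCM Roles and Access screen."""
    if not can_grant_roles(org, actor, cluster):
        raise PermissionError(f"{actor} cannot grant roles on {cluster}")
    if login not in org.users:
        raise ValueError(f"{login} is not in the organization")
    org.cluster_roles.setdefault((cluster, login), set()).add(role)


if __name__ == "__main__":
    org = Organization(users={"alice", "bob", "carol"}, org_admins={"alice"})
    create_cluster(org, "bob", "prod")
    grant_cluster_role(org, "bob", "prod", "carol", "Cluster editor")
    # Strip the default member group: carol keeps prod through her
    # cluster-scoped role but loses view on every other cluster until a
    # dedicated group is given Cluster viewer.
    org.group_roles[DEFAULT_MEMBER_GROUP] = set()
    print("carol on prod:", sorted(effective_permissions(org, "carol", "prod")))
    print("carol on staging:", sorted(effective_permissions(org, "carol", "staging")))
    org.groups["platform-team"] = {"carol"}
    org.group_roles["platform-team"] = {"Cluster viewer"}
    print("carol on staging, after:", sorted(effective_permissions(org, "carol", "staging")))
```

The order of operations in the main block is the one the Important note recommends in reverse: in practice you would create the dedicated group and assign its roles first, then remove the roles from the default group, so that no user is left without access in between.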