Chapter 5. Configuring access to clusters in OpenShift Cluster Manager

OpenShift Cluster Manager allows you to view and manage the OpenShift clusters in your organization from one dashboard.

Viewing and editing access to clusters in OpenShift Cluster Manager is controlled by your Red Hat account configuration (generally by organization) and by role bindings configured in OpenShift Cluster Manager.

Your role in your organization, together with the roles you have been assigned on a cluster, determines how you can manage a cluster, for example:

  • Viewing the list of clusters in your organization, including your cluster and clusters created by other users
  • Viewing a cluster’s details, such as the cluster overview, subscription settings, history, and Cluster Owner
  • Editing a cluster’s details, such as subscription settings, cluster display name, machine pools, and add-on services

Any user with a Red Hat login has permission to create a cluster from OpenShift Cluster Manager. However, your organization must have sufficient subscriptions or quota, depending on the type of OpenShift cluster you are creating, to allow you to create a cluster. See Cluster subscriptions and registration for more information about subscriptions and quota for clusters.

When you create a cluster, you are assigned the Cluster Owner role on that cluster.

Note

For greater security, you can use two-factor authentication (2FA) to access OpenShift Cluster Manager and the Red Hat Hybrid Cloud Console. To learn more about configuring two-factor authentication, see Using OpenShift Cluster Manager with the Red Hat Hybrid Cloud Console and the Using Two-Factor Authentication guide.

5.1. User access concepts in OpenShift Cluster Manager

Organization

An organization is defined in your Red Hat account. An organization can have many users, who each have a login to access Red Hat resources such as the Red Hat Hybrid Cloud Console and the Red Hat Customer Portal.

In OpenShift Cluster Manager, users can view all clusters created within their organization by default.

Organization Administrator

Each organization has one or more Organization Administrator users.

This is the highest permission level in an organization, and the only role that can manage user access and permissions within a Red Hat account. Organization Administrators can access and edit any cluster in the organization, as well as configure user roles on clusters in OpenShift Cluster Manager.

For more information about Red Hat account roles, see Roles and Permissions for Red Hat Customer Portal and How To Create and Manage Users.

Cluster Owner

The user that creates an OpenShift cluster is the Cluster Owner. This user can perform any action on the cluster and view all details about the cluster in OpenShift Cluster Manager.

Cluster Owners can allow other users in the same organization to manage and perform actions on their cluster by granting them the Cluster Editor role.

Organization Administrators have the same access to clusters as Cluster Owners.

You can also become the Cluster Owner on an existing cluster when another user transfers a cluster’s ownership to you. See Transferring cluster ownership for more information.

Cluster Editor

The Cluster Editor role allows you to edit, manage, and delete that cluster, similar to Cluster Owner. The one exception is that a Cluster Editor cannot grant roles on a cluster to other users. Only a Cluster Owner or an Organization Administrator in the Red Hat account can configure role bindings on clusters.

5.2. Configuring user access to clusters in OpenShift Cluster Manager

5.2.1. Viewing user roles and access on a cluster

You can view a list of users with assigned roles on a cluster from the OCM Roles and Access screen.

If you are an Organization Administrator in the Red Hat account or the Cluster Owner, you can also edit the users and their access to the cluster from this screen. Other users can only view information about users and roles on a cluster.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster in your organization

Procedure

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access to see a list of users with assigned roles to access the cluster.

5.2.2. Granting Cluster Editor access to a cluster

After you create an OpenShift cluster, you can grant Cluster Editor access to other users on your cluster. This enables members of your team to manage the cluster without being an Organization Administrator in the Red Hat account.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster
  • You must be the Cluster Owner on the cluster, or Organization Administrator in your Red Hat account
  • The user you want to grant access to must be in your organization

Procedure

To grant the Cluster Editor role to a user in your organization:

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access.
  3. Click Grant role. The Cluster Editor role is pre-selected.
  4. Enter the Red Hat login for the user.
  5. Click Grant role to confirm the role assignment.

Verification

The user is listed on the OCM Roles and Access screen with the Cluster Editor role assigned, and will be able to edit the cluster.

5.2.3. Revoking Cluster Editor access from a cluster

You can revoke a user’s permissions to edit a cluster if you are the Cluster Owner or Organization Administrator.

Prerequisites

  • A Red Hat login
  • An existing OpenShift cluster
  • You must be the Cluster Owner on the cluster, or Organization Administrator in your Red Hat account
  • A user in your organization with Cluster Editor access on the cluster

Procedure

To revoke Cluster Editor access from a user:

  1. Select your cluster from the Clusters list.
  2. Click Access Control > OCM Roles and Access.
  3. Click the more options menu next to the user on the list, then Delete.
  4. Click Confirm.

Verification

The user is not displayed in the users list in OCM Roles and Access, and will no longer be able to edit the cluster.
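The role rules from section 5.1 and the grant and revoke prerequisites from sections 5.2.2 and 5.2.3 can be modelled to review who effectively holds edit, delete, and role-granting rights on a cluster. This is an added example, not Red Hat code or an OpenShift Cluster Manager API: the `User` and `Cluster` types, the action names, the sample logins, and the rule that users outside the organization have no access are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    login: str
    org: str
    org_admin: bool = False   # Organization Administrator in the Red Hat account

@dataclass
class Cluster:
    name: str
    org: str
    owner: str                                  # login of the Cluster Owner
    editors: set = field(default_factory=set)   # logins holding Cluster Editor

def effective_access(user, cluster):
    """Actions the rules in section 5.1 give `user` on `cluster`."""
    if user.org != cluster.org:
        return set()   # assumption: no access from outside the organization
    actions = {"view"}  # members can view every cluster in their organization
    if user.org_admin or user.login == cluster.owner:
        actions |= {"edit", "delete", "grant_roles"}
    elif user.login in cluster.editors:
        actions |= {"edit", "delete"}   # Cluster Editor: no role grants
    return actions

def grant_editor(actor, target, cluster):
    """Add a Cluster Editor binding, enforcing the documented prerequisites."""
    if "grant_roles" not in effective_access(actor, cluster):
        raise PermissionError(f"{actor.login} cannot grant roles on {cluster.name}")
    if target.org != cluster.org:
        raise ValueError(f"{target.login} is not in organization {cluster.org}")
    cluster.editors.add(target.login)

def revoke_editor(actor, target, cluster):
    """Remove a Cluster Editor binding; same actor requirement as granting."""
    if "grant_roles" not in effective_access(actor, cluster):
        raise PermissionError(f"{actor.login} cannot revoke roles on {cluster.name}")
    cluster.editors.discard(target.login)

def who_can(action, users, cluster):
    """Logins whose effective access includes `action` (for access reviews)."""
    return sorted(u.login for u in users if action in effective_access(u, cluster))

# Constructed sample data for the demo below.
USERS = [User("alice", "org-1"), User("bob", "org-1"),
         User("dana", "org-1", org_admin=True), User("eve", "org-2")]

if __name__ == "__main__":
    prod = Cluster("prod", "org-1", owner="alice")
    grant_editor(USERS[0], USERS[1], prod)
    print(who_can("delete", USERS, prod))       # everyone who could delete prod
    print(who_can("grant_roles", USERS, prod))  # who can change the bindings
```

Reviewing `who_can("delete", ...)` alongside the cluster's role bindings makes it clear that Organization Administrators hold the same rights as the Cluster Owner through their account role rather than through a Cluster Editor grant.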