Chapter 4. Administering an OpenShift Dedicated Cluster
As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While logged in to an account with this role, the basic developer CLI (the
oc command) allows you increased visibility and management capabilities over objects across projects, while the administrator CLI (commands under the
oc adm command, and formerly the
oadm command) open up additional operations.
While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.
4.2. Downloading the CLI
oc CLI used for both normal developer operations and administrator operations is available for download from the Command Line Tools page in the web console. See Get Started with the CLI for more detailed installation steps.
4.3. Logging In and Verifying Permissions
You can log in as an OpenShift Dedicated cluster administration via the web console or CLI, just as you would if you were an application developer.
When you log in to the web console, all user-created projects across the cluster are visible from the main Projects page.
Use the standard
oc login command to log in with the CLI:
$ oc login <your_instance_url>
All projects are visible using:
$ oc get projects
When your account has the dedicated-cluster-admin cluster role bound to it, you are automatically bound to the dedicated-project-admin for any new projects that are created by users in the cluster.
To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-project-admin role binding for the project:
$ oc describe rolebinding.rbac -n <project_name> Name: admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User email@example.com 1 Name: dedicated-project-admin Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: dedicated-project-admin Subjects: Kind Name Namespace ---- ---- --------- User firstname.lastname@example.org 2 User email@example.com 3 ...
To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-cluster-admin and dedicated-project-admin roles, run the following:
$ oc describe clusterrole.rbac dedicated-cluster-admin $ oc describe clusterrole.rbac dedicated-project-admin
4.4. Managing Dedicated Administrators
Administrator roles are managed using a
dedicated-admins group on the cluster. Existing members of this group can edit membership. To view a list of current dedicated administrators by user name, you can use the following command:
$ oc describe group dedicated-admins
To add a new member to the
$ oc adm groups add-users dedicated-admins <user_name>
To remove an existing user from the
$ oc adm groups remove-users dedicated-admins <user_name>
If this group is currently empty or if you need assistance editing group membership, open a support case on the Red Hat Customer Portal.
4.5. Granting Permissions to Users or Groups
To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:
$ oc adm policy add-role-to-user <role> <user_name> $ oc adm policy add-role-to-group <role> <group_name>
See Managing RBAC for more details on these and related authorization tasks.
4.6. Creating Service Accounts
You can create a service account to be able to run applications like Jenkins that make calls back to OpenShift Dedicated.
See the Developer Guide for basic service account management tasks, which as a cluster administrator you can perform in any user-created project, and see Configuring Service Accounts for more advanced, cluster-wide settings.
4.7. Managing Quotas and Limit Ranges
As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.
Defaults can be set for quotas and limit ranges for new projects at creation. To request such a change, open a support case on the Red Hat Customer Portal.
4.8. What’s Next?
Further explore the Cluster Administration guide for more reference information on what’s possible with your role and what other cluster settings can be configured for you by the OpenShift Operations Team.