Administering a cluster

OpenShift Dedicated 4

An overview of administering a cluster for OpenShift Dedicated 4

Red Hat OpenShift Documentation Team


This document provides details on how to administer an OpenShift Dedicated 4 cluster.

Chapter 1. The dedicated-admin role

As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While logged in to an account with this role, the basic developer CLI (the oc command) allows you increased visibility and management capabilities over objects across projects, while the administrator CLI (commands under the oc adm command) allow you to complete additional operations.


While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.

1.1. Logging in and verifying permissions

You can log in as an OpenShift Dedicated cluster administration via the web console or CLI, just as you would if you were an application developer.

When you log in to the web console, all user-created projects across the cluster are visible from the main Projects page.

Use the standard oc login command to log in with the CLI:

$ oc login <your_instance_url>

All projects are visible using:

$ oc get projects

When your account has the dedicated-admins-cluster cluster role bound to it, you are automatically bound to the dedicated-admins-project for any new projects that are created by users in the cluster.

To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-admins-project-0 and dedicated-admins-project-1 role bindings for the project:

$ oc describe rolebinding.rbac -n <project_name>

Name:		admin
Labels:		<none>
Annotations:	<none>
  Kind:	ClusterRole
  Name:	admin
  Kind	Name			Namespace
  ----	----			---------
  User 1

Name:		dedicated-admins-project
Labels:		<none>
Annotations:	<none>
  Kind:	ClusterRole
  Name:	dedicated-admins-project
  Kind	Name			Namespace
  ----	----			---------
  User 2
  User 3
The user is a normal, project-scoped administrator for this project.
2 3
The and users are cluster administrators.

To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-admins-cluster and dedicated-admins-project roles, run the following:

$ oc describe clusterrole.rbac dedicated-admins-cluster
$ oc describe clusterrole.rbac dedicated-admins-project

1.2. Managing OpenShift Dedicated administrators

Administrator roles are managed using a dedicated-admins group on the cluster. Existing members of this group can edit membership via the Red Hat OpenShift Cluster Manager site.

1.2.1. Adding a user

  1. Navigate to the Cluster Details page and Users tab.
  2. Click the Add user button. (first user only)
  3. Enter the user name and select the group (dedicated-admins)
  4. Click the Add button.

1.2.2. Removing a user

  1. Navigate to the Cluster Details page and Users tab.
  2. Click the X to the right of the user / group combination to be deleted..

1.3. Granting permissions to users or groups

To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:

$ oc adm policy add-role-to-user <role> <user_name>
$ oc adm policy add-role-to-group <role> <group_name>

1.4. Managing service accounts

Service accounts are API objects that exist within each project. To manage service accounts, you can use the oc command with the sa or serviceaccount object type or use the web console.

The dedicated-admin service creates the dedicated-admins group. This group is granted the roles at the cluster or individual project level. Users can be assigned to this group and group membership defines who has OpenShift Dedicated administrator access. However, by design, service accounts cannot be added to regular groups.

Instead, the dedicated-admin service creates a special project for this purpose named dedicated-admin. The service account group for this project is granted OpenShift Dedicated admin roles, granting OpenShift Dedicated administrator access to all service accounts within the dedicated-admin project. These service accounts can then be used to perform any actions that require OpenShift Dedicated administrator access.

Users that are members of the dedicated-admins group, and thus have been granted the dedicated-admin role, have edit access to the dedicated-admin project. This allows these users to manage the service accounts in this project and create new ones as needed.

To get a list of existing service accounts in the current project, run:

$ oc get sa
builder    2         2d
default    2         2d
deployer   2         2d

To create a new service account, run:

$ oc create sa <service-account-name>

As soon as a service account is created, two secrets are automatically added to it:

  • an API token
  • credentials for the OpenShift Container Registry

These can be seen by describing the service account:

$ oc describe sa <service-account-name>

The system ensures that service accounts always have an API token and registry credentials.

The generated API token and registry credentials do not expire, but they can be revoked by deleting the secret. When the secret is deleted, a new one is automatically generated to take its place.

1.5. Managing quotas and limit ranges

As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.

1.6. Installing Operators from the OperatorHub

OpenShift Dedicated administrators can install Operators from a curated list provided by the OperatorHub. This makes the Operator available to all developers on your cluster to create Custom Resources and applications using that Operator.


Privileged and custom Operators cannot be installed.

Administrators can only install Operators to the default openshift-operators namespace, except for the Cluster Logging Operator, which requires the openshift-logging namespace.

Additional resources

Chapter 2. The cluster-admin role

As an administrator of OpenShift Dedicated with Customer Cloud Subscriptions (CCS), you can request additional permissions and access to the cluster-admin role within your organization’s cluster. While logged into an account with the cluster-admin role, users have increased permissions to run privileged security contexts and install additional Operators for their environment.

2.1. Enabling the cluster-admin role for your cluster

The cluster-admin role must be enabled at the cluster level before it can be assigned to a user.


  1. Open a technical support case with Red Hat to request that cluster-admin be enabled for your cluster.


  1. In the OpenShift Cluster Manager, select the cluster you want to assign cluster-admin privileges.
  2. Under the Actions dropdown menu, select Allow cluster-admin access.

2.2. Granting the cluster-admin role to users

After enabling cluster-admin rights on your cluster, you can assign the role to users.


  • Cluster access with cluster owner permissions


  1. In the OpenShift Cluster Manager, select the cluster you want to assign cluster-admin privileges.
  2. Under the Access Control tab, locate the Cluster Administrative Users section. Click Add user.
  3. After determining an appropriate User ID, select cluster-admin from the Group selection, then click Add user.


    Cluster-admin user creation can take several minutes to complete.


    Existing dedicated-admin users cannot elevate their role to cluster-admin. A new user must be created with the cluster-admin role assigned.

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.