Configure RBAC at project/namespace level in a multi-tenant environment


Environment

  • Red Hat OpenShift Container Platform (RHOCP) - 4.x
  • Red Hat OpenShift Service on AWS (ROSA)
  • Azure Red Hat OpenShift (ARO)

Issue

  • Are members of a group allowed to add other members to that group without having cluster-admin permissions?
  • How to configure RBAC at project level in multi-tenant environment?

Resolution

Tenants cannot add users to groups, because doing so requires cluster-admin permissions. They need to work with the cluster administrators to define and modify group membership. However, the following workaround can be used to manage RBAC at project/namespace level.

Work-around:
Project admins can add users as members of a project; that membership is expressed as RoleBinding objects in the project's namespace.

When adding a user to the project, they can be added in one of the three primary roles.

• admin - A project manager. The user will have rights to view any resource in the project and modify any resource in the project except for quota. A user with this role for a project will be able to delete the project.

• edit - A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings. A user with this role can create and delete applications in the project.

• view - A user who cannot make any modifications, but can see most objects in a project.

As a project admin, the following command can be executed to give the relevant access to a user; it automatically creates the associated RoleBinding in the namespace:

oc policy add-role-to-user <role> <user>

Examples:

oc policy add-role-to-user admin <username>
oc policy add-role-to-user edit <username>
oc policy add-role-to-user view <username>

Root Cause

Tenants cannot add users to groups, because doing so requires cluster-admin permissions. They need to work with the cluster administrators to define and modify group membership.

To add a user to a group, the following command must be executed with cluster-admin privileges:

oc adm groups add-users [Group-name] [user1] [user2]
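The same division of responsibility, written declaratively so it can be kept under version control, as an added example that is not part of the original article. The namespace tenant-a, the users alice and bob, and the group tenant-a-devs are assumed names; the Group object is applied by a cluster-admin, the RoleBindings by the project admin of tenant-a.

```yaml
# Added example (not from the original article). Assumed names:
# namespace "tenant-a", users "alice"/"bob", group "tenant-a-devs".

# 1) Applied by a cluster-admin only: Group objects are cluster-scoped,
#    so tenants cannot create or change them (see Root Cause above).
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: tenant-a-devs
users:
  - alice
  - bob
---
# 2) Applied by the project admin of tenant-a; this is what
#    "oc policy add-role-to-user edit alice -n tenant-a" creates.
#    The built-in "edit" ClusterRole is granted in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit-alice
  namespace: tenant-a
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: alice
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: edit
---
# 3) Binding the group instead of individual users: when membership
#    changes, the cluster-admin edits the Group and no new RoleBinding
#    is needed in the tenant namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: view-tenant-a-devs
  namespace: tenant-a
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: tenant-a-devs
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: view
```

Apply each part with `oc apply -f` as the appropriate identity, then confirm the effective permissions with `oc auth can-i create deployments -n tenant-a --as alice` (expected: yes) and `oc auth can-i create groups --as alice` (expected: no).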

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
