How to remove the cluster-admin built-in user on ROSA?
Environment
- Red Hat OpenShift Service on AWS
Issue
- How to remove the cluster-admin user for security?
- How to grant cluster-admin cluster role to another user of the identity provider on ROSA instead of cluster-admin built-in user?
Resolution
- Remove the cluster-admin built-in user as follows.
$ rosa delete admin --help
Deletes the cluster-admin user used to login to the cluster
Examples:
# Delete the admin user
rosa delete admin --cluster=mycluster
- Admin roles can also be granted and revoked as follows.
// Grant the admin roles to users
$ rosa grant user --help
Grant user access to cluster under a specific role
Examples:
# Add cluster-admin role to a user
rosa grant user cluster-admin --user=myusername --cluster=mycluster
# Grant dedicated-admins role to a user
rosa grant user dedicated-admin --user=myusername --cluster=mycluster
// Revoke the admin roles from users
$ rosa revoke user --help
Revoke role from cluster user
Examples:
# Revoke cluster-admin role from a user
rosa revoke user cluster-admins --user=myusername --cluster=mycluster
# Revoke dedicated-admin role from a user
rosa revoke user dedicated-admins --user=myusername --cluster=mycluster
- As a best practice, access the cluster with an identity provider (IDP) account instead of the built-in cluster-admin user.
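The three commands above are usually run as one procedure: grant cluster-admin to an IDP user, confirm the grant took effect, and only then delete the built-in cluster-admin user, so the cluster is never left without an administrator. The script below is an added example and is not part of the article or the ROSA CLI. It assumes the `rosa list users` output has an ID column followed by a GROUPS column, that `rosa delete admin` accepts `--yes` to skip the confirmation prompt, and it uses the plural group name `cluster-admins` shown in the article's revoke examples; if your CLI version expects the singular form used in the grant examples, adjust the group name. The `ROSA` variable exists so a wrapper or stub can stand in for the real binary.

```shell
#!/bin/sh
# Added example (not from the article): rotate from the built-in cluster-admin
# user to an IDP-backed user, verifying the grant before deleting anything.
set -eu

# Assumption: ROSA may be overridden to point at a wrapper or a test stub.
ROSA="${ROSA:-rosa}"

# Return 0 if USER holds GROUP on CLUSTER.
# Assumption: `rosa list users` prints a header row, then "ID GROUPS" rows,
# where GROUPS may be a comma-separated list.
user_has_group() {
  cluster="$1"; user="$2"; group="$3"
  "$ROSA" list users --cluster="$cluster" 2>/dev/null \
    | awk -v u="$user" -v g="$group" \
        'NR > 1 && $1 == u && index($2, g) { found = 1 } END { exit found ? 0 : 1 }'
}

# Grant cluster-admins to the IDP user, verify, then delete the built-in admin.
# Deleting first could leave the cluster with no administrator, so the order
# is grant -> verify -> delete, and the delete is refused if verification fails.
rotate_cluster_admin() {
  cluster="$1"; idp_user="$2"

  if ! user_has_group "$cluster" "$idp_user" cluster-admins; then
    "$ROSA" grant user cluster-admins --user="$idp_user" --cluster="$cluster"
  fi

  if ! user_has_group "$cluster" "$idp_user" cluster-admins; then
    echo "refusing to delete built-in admin: $idp_user does not hold cluster-admins on $cluster" >&2
    return 1
  fi

  # Assumption: --yes skips the interactive confirmation of `rosa delete admin`.
  "$ROSA" delete admin --cluster="$cluster" --yes
  echo "built-in cluster-admin removed from $cluster; $idp_user holds cluster-admins"
}

# Usage: ./rotate-admin.sh CLUSTER IDP_USER
if [ "$#" -eq 2 ]; then
  rotate_cluster_admin "$1" "$2"
fi
```

Run it as `./rotate-admin.sh mycluster myusername` with an authenticated `rosa` session. If the grant does not show up in `rosa list users`, the script exits non-zero without touching the built-in admin, which is the safe failure mode for this rotation.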
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.