How to add cluster-admin or dedicated-admin role to a group in OSD/ROSA
Environment
- Red Hat OpenShift Service on AWS (ROSA) 4
- Red Hat OpenShift Dedicated (OSD) 4
Issue
- Is it possible to add the cluster-admin or the dedicated-admin role to a group in OSD/ROSA?
- From the OCM console or the rosa CLI, it's only possible to add the cluster-admin or the dedicated-admin role to a user, but not to a group.
Resolution
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
It's not possible to add roles to a group through the OCM console or the rosa CLI directly, but there are some workarounds:
Add a role to a list of users
Using the rosa CLI, it's possible to use a script to grant the permissions to several users with the following command:
$ rosa grant user [role_name] --user=[idp_user_name] --cluster=[cluster_name]
Refer to Granting cluster-admin access and Granting dedicated-admin access for additional information.
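One way to script the command above over a list of users, as an added example (not Red Hat's or the rosa project's own code). The function name grant_role_to_users, the DRY_RUN variable and the one-username-per-line input file are assumptions; the role is restricted to the two roles this article covers, and the function exits non-zero if any grant fails.

```shell
#!/bin/sh
# Added example: grant one role to every IdP user listed in a file.
# Usage (hypothetical script name): grant-role.sh <role> <cluster> <user_file>
# Set DRY_RUN=1 to print the commands without running them.

grant_role_to_users() {
    local role="$1" cluster="$2" user_file="$3" user failed=0

    # Accept only the two roles covered here, so a typo cannot request
    # some other role.
    case "$role" in
        cluster-admin|dedicated-admin) ;;
        *) echo "unsupported role: $role" >&2; return 2 ;;
    esac
    [ -r "$user_file" ] || { echo "cannot read $user_file" >&2; return 2; }

    # "|| [ -n ... ]" also handles a last line without a trailing newline.
    while IFS= read -r user || [ -n "$user" ]; do
        # Trim surrounding whitespace; skip blank lines and # comments.
        user="$(printf '%s' "$user" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        case "$user" in ''|'#'*) continue ;; esac

        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: rosa grant user $role --user=$user --cluster=$cluster"
        # </dev/null keeps rosa from consuming the rest of the user list.
        elif rosa grant user "$role" --user="$user" --cluster="$cluster" </dev/null; then
            echo "granted $role to $user on $cluster"
        else
            echo "FAILED to grant $role to $user on $cluster" >&2
            failed=$((failed + 1))
        fi
    done < "$user_file"

    # Non-zero status if any grant failed, so a partial run is noticed.
    [ "$failed" -eq 0 ]
}

# Run only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    grant_role_to_users "$@"
fi
```

Keeping the user list in version control gives a reviewable record of who holds each admin role.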
Add a role to a group and sync the group
It's possible to add a role or a clusterrole to a group using the oc CLI:
$ oc adm policy add-role-to-group [role_name] [group_name]
$ oc adm policy add-cluster-role-to-group [role_name] [group_name]
And sync the LDAP groups in OCP following the documentation for Syncing LDAP groups.
Note: It's possible to use the Group Sync Operator, but note that this is a community operator not supported by Red Hat support.
Root Cause
It's not possible to add roles to a group through the OCM console or the rosa CLI because the group ownership is managed by OCM, but OCM cannot communicate with the IdP solution.