How to restore ClusterRoles after accidentally deleting all ClusterRoles on an OCP cluster

Solution Verified

Issue

  • All ClusterRoles on the cluster were accidentally deleted
  • Cannot log in to the API endpoint of the cluster using any user account
  • The kubeadmin user is also not available
  • The command oc delete ClusterRoles --all was run accidentally as cluster-admin

Logs

The OCP cluster is reporting the following errors.

When trying to access the API endpoint:

$ oc get nodes
Error from server (Forbidden): nodes is forbidden: User "admin" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "basic-user" not found, clusterrole.rbac.authorization.k8s.io "cluster-admin" not found]

From one of the master nodes:

$ oc adm policy who-can add clusterrole
Error during evaluation, results may not be complete: [clusterrole.rbac.authorization.k8s.io "cluster-admin" not found, clusterrole.rbac.authorization.k8s.io "basic-user" not found, clusterrole.rbac.authorization.k8s.io "admin" not found, clusterrole.rbac.authorization.k8s.io "alertmanager-main" not found, clusterrole.rbac.authorization.k8s.io "cloud-credential-operator-role" not found]
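
The two errors above share one signature: the request is denied and the message names ClusterRoles that are "not found", which means role bindings still reference roles that no longer exist. The following triage script is an added example, not part of the original article or Red Hat tooling; the function name, the CORE_ROLES set and the third sample line are assumptions made for illustration.

```python
import re

# One entry per 'clusterrole.rbac.authorization.k8s.io "<name>" not found' fragment.
MISSING_ROLE = re.compile(
    r'clusterrole\.rbac\.authorization\.k8s\.io "([^"]+)" not found')
# The denied request as worded in an API server Forbidden response.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"')
# Assumption: default roles (taken from the errors above) whose absence
# signals cluster-wide deletion rather than one removed custom role.
CORE_ROLES = {"cluster-admin", "admin", "basic-user"}

def triage(line):
    """Summarise one oc error line: what was denied and which roles are missing."""
    missing = sorted(set(MISSING_ROLE.findall(line)))
    match = FORBIDDEN.search(line)
    return {
        "request": match.groupdict() if match else None,
        "missing_roles": missing,
        # Missing roles in a denial point at dangling bindings, not a missing grant.
        "dangling_bindings": bool(missing),
        "core_roles_missing": sorted(CORE_ROLES & set(missing)),
    }

SAMPLE_LINES = [
    # First two lines are the errors quoted in this article.
    'Error from server (Forbidden): nodes is forbidden: User "admin" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "basic-user" not found, clusterrole.rbac.authorization.k8s.io "cluster-admin" not found]',
    'Error during evaluation, results may not be complete: [clusterrole.rbac.authorization.k8s.io "cluster-admin" not found, clusterrole.rbac.authorization.k8s.io "basic-user" not found, clusterrole.rbac.authorization.k8s.io "admin" not found, clusterrole.rbac.authorization.k8s.io "alertmanager-main" not found, clusterrole.rbac.authorization.k8s.io "cloud-credential-operator-role" not found]',
    # Constructed: an ordinary denial where the user simply lacks a grant.
    'Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = triage(line)
        print(result["dangling_bindings"], result["missing_roles"])
```
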

Environment

  • Red Hat OpenShift Container Platform 4.x
