This documentation is work in progress and might not be complete or fully tested.
This documentation is work in progress and might not be complete or fully tested.

API impersonation

You can configure a request to the OpenShift Container Platform API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.

Impersonating the system:admin user

You can grant a user permission to impersonate system:admin, which grants them cluster administrator permissions.

Procedure
  • To grant a user permission to impersonate system:admin, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>

Impersonating the system:admin group

When a system:admin user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2> parameters in the command to impersonate the associated groups.

Procedure
  • To grant a user permission to impersonate a system:admin by impersonating the associated cluster administration groups, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
    --as-group=<group1> --as-group=<group2>