As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While logged in to an account with this role, the basic developer CLI (the oc command) gives you increased visibility and management capabilities over objects across projects, while the administrator CLI (commands under the oc adm command) allows you to complete additional operations.

While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.

Logging in and verifying permissions

You can log in as an OpenShift Dedicated cluster administrator via the web console or CLI, just as you would if you were an application developer.

When you log into the web console, all user-created projects across the cluster are visible from the main Projects page.

Use the standard oc login command to log in with the CLI:

$ oc login <your_instance_url>

All projects are visible using:

$ oc get projects

When your account has the dedicated-admins-cluster cluster role bound to it, you are automatically bound to the dedicated-admins-project role for any new projects that users create in the cluster.

To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-admins-project-0 and dedicated-admins-project-1 role bindings for the project:

$ oc describe rolebinding.rbac -n <project_name>

Name:		admin
Labels:		<none>
Annotations:	<none>
Role:
  Kind:	ClusterRole
  Name:	admin
Subjects:
  Kind	Name			Namespace
  ----	----			---------
  User	fred@example.com (1)


Name:		dedicated-admins-project
Labels:		<none>
Annotations:	<none>
Role:
  Kind:	ClusterRole
  Name:	dedicated-admins-project
Subjects:
  Kind	Name			Namespace
  ----	----			---------
  User	alice@example.com (2)
  User	bob@example.com (2)
...
(1) The fred@example.com user is a normal, project-scoped administrator for this project.
(2) The alice@example.com and bob@example.com users are cluster administrators.
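
The check above can be scripted when you need to review who holds administrator access in a project. The following is an added example, not part of the original documentation or Red Hat's code: it parses the oc describe rolebinding.rbac text format shown above and lists the subjects of one role binding. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): read the text printed by
#   oc describe rolebinding.rbac -n <project_name>
# on stdin and report who is bound through a given role binding.

# binding_subjects BINDING -> prints "Kind Name", one subject per line.
binding_subjects() {
    awk -v want="$1" '
        /^Name:/     { cur = $2; in_subj = 0; next }  # top-level Name: starts a binding
        /^Subjects:/ { in_subj = 1; next }            # subject table follows
        /^[ \t]*$/   { in_subj = 0; next }            # blank line ends the table
        /^[^ \t]/    { in_subj = 0; next }            # any other top-level field
        in_subj && cur == want && $1 != "Kind" && $1 !~ /^-+$/ { print $1, $2 }
    '
}

# has_subject BINDING USER -> exit status 0 if USER is a subject of BINDING.
has_subject() {
    binding_subjects "$1" | grep -Fqx "User $2"
}

# Constructed sample input, modelled on the output shown above.
sample_describe_output() {
    cat <<'EOF'
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  fred@example.com

Name:         dedicated-admins-project
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  dedicated-admins-project
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  alice@example.com
  User  bob@example.com
EOF
}

sample_describe_output | binding_subjects dedicated-admins-project
```

Against a live cluster, pipe the output of oc describe rolebinding.rbac -n <project_name> into binding_subjects, passing the role binding name that the project actually shows.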

To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-admins-cluster and dedicated-admins-project roles, run the following:

$ oc describe clusterrole.rbac dedicated-admins-cluster
$ oc describe clusterrole.rbac dedicated-admins-project

Managing OpenShift Dedicated administrators

Administrator roles are managed using a dedicated-admins group on the cluster. Existing members of this group can edit membership via the OpenShift Cluster Manager.

Adding a user

  1. Navigate to the Cluster Details page and Users tab.

  2. Click the Add user button. (first user only)

  3. Enter the user name and select the group (dedicated-admins).

  4. Click the Add button.

Removing a user

  1. Navigate to the Cluster Details page and Users tab.

  2. Click the X to the right of the user / group combination to be deleted.

Granting permissions to users or groups

To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:

$ oc adm policy add-role-to-user <role> <user_name>
$ oc adm policy add-role-to-group <role> <group_name>

Managing service accounts

Service accounts are API objects that exist within each project. To manage service accounts, you can use the oc command with the sa or serviceaccount object type or use the web console.

To get a list of existing service accounts in the current project, run:

$ oc get sa
NAME       SECRETS   AGE
builder    2         2d
default    2         2d
deployer   2         2d

To create a new service account, run:

$ oc create sa <service-account-name>

As soon as a service account is created, two secrets are automatically added to it:

  • an API token

  • credentials for the OpenShift Container Registry

These can be seen by describing the service account:

$ oc describe sa <service-account-name>

The system ensures that service accounts always have an API token and registry credentials.

The generated API token and registry credentials do not expire, but they can be revoked by deleting the secret. When the secret is deleted, a new one is automatically generated to take its place.

Managing quotas and limit ranges

As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.

Installing Operators from the OperatorHub

OpenShift Dedicated administrators can install Operators from a curated list provided by the OperatorHub. This makes the Operator available to all developers on your cluster to create Custom Resources and applications using that Operator.

Privileged and custom Operators cannot be installed.

Administrators can only install Operators to the default openshift-operators namespace, except for the Cluster Logging Operator, which requires the openshift-logging namespace.
