As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While logged in to an account with this role, the basic developer CLI (the oc command) gives you increased visibility and management capabilities over objects across projects, while the administrator CLI (commands under the oc adm command) allows you to complete additional operations.

While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.

Logging in and verifying permissions

You can log in as an OpenShift Dedicated cluster administrator via the web console or CLI, just as you would if you were an application developer.

When you log in to the web console, all user-created projects across the cluster are visible from the main Projects page.

Use the standard oc login command to log in with the CLI:

$ oc login <your_instance_url>

All projects are visible using:

$ oc get projects

When your account has the dedicated-admins-cluster cluster role bound to it, you are automatically bound to the dedicated-admins-project for any new projects that are created by users in the cluster.

To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-admins-project-0 and dedicated-admins-project-1 role bindings for the project:

$ oc describe rolebinding.rbac -n <project_name>

Name:		admin
Labels:		<none>
Annotations:	<none>
  Kind:	ClusterRole
  Name:	admin
  Kind	Name			Namespace
  ----	----			---------
  User (1)

Name:		dedicated-admins-project
Labels:		<none>
Annotations:	<none>
  Kind:	ClusterRole
  Name:	dedicated-admins-project
  Kind	Name			Namespace
  ----	----			---------
  User (2)
  User (2)
(1) The user listed here is a normal, project-scoped administrator for this project.
(2) The users listed here are cluster administrators.

To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-admins-cluster and dedicated-admins-project roles, run the following:

$ oc describe clusterrole.rbac dedicated-admins-cluster
$ oc describe clusterrole.rbac dedicated-admins-project
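To make the role-binding check above repeatable across many projects, here is an added Python example (not part of the Red Hat documentation or of the oc tooling) that parses the JSON emitted by oc get rolebinding -n <project> -o json and separates ordinary project-scoped admins from OpenShift Dedicated administrators; the sample binding list and the project, user and service account names in it are constructed for this example.

```python
import json

# ClusterRoles the page describes: "admin" is the ordinary project-scoped
# administrator role; the dedicated-admins-* roles mark OpenShift Dedicated admins.
PROJECT_ADMIN_ROLES = {"admin"}
DEDICATED_ADMIN_ROLES = {"dedicated-admins-project", "dedicated-admins-cluster"}

# Constructed sample shaped like `oc get rolebinding -n demo -o json`; names are made up.
SAMPLE_ROLEBINDINGS = json.loads("""
{"kind": "RoleBindingList", "items": [
  {"metadata": {"name": "admin", "namespace": "demo"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"metadata": {"name": "dedicated-admins-project", "namespace": "demo"},
   "roleRef": {"kind": "ClusterRole", "name": "dedicated-admins-project"},
   "subjects": [{"kind": "User", "name": "bob"},
                {"kind": "ServiceAccount", "name": "ops-bot", "namespace": "dedicated-admin"}]},
  {"metadata": {"name": "admin-stale", "namespace": "demo"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": null}
]}
""")

def subject_key(subject):
    """Render a subject as Kind/name; service accounts also get @namespace."""
    key = f"{subject['kind']}/{subject['name']}"
    if subject["kind"] == "ServiceAccount":
        key += "@" + subject.get("namespace", "")
    return key

def admins_by_class(rolebinding_list):
    """Group subjects into project-admin / dedicated-admin by the ClusterRole each binding references."""
    found = {"project-admin": set(), "dedicated-admin": set()}
    for rb in rolebinding_list.get("items", []):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue  # namespaced Roles are not the admin roles the page describes
        if ref.get("name") in DEDICATED_ADMIN_ROLES:
            bucket = "dedicated-admin"
        elif ref.get("name") in PROJECT_ADMIN_ROLES:
            bucket = "project-admin"
        else:
            continue
        for subject in rb.get("subjects") or []:  # "subjects" is null when a binding is empty
            found[bucket].add(subject_key(subject))
    return {k: sorted(v) for k, v in found.items()}

def is_dedicated_admin(rolebinding_list, user_name):
    """True if the named User is bound to a dedicated-admins-* ClusterRole in this project."""
    return f"User/{user_name}" in admins_by_class(rolebinding_list)["dedicated-admin"]
```

To audit a real project, load the output of oc get rolebinding -n <project> -o json with json.load and pass it to admins_by_class.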

Managing OpenShift Dedicated administrators

Administrator roles are managed using a dedicated-admins group on the cluster. Existing members of this group can edit membership via the Red Hat OpenShift Cluster Manager site.

Adding a user

  1. Navigate to the Cluster Details page and Users tab.

  2. Click the Add user button. (first user only)

  3. Enter the user name and select the group (dedicated-admins).

  4. Click the Add button.

Removing a user

  1. Navigate to the Cluster Details page and Users tab.

  2. Click the X to the right of the user / group combination to be deleted.

Granting permissions to users or groups

To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:

$ oc adm policy add-role-to-user <role> <user_name>
$ oc adm policy add-role-to-group <role> <group_name>

Managing service accounts

Service accounts are API objects that exist within each project. To manage service accounts, you can use the oc command with the sa or serviceaccount object type or use the web console.

The dedicated-admin service creates the dedicated-admins group. This group is granted the roles at the cluster or individual project level. Users can be assigned to this group and group membership defines who has OpenShift Dedicated administrator access. However, by design, service accounts cannot be added to regular groups.

Instead, the dedicated-admin service creates a special project for this purpose named dedicated-admin. The service account group for this project is granted OpenShift Dedicated admin roles, granting OpenShift Dedicated administrator access to all service accounts within the dedicated-admin project. These service accounts can then be used to perform any actions that require OpenShift Dedicated administrator access.

Users that are members of the dedicated-admins group, and thus have been granted the dedicated-admin role, have edit access to the dedicated-admin project. This allows these users to manage the service accounts in this project and create new ones as needed.

To get a list of existing service accounts in the current project, run:

$ oc get sa
NAME       SECRETS   AGE
builder    2         2d
default    2         2d
deployer   2         2d

To create a new service account, run:

$ oc create sa <service-account-name>

As soon as a service account is created, two secrets are automatically added to it:

  • an API token

  • credentials for the OpenShift Container Registry

These can be seen by describing the service account:

$ oc describe sa <service-account-name>

The system ensures that service accounts always have an API token and registry credentials.

The generated API token and registry credentials do not expire, but they can be revoked by deleting the secret. When the secret is deleted, a new one is automatically generated to take its place.

Managing quotas and limit ranges

As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.

Installing Operators from the OperatorHub

OpenShift Dedicated administrators can install Operators from OperatorHub. This makes the Operator available to all developers on your cluster to create Custom Resources and applications using that Operator.

Administrators can only install Operators to the default openshift-operators namespace, except for the Cluster Logging Operator, which requires the openshift-logging namespace.

OLM supports only the official Operator sources, including certified, community, and redhat, for Operators to be installed using OperatorHub.

Additional resources