Understanding administration roles

The cluster-admin role

As an administrator of an OpenShift Dedicated cluster with Customer Cloud Subscriptions (CCS), you have access to the cluster-admin role. The user who created the cluster can add the cluster-admin user role to an account to have the maximum administrator privileges. These privileges are not automatically assigned to your user account when you create the cluster. While logged in to an account with the cluster-admin role, users have mostly unrestricted access to control and configure the cluster. There are some configurations that are blocked with webhooks to prevent destabilizing the cluster, or because they are managed in OpenShift Cluster Manager (OCM) and any in-cluster changes would be overwritten. Usage of the cluster-admin role is subject to the restrictions listed in your Appendix 4 agreement with Red Hat. As a best practice, limit the number of cluster-admin users to as few as possible.

The dedicated-admin role

As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While logged in to an account with the dedicated-admin role, the developer CLI commands (under the oc command) allow you increased visibility and management capabilities over objects across projects, while the administrator CLI commands (under the oc adm command) allow you to complete additional operations.

While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.

Managing OpenShift Dedicated administrators

Administrator roles are managed using a cluster-admin or dedicated-admin group on the cluster. Existing members of this group can edit membership through OpenShift Cluster Manager (OCM).

Adding a user

Procedure
  1. Navigate to the Cluster Details page and Access Control tab.

  2. Click the Add user button (first user only).

  3. Enter the user name and select the group.

  4. Click the Add button.

Adding a user to the cluster-admin group can take several minutes to complete.

Existing dedicated-admin users cannot also be added to the cluster-admin group. You must first remove the user from the dedicated-admin group before adding the user to the cluster-admin group.

Removing a user

Procedure
  1. Navigate to the Cluster Details page and Access Control tab.

  2. Click the Options menu kebab to the right of the user and group combination and click Delete.