Overview

As an administrator of an OpenShift Dedicated cluster, your account has additional permissions and access to all user-created projects in your organization’s cluster. While you are logged in to an account with this role, the basic developer CLI (the oc command) gives you increased visibility and management capabilities over objects across projects, while the administrator CLI (commands under the oc adm command, formerly the oadm command) opens up additional operations.

While your account does have these increased permissions, the actual cluster maintenance and host configuration is still performed by the OpenShift Operations Team. If you would like to request a change to your cluster that you cannot perform using the administrator CLI, open a support case on the Red Hat Customer Portal.

Downloading the CLI

The oc CLI used for both normal developer operations and administrator operations is available for download from the Command Line Tools page in the web console. See Get Started with the CLI for more detailed installation steps.

Logging In and Verifying Permissions

You can log in as an OpenShift Dedicated cluster administrator via the web console or CLI, just as you would if you were an application developer.

When you log in to the web console, all user-created projects across the cluster are visible from the main Projects page.

Use the standard oc login command to log in with the CLI:

$ oc login <your_instance_url>

All projects are visible using:

$ oc get projects

When your account has the dedicated-cluster-admin cluster role bound to it, you are automatically bound to the dedicated-project-admin role for any new projects that are created by users in the cluster.

To verify if your account has administrator privileges, run the following command against a user-created project to view its default role bindings. If you are a cluster administrator, you will see your account listed under subjects for the dedicated-project-admin role binding for the project:

$ oc describe rolebinding.rbac -n <project_name>

Name:		admin
Labels:		<none>
Annotations:	<none>
Role:
  Kind:	ClusterRole
  Name:	admin
Subjects:
  Kind	Name			Namespace
  ----	----			---------
  User	fred@example.com (1)


Name:		dedicated-project-admin
Labels:		<none>
Annotations:	<none>
Role:
  Kind:	ClusterRole
  Name:	dedicated-project-admin
Subjects:
  Kind	Name			Namespace
  ----	----			---------
  User	alice@example.com (2)
  User	bob@example.com (2)
...
1 The fred@example.com user is a normal, project-scoped administrator for this project.
2 The alice@example.com and bob@example.com users are cluster administrators.
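
When many projects need review, the check above can be scripted. The following is an added example, not part of the original documentation: it parses output in the format shown above and reports users bound to dedicated-project-admin who are not on an approved list. The function names, the approved list and the sample output are constructed for illustration.

```shell
# Added example: audit `oc describe rolebinding.rbac -n <project_name>` output.
# binding_subjects <binding_name>: reads describe output on stdin, prints "Kind Name".
binding_subjects() {
  awk -v want="$1" '
    /^Name:/     { current = $2; in_subj = 0; next }  # unindented Name starts a binding
    /^Subjects:/ { in_subj = 1; next }
    /^[^ \t]/    { in_subj = 0 }                      # any other top-level field ends Subjects
    in_subj && current == want && NF >= 2 && $1 != "Kind" && $1 !~ /^-+$/ { print $1, $2 }
  '
}

# unapproved_admins "<user> <user> ...": users on dedicated-project-admin not in the list.
unapproved_admins() {
  approved=" $1 "
  binding_subjects dedicated-project-admin | while read -r kind name; do
    [ "$kind" = "User" ] || continue
    case "$approved" in
      *" $name "*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Constructed sample in the format shown above (callout markers omitted).
sample_describe() {
  cat <<'EOF'
Name:         admin
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name              Namespace
  ----  ----              ---------
  User  fred@example.com

Name:         dedicated-project-admin
Role:
  Kind:  ClusterRole
  Name:  dedicated-project-admin
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  alice@example.com
  User  bob@example.com
EOF
}

# Live use: oc describe rolebinding.rbac -n <project_name> | unapproved_admins "<approved users>"
sample_describe | unapproved_admins "alice@example.com"
```

Any name this prints is a user with cluster-administrator-level access to the project who is not on the approved list and should be checked against the dedicated-admins group membership.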

To view details on your increased permissions, and the sets of verbs and resources associated with the dedicated-cluster-admin and dedicated-project-admin roles, run the following:

$ oc describe clusterrole.rbac dedicated-cluster-admin
$ oc describe clusterrole.rbac dedicated-project-admin

Managing Dedicated Administrators

Administrator roles are managed using a dedicated-admins group on the cluster. Existing members of this group can edit membership. To view a list of current dedicated administrators by user name, you can use the following command:

$ oc describe group dedicated-admins

To add a new member to the dedicated-admins group:

$ oc adm groups add-users dedicated-admins <user_name>

To remove an existing user from the dedicated-admins group:

$ oc adm groups remove-users dedicated-admins <user_name>

If this group is currently empty or if you need assistance editing group membership, open a support case on the Red Hat Customer Portal.

Managing the Dedicated Readers Group

Users with a dedicated-reader role are granted edit and view access to the dedicated-reader project and view-only access to the other projects.

To view a list of current dedicated readers by user name, you can use the following command:

$ oc describe group dedicated-readers

To add a new member to the dedicated-readers group, if you have dedicated-admin access:

$ oc adm groups add-users dedicated-readers <user_name>

To remove an existing user from the dedicated-readers group, if you have dedicated-admin access:

$ oc adm groups remove-users dedicated-readers <user_name>

Granting Permissions to Users or Groups

To grant permissions to other users or groups, you can add, or bind, a role to them using the following commands:

$ oc adm policy add-role-to-user <role> <user_name>
$ oc adm policy add-role-to-group <role> <group_name>

See Managing RBAC for more details on these and related authorization tasks.

Creating Service Accounts

You can create a service account to run applications, such as Jenkins, that make calls back to OpenShift Dedicated.

See the Developer Guide for basic service account management tasks, which as a cluster administrator you can perform in any user-created project, and see Configuring Service Accounts for more advanced, cluster-wide settings.

Managing Quotas and Limit Ranges

As an administrator, you are able to view, create, and modify quotas and limit ranges on other projects. This allows you to better constrain how compute resources and objects are consumed by users across the cluster.

Defaults can be set for quotas and limit ranges for new projects at creation. To request such a change, open a support case on the Red Hat Customer Portal.

What’s Next?

Further explore the Cluster Administration guide for more reference information on what’s possible with your role and what other cluster settings can be configured for you by the OpenShift Operations Team.