On a Linux machine you can use sudo to execute commands, and so far I thought there was no equivalent approach in OpenShift. How mistaken I was! It looks like since OpenShift 3.1 the APIs allow passing an additional argument with the name of the user to impersonate.
Give the developer a sudoers role
On my minishift instance I add the sudoer role to the default developer user.
$ oc whoami
$ oc login -u system:admin
Logged into "https://192.168.42.6:8443" as "system:admin" using existing credentials.
role "sudoer" added: "developer"
$ oc login -u developer
Logged into "https://192.168.42.6:8443" as "developer" using existing credentials.
Using the new role
From now on, the developer user can execute commands as system:admin. For example, listing all nodes is possible, which does not work without impersonation.
Error from server (Forbidden): User "developer" cannot list all nodes in the cluster
NAME STATUS AGE
192.168.42.6 Ready 6d
I executed the commands using minishift and the following client/server versions of OpenShift.
OpenShift origin impersonation docs: https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#authentication-impersonation
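Because the sudoer role lets developer act as system:admin, it is worth reviewing the master's audit log for impersonated requests. The following is an added example, not part of the original post: it assumes basic (one-line) API audit logging is enabled, where each request line carries user="..." and as="..." and as="<self>" means no impersonation. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list API requests that were sent on behalf of another user.
# Assumption: basic (one-line) API audit logging is enabled on the master, so
# each request line carries user="..." and as="..."; as="<self>" means the
# caller did not impersonate anyone.

# Constructed sample lines, not taken from a real cluster.
sample_audit_log() {
  cat <<'EOF'
2017-11-02T10:15:01.000000000+00:00 AUDIT: id="00000000-0000-0000-0000-000000000001" ip="192.168.42.1" method="GET" user="developer" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/api/v1/nodes"
2017-11-02T10:15:01.000000001+00:00 AUDIT: id="00000000-0000-0000-0000-000000000001" response="403"
2017-11-02T10:15:09.000000000+00:00 AUDIT: id="00000000-0000-0000-0000-000000000002" ip="192.168.42.1" method="GET" user="developer" as="system:admin" asgroups="<lookup>" namespace="<none>" uri="/api/v1/nodes"
2017-11-02T10:15:09.000000001+00:00 AUDIT: id="00000000-0000-0000-0000-000000000002" response="200"
EOF
}

# Reads audit lines on stdin; prints "<caller> as <impersonated> <method> <uri>".
find_impersonation() {
  awk '
    # Return the value of key="value" in line, or "" when the key is absent.
    function field(line, key,    pat) {
      pat = " " key "=\"[^\"]*\""
      if (!match(line, pat)) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    / AUDIT: / {
      target = field($0, "as")
      # Response lines have no as= field; "<self>" is an ordinary request.
      if (target != "" && target != "<self>")
        printf "%s as %s %s %s\n", field($0, "user"), target, field($0, "method"), field($0, "uri")
    }'
}

sample_audit_log | find_impersonation
```

On a real master, pipe the configured audit log file into find_impersonation instead of the sample.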