Bartosz Bierkowski - Low dose cloud

OpenShift Morsels: check and grant roles

Continuing the topic of inspecting permissions in the projects on day #16

We had a look at checking specific permission to the resource OpenShift Morsels: check your user’s permissions and also looking at who has some permissions in the context of project in OpenShift Morsels: check permissions in project.

In OpenShift and since this year also in Kubernetes, the permissions are grouped into roles. It is much easier to manage it and grant a role than a set of permissions.

To list all role bindings in the project, you can use the command below. They are standard roles in the

Here you can see 5 role bindings, each having a different role. Some have users, groups or service accounts listed.

Describing a role binding returns prints out detailed list of permissions on resources. As you can see, the deployer has a minimal set of permissions granted by default. Just enough to perform successful deployments, but not to see builds or secrets in the project. You can learn how to test it from: OpenShift Morsels: login as a service account

The role binding is automatically created after the user is granted a role in the project. Lets create a service account and grant it role edit .

Using above the -z  indicates that my-editor  is a service account in current project. Without it the my-editor  will be displayed in users column. The difference is quite significant. Usually you need to use fully qualified service account name system:serviceaccounts:<project>:<service-account>.

Listing the rolebindings prints out the new connection between service account and the role. In the example below you can also see that I created the tester service account in project enterprise  and used its full name to grant it view role in project constellation . It is then displayed in users column, as I used the fully qualified service account name.

Giving the permissions to service account from another project. In this case I am in project constellation  and grant role to default  service account from enterprise  project


The commands were executed using minishift and the following client/server versions of OpenShift.

oc v3.6.1+008f2d5
client kubernetes v1.6.1+5115d708d7
openshift v3.6.0+c4dd4cf
server kubernetes v1.6.1+5115d708d7


Thanks for reading the OpenShift morsels. To get updates about new articles, you can sign up to the newsletter below.

As a thank you message, you will also get access to OpenShift CLI CheatSheet listing most commonly used commands together with a short explanation.

Did you like the article?
Join the newsletter to receive notifications about new articles.
I respect your privacy.