Bartosz Bierkowski - Low dose cloud

OpenShift Morsels: check permissions in project

On day #15 we will take a look at the complementary actions that give you an overview of permissions from a different perspective.

Yesterday we looked at how to find out what your account can do in OpenShift: OpenShift Morsels: check your user’s permissions.

On the other hand, it is also good to know who has a certain permission in the project.

Here you can see a detailed list of users, mostly service accounts, that can list pods in your project. This also reveals a bit about how Kubernetes and OpenShift work. Most of the service accounts that have access to your projects are controllers that steer the behaviour of the whole system.
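To make the "mostly service accounts" observation easier to review, here is an added example (not from the original post) that sorts the subjects of such a listing into service accounts from the project itself, service accounts from other namespaces, other users, and groups. It assumes the listing comes from `oc policy who-can list pods` and has the layout of the constructed sample below; the function names and sample subjects are made up for illustration.

```shell
#!/bin/sh
# Constructed sample (not real cluster output), in the layout assumed
# for `oc policy who-can list pods` on OpenShift 3.x.
sample_who_can() {
cat <<'EOF'
Namespace: myproject
Verb:      list
Resource:  pods

Users:  developer
        system:admin
        system:serviceaccount:kube-system:replication-controller
        system:serviceaccount:myproject:deployer
        system:serviceaccount:openshift-infra:build-controller

Groups: system:cluster-admins
        system:cluster-readers
        system:masters
EOF
}

# Read a who-can listing on stdin and print "<kind> <subject>" per line.
#   sa-local   service account defined in the queried namespace
#   sa-foreign service account from another namespace (typically a controller)
#   user       any other entry from the Users section
#   group      entry from the Groups section
classify_subjects() {
  awk '
    /^Namespace:/ { ns = $2; next }
    /^Users:/     { section = "user";  sub(/^Users:[ \t]*/, "") }
    /^Groups:/    { section = "group"; sub(/^Groups:[ \t]*/, "") }
    section == "" || NF == 0 { next }
    {
      kind = section
      # Service accounts are named system:serviceaccount:<namespace>:<name>
      if (section == "user" && split($1, p, ":") == 4 &&
          p[1] == "system" && p[2] == "serviceaccount")
        kind = (p[3] == ns) ? "sa-local" : "sa-foreign"
      print kind, $1
    }
  '
}

# On a cluster: oc policy who-can list pods | classify_subjects
# Here the constructed sample is used, sorted so each kind is grouped.
sample_who_can | classify_subjects | sort
```

The `user` and `group` lines are the ones worth checking against the people you expect to have access; with a cluster-wide listing the namespace is `<all>`, so every service account is reported as `sa-foreign`.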

The next step is to check who can execute these operations at the cluster level. The flag --all-namespaces indicates that you need cluster-level permissions to execute it. Unfortunately, there is no API to target all the namespaces that you have access to. The default developer user in minishift does not have cluster-level permissions, as you can see below.

In minishift you can log in as system:admin to get the cluster admin role.

And then check who can list pods across the namespaces. As you can see in the output below, the namespace is now printed out as <all>.

In minishift you can also execute single instructions more easily as a user with cluster admin privileges. As I described, you can impersonate the system:admin user: OpenShift CLI morsels: sudo and user impersonation. The only difference is that you work as a normal user and use the --as system:admin parameter.


The commands were executed using minishift and the following client/server versions of OpenShift.

oc v3.6.1+008f2d5
client kubernetes v1.6.1+5115d708d7
openshift v3.6.0+c4dd4cf
server kubernetes v1.6.1+5115d708d7

