Impersonating the system:admin user

API impersonation

You can configure a request to the OKD API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.

Impersonating the system:admin user

You can grant a user permission to impersonate system:admin, which grants them cluster administrator permissions.

Procedure

  • To grant a user permission to impersonate system:admin, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>

    You can alternatively apply the following YAML to grant permission to impersonate system:admin:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <any_valid_name>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: sudoer
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: <username>

Impersonating the system:admin group

When a system:admin user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2> parameters in the command to impersonate the associated groups.

Procedure

  • To grant a user permission to impersonate system:admin by impersonating the associated cluster administration groups, run the following command:

    $ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
      --as-group=<group1> --as-group=<group2>
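
Because a binding to sudoer is equivalent to cluster administrator access, it is worth reviewing who holds one. The following audit sketch is an added example, not part of the OKD documentation: it goes beyond the sudoer role and flags any ClusterRole that allows impersonating system:admin. It assumes the input has the shape of the items list from `oc get clusterroles,clusterrolebindings -o json`; the sample data, including the sudoer rule and the helper names, is constructed.

```python
TARGET = "system:admin"
USER_GROUPS = {"", "user.openshift.io", "*"}   # API groups that serve user objects
USER_RESOURCES = {"users", "systemusers", "*"}

def role_allows_impersonation(role, target=TARGET):
    """True if any rule of a ClusterRole lets its holder impersonate `target`."""
    for rule in role.get("rules") or []:
        names = rule.get("resourceNames") or []
        if (USER_GROUPS & set(rule.get("apiGroups") or [])
                and USER_RESOURCES & set(rule.get("resources") or [])
                and {"impersonate", "*"} & set(rule.get("verbs") or [])
                # No resourceNames means the rule covers every user name.
                and (not names or target in names)):
            return True
    return False

def impersonators(items, target=TARGET):
    """Return sorted (binding, subject kind, subject name) able to impersonate `target`."""
    risky = {i["metadata"]["name"] for i in items
             if i["kind"] == "ClusterRole" and role_allows_impersonation(i, target)}
    return sorted(
        (i["metadata"]["name"], s["kind"], s["name"])
        for i in items
        if i["kind"] == "ClusterRoleBinding" and i["roleRef"]["name"] in risky
        for s in i.get("subjects") or [])

def make_role(name, **rule):  # hypothetical helper for building sample data
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [rule]}

def make_binding(name, role, kind, subject):  # hypothetical helper
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": kind, "name": subject}]}

# Constructed sample, not copied from a cluster. Only the names "sudoer" and
# "system:admin" come from the page; the sudoer rule shown here is a stand-in.
SAMPLE_ITEMS = [
    make_role("sudoer", apiGroups=["", "user.openshift.io"], verbs=["impersonate"],
              resources=["systemusers", "users"], resourceNames=["system:admin"]),
    make_role("pod-reader", apiGroups=[""], verbs=["get", "list"], resources=["pods"]),
    make_role("helpdesk-impersonate", apiGroups=[""], verbs=["impersonate"], resources=["users"]),
    make_binding("alice-sudo", "sudoer", "User", "alice"),
    make_binding("ops-readers", "pod-reader", "Group", "ops"),
    make_binding("helpdesk", "helpdesk-impersonate", "Group", "helpdesk"),
]

if __name__ == "__main__":
    for binding, kind, name in impersonators(SAMPLE_ITEMS):
        print(f"{kind} {name} can impersonate {TARGET} via binding {binding}")
```

The helpdesk binding is flagged even though it never mentions sudoer, because an impersonate rule without resourceNames also covers system:admin.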