Impersonating the system:admin user
API impersonation
You can configure a request to the OKD API to act as though it originated from another user. For more information, see User impersonation in the Kubernetes documentation.
Impersonating the system:admin user
You can grant a user permission to impersonate system:admin
, which grants them cluster administrator permissions.
Procedure
To grant a user permission to impersonate
system:admin
, run the following command:$ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --user=<username>
You can alternatively apply the following YAML to grant permission to impersonate
system:admin
:apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: <any_valid_name>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sudoer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <username>
Impersonating the system:admin group
When a system:admin
user is granted cluster administration permissions through a group, you must include the --as=<user> --as-group=<group1> --as-group=<group2>
parameters in the command to impersonate the associated groups.
Procedure
To grant a user permission to impersonate a
system:admin
by impersonating the associated cluster administration groups, run the following command:$ oc create clusterrolebinding <any_valid_name> --clusterrole=sudoer --as=<user> \
--as-group=<group1> --as-group=<group2>