User Management Overview users ServiceAccounts Groups

In this lesson, we explore how OpenShift manages users, service accounts, and groups. Like Kubernetes and many other platforms, OpenShift employs robust authentication methods, identity grouping, and dedicated service accounts to execute automated tasks securely and efficiently.

Users

In OpenShift, a user is typically an individual who logs into the system. Examples include administrators, developers, or operators who manage resources on the platform. In addition to individual users, system users—often created and managed by the infrastructure—serve as cluster administrators with extensive privileges. It is important to note that system users should be used sparingly in day-to-day operations to mitigate the risk of unintended system-wide changes.

Below is a diagram illustrating the structure of regular users and system users along with their permission levels:

Creating a User

To create a new user via the OpenShift CLI, use the following command (for example, creating a user named "mike"):

oc create user mike

After creating the user, you must map an identity to associate the predefined policy with the user. Although an "allow all" rule exists by default in the cluster, mapping the identity ensures that the appropriate permissions are bound to the new user:

oc create useridentitymapping allow_all:mike

If you need to remove the user later, execute:

oc delete user mike

Service Accounts

Service accounts are special accounts designed for automated tasks and direct API access. For security reasons, it is best practice to create dedicated service accounts rather than using the default one, which, if compromised, may pose a significant security risk.

Service accounts are treated as API resources similar to Deployments, Services, or Ingresses in Kubernetes.

Creating and Managing Service Accounts

Create a service account using the following command (e.g., creating a service account named "mikesa"):

oc create sa mikesa

To verify that the service account has been successfully created, list all service accounts:

oc get sa

Service accounts are instrumental in interacting with the Kubernetes API. For instance, to grant the service account mikesa in the sockshop namespace view-only access, assign the corresponding role with:

oc policy add-role-to-user view system:serviceaccount:sockshop:mikesa

You can also apply roles to a service account via a group command if necessary:

oc policy add-role-to-group view system:serviceaccount:sockshop:mikesa

Groups

Groups in OpenShift allow you to manage permissions for multiple users collectively. This approach simplifies role assignment, as you can target a group rather than assigning permissions individually. For example, if an engineering team requires "view" access across various projects, adding all team members to a group and binding a role to that group is more efficient and manageable.

Groups can also be scoped to specific namespaces. If a particular team needs read/write access only within a designated namespace, create the group and bind the role accordingly.

Creating a Group

To create a new group that includes specific users, use the administrative command. For example, to create a group named "mikesgroup" comprising users "mike" and "michelle", run:

oc adm groups new mikesgroup mike michelle

To retrieve a list of groups and review their details, execute:

oc get groups

With this overview, you now have a solid understanding of how to create and manage users, service accounts, and groups in OpenShift. In the upcoming demo, we will demonstrate how these components are applied in real-world scenarios, solidifying your grasp of OpenShift's security and access control mechanisms.

For more information, refer to the OpenShift Documentation and explore related topics such as Kubernetes Basics.