6

I can add users to the cluster-role "cluster-admin" with:

oc adm policy add-cluster-role-to-user cluster-admin <user>

But how can I list all users with the role cluster-admin?

Environment: OpenShift 3.x

tlo

5 Answers

10

Found it myself:

It's in the RoleBinding[cluster-admins]: section of:

oc describe clusterPolicyBindings :default

With jq you can get the list of users in one command:

oc get --all-namespaces --output json clusterPolicyBindings | jq '.items[].roleBindings[] | select(.name=="cluster-admins") | .roleBinding.userNames'

For OpenShift 3.7 and newer:

oc get clusterrolebindings -o json | jq '.items[] | select(.metadata.name=="cluster-admins") | .userNames'
tlo
  • If anyone is looking for how to check in a script whether a user has a local role binding, to know whether to grant it, I used this answer to come up with this, which works on OpenShift 3.11: https://github.com/ocd-scm/ocd-environment-webhook/blob/c87f67182b4e49388b9682e0a2c1767b3ef42625/install.sh#L76 – simbo1905 Feb 02 '19 at 21:04
2

In OpenShift 3.9, the cluster admins are located in different dictionaries (cluster-admin-0, cluster-admin-1, and so on). To list them:

oc get clusterrolebinding -o json | jq '.items[] | select(.metadata.name | startswith("cluster-admin")) | .userNames'
alixander
0

OpenShift 4.8

oc get clusterrolebindings -o json |
  jq '.items[] | select(.metadata.name=="cluster-admins") | .subjects[].name'
sastorsl
0

Most of the above responses do not address OP's question:

But how can I list all users with the role cluster-admin?

Instead they are getting the users behind a very specific clusterrolebinding named cluster-admins, not all users belonging to any clusterrolebinding that gets the ClusterRole/cluster-admin.

For that, in OpenShift 4.8, you would filter by the role assigned to the clusterrolebinding first, and then get the users:

oc get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects[]? | select(.kind=="User") | .name'
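
An added example, not part of any answer on this page: a Python version of the roleRef filter above for access reviews, which also reports groups and service accounts and shows which binding grants each subject the role. The sample data and the names in it are constructed, and the fallback to `userNames` when a binding has no `subjects` is an assumption based on the 3.x commands quoted earlier.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `oc get clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admins"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:cluster-admins"},
                  {"kind": "User", "name": "system:admin"}]},
    {"metadata": {"name": "cluster-admin-0"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "cluster-admin-1"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"metadata": {"name": "empty"}, "roleRef": {"name": "cluster-admin"},
     "subjects": None},                      # binding with no subjects
    {"metadata": {"name": "legacy"}, "roleRef": {"name": "cluster-admin"},
     "userNames": ["bob"]},                  # 3.x-style field, no subjects
    {"metadata": {"name": "cluster-readers"}, "roleRef": {"name": "cluster-reader"},
     "subjects": [{"kind": "User", "name": "carol"}]},
]}


def cluster_role_subjects(bindings, role="cluster-admin"):
    """Return {(kind, name): [binding names]} for every subject bound to `role`."""
    found = defaultdict(set)
    for item in bindings.get("items", []):
        if (item.get("roleRef") or {}).get("name") != role:
            continue                         # filter on the role, not the binding name
        binding = item.get("metadata", {}).get("name", "<unnamed>")
        subjects = item.get("subjects") or []
        for s in subjects:
            name = s.get("name", "")
            if s.get("kind") == "ServiceAccount" and s.get("namespace"):
                name = f"{s['namespace']}/{name}"
            found[(s.get("kind", "?"), name)].add(binding)
        if not subjects:                     # assumption: fall back to 3.x userNames
            for user in item.get("userNames") or []:
                found[("User", user)].add(binding)
    return {key: sorted(names) for key, names in found.items()}


if __name__ == "__main__":
    # Usage: oc get clusterrolebindings -o json | python3 this_script.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for (kind, name), via in sorted(cluster_role_subjects(data).items()):
        print(f"{kind:15} {name:30} via {', '.join(via)}")
```

Group subjects are listed but not expanded, so members of a bound group still have to be resolved separately.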
0

From my side, the command for OpenShift 3.7+ for cluster-admins is:

oc get --all-namespaces --output json clusterPolicyBindings | jq '.items[].roleBindings[] | select(.name=="cluster-admin") | .roleBinding.userNames'

For the cluster-reader role:

oc get clusterrolebindings -o json | jq '.items[] | select(.metadata.name=="cluster-readers") | .userNames'