
I have set up a collaborator account with the role "view". I now want to grant this user the ability to tag images using oc tag.

Following these instructions I have:

oc get clusterrole view -o yaml > role_edittags.yaml
# 1. Update kind: ClusterRole to kind: Role
# 2. Update name: view to name: edittags
# 3. Remove resourceVersion, selfLink, uid, and creationTimestamp
# 4. split up the section with {imagestreamimages,imagestreammappings,imagestreams,imagestreamtags} into two sections:
- apiGroups:
  - image.openshift.io
  - ""
  attributeRestrictions: null
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - image.openshift.io
  - ""
  attributeRestrictions: null
  resources:
  - imagestreamtags
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - deletecollection

I then oc project into the project where I want to grant the role and import it with:

$ oc create -f role_edittags.yaml
role "edittags" created

When I try to grant it to the user I get an error:

$ oc policy add-role-to-user edittags myuser
Error from server (NotFound): rolebindings.authorization.openshift.io "edittags" not found

How do I grant oc tag permissions to a user?

Thanks!

update:

I found a pre-existing role registry-editor listed in "example 1" on the link above that does the job:

$ oc policy add-role-to-user registry-editor myuser
role "registry-editor" added: "myuser"

I am still curious to know how I might create a custom role if there isn't a ready made one. Thanks again!

simbo1905

2 Answers


Please refer to the OpenShift Documentation on Creating a local role.

Specifically, to bind a user to a local role, you need to specify the --role-namespace to the oc policy add-role-to-user command.

Will Gordon
Thanks for the link, but I usually read the docs and try the Red Hat blogs before asking a question here. Specifically, I find that piece of docs vague and not enough of a worked example to solve real-world problems. That could just be me, but in case someone else is at my level I think a worked example answer would help the community. – simbo1905 Jun 13 '18 at 06:25

There is a good example in the Helm template for openshift which grants write access to configmaps. All the default roles are shown with oc describe clusterPolicy default, which is a good starting place to write a new role similar to an existing one. In my case, the existing role registry-editor was what I needed to automate promotions by tagging images and pulling upstream patches from the RedHat container catalogue.

Update:

Here is how to create a local role that can start an openshift build:

oc create role buildinstantiate --verb=create --resource=buildconfigs.build.openshift.io/instantiate -n hubot

oc adm policy add-role-to-user buildinstantiate myuser --role-namespace=hubot -n hubot

simbo1905
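As an added example (not code from the question or either answer), the script below performs the four manual steps from the question on the output of `oc get clusterrole view -o json` and emits the namespaced Role together with a RoleBinding whose roleRef is of kind Role, which is what binding with `--role-namespace` achieves in the accepted answer. It also checks that the derived role can write nothing but imagestreamtags. Assumptions: the sample ClusterRole is constructed with only two rules, and the binding uses the upstream rbac.authorization.k8s.io/v1 API, which the cluster is assumed to serve.

```python
import json

# Constructed stand-in for `oc get clusterrole view -o json`; the real "view"
# ClusterRole has many more rules, which pass through unchanged.
SAMPLE_VIEW_CLUSTERROLE = {
    "apiVersion": "authorization.openshift.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "view", "uid": "abc", "resourceVersion": "7"},
    "rules": [
        {"apiGroups": ["image.openshift.io", ""], "attributeRestrictions": None,
         "resources": ["imagestreamimages", "imagestreammappings",
                       "imagestreams", "imagestreamtags"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "attributeRestrictions": None, "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}
TAG_WRITE_VERBS = ["create", "update", "patch", "deletecollection"]
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def clusterrole_to_tag_editor_role(clusterrole, name, namespace):
    """The question's four steps: ClusterRole -> namespaced Role, rename, drop
    server-managed metadata, split the image rule so only imagestreamtags is writable."""
    role = {"apiVersion": clusterrole["apiVersion"], "kind": "Role",
            "metadata": {"name": name, "namespace": namespace}, "rules": []}
    for rule in clusterrole["rules"]:
        others = [r for r in rule["resources"] if r != "imagestreamtags"]
        if others:   # every other resource keeps the original (read-only) verbs
            role["rules"].append(dict(rule, resources=others))
        if len(others) < len(rule["resources"]):   # rule named imagestreamtags: split it out
            role["rules"].append(dict(rule, resources=["imagestreamtags"],
                                      verbs=rule["verbs"] + TAG_WRITE_VERBS))
    return role

def writable_resources(role):
    """Least-privilege check: a tag-editor role must return exactly {'imagestreamtags'}."""
    return {r for rule in role["rules"] if WRITE_VERBS & set(rule["verbs"])
            for r in rule["resources"]}

def rolebinding_for(role, user):
    """Bind the Role in its own namespace via the upstream RBAC API (assumed to be
    served). roleRef.kind is Role: `oc policy add-role-to-user` without
    --role-namespace looks for a ClusterRole instead, hence the NotFound error."""
    name, ns = role["metadata"]["name"], role["metadata"]["namespace"]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": ns},
            "subjects": [{"kind": "User", "name": user, "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": "Role", "name": name, "apiGroup": "rbac.authorization.k8s.io"}}

if __name__ == "__main__":   # pipe the output to `oc create -f -` in the target project
    role = clusterrole_to_tag_editor_role(SAMPLE_VIEW_CLUSTERROLE, "edittags", "myproject")
    assert writable_resources(role) == {"imagestreamtags"}
    print(json.dumps({"apiVersion": "v1", "kind": "List",
                      "items": [role, rolebinding_for(role, "myuser")]}, indent=2))
```

To run it against a real cluster, replace SAMPLE_VIEW_CLUSTERROLE with `json.load(sys.stdin)` fed from `oc get clusterrole view -o json`, and pipe the printed List into `oc create -f -` while inside the target project.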