cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
alleb
Mission Specialist
Mission Specialist
‎08-18-2022 09:06 PM
  • 11.1K Views

How to list groups

Jump to solution

While doing the DO280 course one of the guided labs has us remove the self-provisioners cluster role from the system:authenticated:oauth virtual group and then later add it back.

Is there a way to find these system groups with the oc command?  oc get group doesn't list them, and oc adm groups doesn't have a list option.

I'm not sure if I'm missing something or if this type of group is something that you can only know about through documentation?

Labels (1)
Labels
Join the discussion
2 Solutions

Accepted Solutions
Natalie_Lind
Flight Engineer
Flight Engineer
‎08-19-2022 04:33 PM
  • 11K Views

Jump to solution

These "groups" are a part of cluster roles and cluster role bindings. As a cluster admin, you can retrieve a list of cluster roles with the oc get clusterrole command. To retrieve only the "system:" cluster roles, you can use the oc get clusterrole | grep system: command.

If you want to view the cluster role bindings (the service accounts that are linked to the cluster roles), you can use the oc get clusterrolebindings command.

Finally, for a list of all cluster role bindings that contain "system:authenticated", you can output the oc get clusterolebindings command to JSON and then parse with JQ. More specifically, the oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[].name | startswith("system:authenticated"))' command will return all cluster role bindings where the subject (or service account) contains "system:authenticated".

Natalie Watkins
Manager - Technical Training, OpenShift Platforms
Product & Technical Learning

View solution in original post

flozano
Moderator
Moderator
‎08-19-2022 05:11 PM
  • 11K Views

Jump to solution

Unfortunately there's no way of listing all groups (nor all users) in Kubernetes. "Subjects", be they users, groups, or something else, are not managed by standard Kubernetes APIs and are just string fields in many resources. It is up to the controllers enabled in your cluster how to interpret these strings and up to external authentication and authorization plugins how to define "valid" subjects and how they map to each other, for example which groups a user is member of.

OpenShift includes an OAuth server and the group, user, and identity resources that exist in OpenShift relate to that internal OAuth server and are not standard Kubernetes resource. You might not be using any of them, for example if your cluster is configured to delegate authentication to an external OIDC server.

Natalie shows an indirect way of getting such lists of users and groups, by finding the string values in other resources. As a Kubernetes administrator, you can assign whatever string value to the attributes of these resources. If no controller understand that string, it'll be just ignored so you could easy create a role binding that grants no one any permission because no one is mapped to these strings. Kubernetes would not know you're referencing a non-existent user or group.

Some users and groups with the 'system:" prefix are hard-coded in Kubernetes, that is, by the standard set of controllers that you get with Kubernetes. You can see partials listing of them scattered around the Kubernetes documentation, for example:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects

Some roles and rolebindings are also hardcoded in Kubernetes and extension controllers, so just listing all clusterrolebindings and project-scoped rolebindins will not give you the complete picture of what a user (or app service account) can do and cannot do.

If can list what you can do, at a somewhat low level, using the command:

$ kubectl auth can-i --list

And of course you could use "oc" in place of "kubectl" above.

View solution in original post

10 Replies
Natalie_Lind
Flight Engineer
Flight Engineer
‎08-19-2022 04:33 PM
  • 11K Views

Jump to solution

These "groups" are a part of cluster roles and cluster role bindings. As a cluster admin, you can retrieve a list of cluster roles with the oc get clusterrole command. To retrieve only the "system:" cluster roles, you can use the oc get clusterrole | grep system: command.

If you want to view the cluster role bindings (the service accounts that are linked to the cluster roles), you can use the oc get clusterrolebindings command.

Finally, for a list of all cluster role bindings that contain "system:authenticated", you can output the oc get clusterolebindings command to JSON and then parse with JQ. More specifically, the oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[].name | startswith("system:authenticated"))' command will return all cluster role bindings where the subject (or service account) contains "system:authenticated".

Natalie Watkins
Manager - Technical Training, OpenShift Platforms
Product & Technical Learning
flozano
Moderator
Moderator
‎08-19-2022 05:11 PM
  • 11K Views

Jump to solution

Unfortunately there's no way of listing all groups (nor all users) in Kubernetes. "Subjects", be they users, groups, or something else, are not managed by standard Kubernetes APIs and are just string fields in many resources. It is up to the controllers enabled in your cluster how to interpret these strings and up to external authentication and authorization plugins how to define "valid" subjects and how they map to each other, for example which groups a user is member of.

OpenShift includes an OAuth server and the group, user, and identity resources that exist in OpenShift relate to that internal OAuth server and are not standard Kubernetes resource. You might not be using any of them, for example if your cluster is configured to delegate authentication to an external OIDC server.

Natalie shows an indirect way of getting such lists of users and groups, by finding the string values in other resources. As a Kubernetes administrator, you can assign whatever string value to the attributes of these resources. If no controller understand that string, it'll be just ignored so you could easy create a role binding that grants no one any permission because no one is mapped to these strings. Kubernetes would not know you're referencing a non-existent user or group.

Some users and groups with the 'system:" prefix are hard-coded in Kubernetes, that is, by the standard set of controllers that you get with Kubernetes. You can see partials listing of them scattered around the Kubernetes documentation, for example:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects

Some roles and rolebindings are also hardcoded in Kubernetes and extension controllers, so just listing all clusterrolebindings and project-scoped rolebindins will not give you the complete picture of what a user (or app service account) can do and cannot do.

If can list what you can do, at a somewhat low level, using the command:

$ kubectl auth can-i --list

And of course you could use "oc" in place of "kubectl" above.

Akhil1402
Cadet
Cadet
2 weeks ago
  • 551 Views

Jump to solution

Hello All

Am not list users or group which are created getting below error.

can someone let me know why am not able to list it and how to fix the error.

openshift@localhost:~$ oc get users
Error from server (NotFound): Unable to list "users": the server could not find the requested resource

openshift@localhost:~$ oc get groups
Error from server (NotFound): Unable to list "groups": the server could not find the requested resource

TudorRaduta
Community Manager
Community Manager
2 weeks ago
  • 539 Views

Jump to solution

@Akhil1402 check if the resource exists

Akhil1402
Cadet
Cadet
2 weeks ago
  • 506 Views

Jump to solution

@TudorRaduta here the status showing in resource was false state. 

The issue which am facing was due to that. ?

api_resources.png

0 Kudos
Chetan_Tiwary_
Community Manager
Community Manager
2 weeks ago
  • 533 Views

Jump to solution

@Akhil1402 please provide the following input :

#oc whoami

#oc version

 

You should be login as cluster admin to get the users and groups.

0 Kudos
flozano
Moderator
Moderator
2 weeks ago
  • 516 Views

Jump to solution

In addition to being logged in with cluster-admin rights, you need a cluster which actually uses user and group resources from OpenShift Authentication.

If your cluster is setup to use an external OIDC provider, there will be no group resources (I guess a user for the logged in user will be created). Group membership will be checked against the OIDC token claims.

Akhil1402
Cadet
Cadet
2 weeks ago
  • 506 Views

Jump to solution

Hello @Chetan_Tiwary_ 

please find the output of both the commands. I logged in with kubeadmin user.

openshift@localhost:~$ oc whoami
kube:admin
openshift@localhost:~$ oc version
oc v3.10.0+dd10d17
kubernetes v1.10.0+b81c8f8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://api.ocp4.mylab.local:6443
kubernetes v1.31.11
openshift@localhost:~$

flozano
Moderator
Moderator
2 weeks ago
  • 478 Views

Jump to solution

From the outputs, I see you're using an OpenShift 3 (Kubernetes 1.10)  client with an OpenShift 4 cluster (Kubernetes 1.31). Kubernetes (and consequently OpenShift) do not guarantee compatibility of clients with clusters more than two MINOR releases higher.

Please get an OpenShift client that matches your OpenShift cluster release and try again.

Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright ?2025 Red Hat, Inc. Privacy policy Terms of use