Richard4
Mission Specialist
Mission Specialist
  • 1,617 Views

Openshift - oc adm policy vs oc policy

Hello

As a cluster user named admin, when I run the commnds below is there a difference in the end result? I am questioning the "oc adm policy" versus "oc policy". 

oc adm policy add-role-to-user admin tom -n games

oc policy add-role-to-user admin tom -n games

 

The main difference is that oc adm policy is for cluster admins while the oc policy  is for project admins ?

Labels (1)
4 Replies
Wasim_Raja
Moderator
Moderator
  • 1,589 Views

@Richard4 Thanks for reaching out.

Yes, you are correct. The oc adm policy command is used by cluster administrators to manage cluster-wide policies, while the oc policy command is used by project administrators to manage policies within a project.

In your example, both commands will add the admin role to the user tom in the games project. However, the oc adm policy command is used to manage cluster-wide policies, while the oc policy command is used to manage policies within a project.

Chetan_Tiwary_
Moderator
Moderator
  • 1,533 Views

Hello @Richard4 !

Thanks for reaching out!

In all the latest official docs I can see only oc adm command :

Chetan_Tiwary__5-1702657500534.png

https://docs.openshift.com/container-platform/4.12/authentication/using-rbac.html 

Recall - 

Take a look at this diagram : 

Chetan_Tiwary__2-1702656805130.png

 

 

 

Chetan_Tiwary__0-1702656625048.png

 

Cluster Role Binding maps a user, group or service account to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods).

Role Bindings maps a user, group or service account to a Role or to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods).

oc .....add-role-to-user  is a local binding of a role in a specific project.

oc ....add-cluster-role-to-user is a cluster wide role binding. 

Chetan_Tiwary__3-1702657135175.png

Chetan_Tiwary__4-1702657335847.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

AlanAguinaga2
Mission Specialist
Mission Specialist
  • 602 Views

I have this doubt too. Some people and some IAs are responding like this first answer but in documentation shows to use "adm". 

Add a role to a user in a specific project:

oc adm policy add-role-to-user -n namespace

add and remove roles

  • oc adm policy add-cluster-role-to-user ROLE USERNAME
  • oc adm policy remove-cluster-role-from-user <role> <username>
  • oc adm policy add-cluster-role-to-group <role> <groupname>
  • oc adm policy remove-cluster-role-from-group <role> <groupname>
  • oc adm policy add-cluster-role-to-user cluster-admin <user>
 
Chetan_Tiwary_
Moderator
Moderator
  • 541 Views

Yes @AlanAguinaga2 as per the official doc,  oc adm is the preferred command now.

0 Kudos
Join the discussion
You must log in to join this conversation.