Richard4
Mission Specialist
  • 684 Views

Openshift - oc adm policy vs oc policy

Hello

As a cluster user named admin, when I run the commands below, is there a difference in the end result? I am questioning the "oc adm policy" versus "oc policy".

oc adm policy add-role-to-user admin tom -n games

oc policy add-role-to-user admin tom -n games

 

The main difference is that oc adm policy is for cluster admins while the oc policy is for project admins?

2 Replies
Wasim_Raja
Moderator
  • 656 Views

@Richard4 Thanks for reaching out.

Yes, you are correct. The oc adm policy command is used by cluster administrators to manage cluster-wide policies, while the oc policy command is used by project administrators to manage policies within a project.

In your example, both commands will add the admin role to the user tom in the games project. However, the oc adm policy command is used to manage cluster-wide policies, while the oc policy command is used to manage policies within a project.

Chetan_Tiwary_
Moderator
  • 600 Views

Hello @Richard4 !

Thanks for reaching out!

In all the latest official docs I can see only the oc adm command:

Chetan_Tiwary__5-1702657500534.png

https://docs.openshift.com/container-platform/4.12/authentication/using-rbac.html 

Recall - 

Take a look at this diagram:

Chetan_Tiwary__2-1702656805130.png

Cluster Role Binding maps a user, group or service account to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods).

Role Binding maps a user, group or service account to a Role or to a Cluster Role which will have policies that allow certain actions (such as create or delete or list) on certain resources (such as deployments, pods).

oc ..... add-role-to-user is a local binding of a role in a specific project.

oc .... add-cluster-role-to-user is a cluster-wide role binding.

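The distinction drawn in the last reply (a Role Binding may reference a Cluster Role and still apply only inside its project), as an added example that is not part of the original posts: a Python audit helper that reads binding objects in the RBAC API shape and reports each grant with its effective scope. The sample objects are constructed; the binding names, the user alice, the group qa, the role pod-reader and the function names are assumptions made for illustration.

```python
import json

# Constructed sample in the shape returned by `oc get rolebindings -o json`:
# a project-local binding of the "admin" ClusterRole for tom in "games",
# a cluster-wide binding for a hypothetical user, and a binding to a local Role.
SAMPLE = json.loads("""
{"items": [
  {"kind": "RoleBinding",
   "metadata": {"name": "admin", "namespace": "games"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "tom"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "cluster-admin-alice"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "viewers", "namespace": "games"},
   "roleRef": {"kind": "Role", "name": "pod-reader"},
   "subjects": [{"kind": "Group", "name": "qa"}]}
]}
""")

def effective_scope(binding):
    """Scope is decided by the binding kind, not by the kind of role it references."""
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster-wide"
    return "namespace:" + binding["metadata"]["namespace"]

def grants_for(bindings, subject_kind, subject_name):
    """Return sorted (role kind, role name, scope) tuples granted to one subject."""
    grants = []
    for b in bindings["items"]:
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s.get("kind") == subject_kind and s.get("name") == subject_name:
                grants.append((b["roleRef"]["kind"], b["roleRef"]["name"],
                               effective_scope(b)))
    return sorted(grants)

def cluster_wide_subjects(bindings):
    """List (subject kind, subject name, role) for every cluster-wide grant."""
    return sorted((s["kind"], s["name"], b["roleRef"]["name"])
                  for b in bindings["items"] if b["kind"] == "ClusterRoleBinding"
                  for s in b.get("subjects") or [])

if __name__ == "__main__":
    print("tom:", grants_for(SAMPLE, "User", "tom"))
    print("cluster-wide:", cluster_wide_subjects(SAMPLE))
```
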