Hi,
In the DO280 lab "Section 10.1: Comprehensive Review", the requirement is:
As the do280-support user, you must create the do280-attendees group with the do280-attendee user, and assign the edit cluster role to the do280-attendees group.
It sounds like the task is to assign the cluster role "edit" to the group; however, the solution is:
$ oc adm policy add-role-to-group edit do280-attendees -n do280
What is the difference between the two, and why does the solution use add-role-to-group? Is it because of the namespace parameter in use or the do280-support user in use?
Thanks,
Steve Zeng
@Steve_Zeng Thanks for reaching out.
The add-role-to-group command is used to add a role to a group of users. This command is used when you want to grant a specific role to a group of users across all namespaces. The edit cluster role is a pre-defined role that grants users the ability to edit resources in a namespace. This role can be used to grant edit access to a group of users across all namespaces.
Hello,
In my opinion, your explanation is not correct. According to the documentation:
oc adm policy add-cluster-role-to-group <role> <groupname> -> Binds a given role to specified groups for all projects in the cluster.
oc adm policy add-role-to-group <role> <groupname> -> Binds a given role to specified groups in the current project.
Please check:
https://docs.openshift.com/container-platform/4.12/authentication/using-rbac.html#cluster-role-bindi...
https://docs.openshift.com/container-platform/4.12/authentication/using-rbac.html#local-role-binding...
Also from the naming of the command, cluster-role-to-group -> clusterrolebinding -> across all namespaces, role-to-group -> rolebinding -> on a single namespace.
Regards!
@steven3 My bad, thanks for clarifying.
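The two bindings contrasted in this thread, written out as manifests. This is an added example, not part of the original posts or the course material; the group, role and project names are the ones from the lab, and the metadata.name values are assumptions.

```yaml
# Result of: oc adm policy add-role-to-group edit do280-attendees -n do280
# A namespaced RoleBinding that references the cluster-defined role "edit".
# "edit" is a ClusterRole (defined once for the cluster), but because the
# binding lives in a namespace, the group gets edit rights in do280 only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit                 # assumed name; list with: oc get rolebinding -n do280
  namespace: do280           # the scope of the grant
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole          # the role definition is cluster-scoped
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: do280-attendees
---
# Result of: oc adm policy add-cluster-role-to-group edit do280-attendees
# A ClusterRoleBinding has no namespace field, so the same "edit" role
# applies to the group in every project in the cluster. For the lab
# requirement this would grant far more than access to do280.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: edit-do280-attendees # assumed name; list with: oc get clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: do280-attendees
```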