Grant users access to projects/namespaces in OpenShift

You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off


Projects in OpenShift are units of isolation and collaboration. In order for developers to deploy applications, they need to be members of the project. In a project, members may have different roles-administrator, edit, view, etc. As a project administrator, you can add users to the cluster and assign specific permissions to them. The following are the predefined roles in OpenShift.

  • edit: Users who can modify most objects in the project but have no right to view or modify roles or bindings.
  • administrator: The administrator user has the right to view and modify any resources in the project (except quotas).
  • Cluster administrator: Super user who can perform any operation in any project. When bound to have Local binding, they have fully control Exceeding the quota and every operation on each resource in the project.
  • Basic user: Users who can obtain basic information about projects and users.
  • Cluster status: Users who can obtain basic cluster status information.
  • Self-supplier: Users who can create their own projects.
  • view: Users who cannot make any changes, but can see most objects in the project. They cannot view or modify roles or bindings.

In this short guide, we will create a test project, users, and grant them access to the created project. One of the users will only be able to view the access rights of the cluster, and one user should be able to edit all resources in the namespace/project.

Create a project on OpenShift

Create a project on OpenShift. This can be done on the CLI or web console.

$ oc new-project test
Now using project "test" on server "".

You can then list all available items to confirm that the item we just created is available.

$ oc get projects

Grant users access to OpenShift projects

Before granting users access to Project, you should have granted users access to the OpenShift cluster. In OpenShift, multiple providers can be used to verify user identity. We recently created an article on using HTPasswd to manage OpenShift cluster users.

Use HTPasswd identity provider to manage OpenShift/OKD users

You can use the oc get users command to get the list of users who have logged in to the cluster:

$ oc get users
JKMUTAI     17a06002-b543-4fa9-bfa8-92e510646d0a   Josphat Mutai                HTPasswd: Q049Sm9zcGhhdCBNdXRhaSxPVT1TYWZhcmljb20gRGVwYXJ0bWVudHMsREM9c2FmYXJpY29tLERDPW5ldA

Use role binding to grant users access to projects. The syntax used is:

$ oc adm policy add-role-to-user   -n 

To assign the JKMUTAI user editing role in the test project, I will run the following command.

$ oc adm policy add-role-to-user edit JKMUTAI -n test added: "JKMUTAI"

For cluster roles, use the following command:

$ oc adm policy add-cluster-role-to-user edit JKMUTAI -n test

To remove a role from a user, use:

$ oc adm policy remove-role-from-user   -n 
$ oc adm policy remove-cluster-role-from-user   -n 

If you want to get a list of users who have access to the project, run the following command:

$ oc get rolebindings -n 
$ oc get rolebindings  -n 

Sample output:

You can log in from CLI or console and confirm that you can switch to the project for application deployment.

$ oc login

Use the following command to switch to the project:

$ oc project test
Already on project "test" on server "".

Deploy the test application.

oc apply -f - <debian
    command: ["printenv"]
  restartPolicy: OnFailure

Confirm that the container is running:

$ oc get pods


Grant users access to projects/namespaces in OpenShift

More information about OpenShift:

Configure Chrony NTP service on OpenShift 4.x / OKD 4.x

How to allow insecure registry in OpenShift/OKD 4.x cluster

How to check Pod/container metrics on OpenShift and Kubernetes

You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off