OKD ships with a set of default cluster roles that can be assigned locally or to the entire cluster. You can modify these roles for fine-grained access control to OKD resources, but additional steps are required that are outside the scope of this course.
| Role | Description |
|------|-------------|
| admin | Users with this role can manage all project resources, including granting access to other users to the project. |
| basic-user | Users with this role have read access to the project. |
| cluster-admin | Users with this role have superuser access to the cluster resources. These users can perform any action on the cluster, and have full control of all projects. |
| cluster-status | Users with this role can get cluster status information. |
| edit | Users with this role can create, change, and delete common application resources from the project, such as services and deployment configurations. These users cannot act on management resources such as limit ranges and quotas, and cannot manage access permissions to the project. |
| self-provisioner | Users with this role can create new projects. This is a cluster role, not a project role. |
| view | Users with this role can view project resources, but cannot modify project resources. |
The admin role gives a user access to project resources such as quotas and limit ranges, and also the ability to create new applications. The edit role gives a user sufficient access to act as a developer inside the project, while working under the constraints configured by a project administrator.
Add a specified role to a user with the add-role-to-user subcommand. The general form is:

```
oc adm policy add-role-to-user role-name username -n project
```

For example, to add the user dev to the role basic-user in the wordpress project:

```
oc adm policy add-role-to-user basic-user dev -n wordpress
```
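To review what such grants add up to in a project, the following added example (not part of the original course material) parses RoleBinding JSON in the shape returned by `oc get rolebindings -n project -o json` and ranks every subject by the default role it holds. The sample bindings, the names other than dev and wordpress, the `wp-operator` role and the high/medium/low levels are assumptions made for illustration.

```python
import json

# Review levels assigned here for illustration, based on the role table above.
ROLE_LEVEL = {"cluster-admin": "high", "admin": "high", "edit": "medium",
              "basic-user": "low", "view": "low"}
ORDER = {"high": 0, "unknown": 1, "medium": 2, "low": 3}

def binding(role, *subjects):
    """Build a constructed RoleBinding object (rbac.authorization.k8s.io/v1 shape)."""
    return {"kind": "RoleBinding",
            "metadata": {"name": role, "namespace": "wordpress"},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects] or None}

# Constructed sample input, not output captured from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    binding("basic-user", ("User", "dev")),
    binding("admin", ("User", "alice")),
    binding("edit", ("Group", "developers"), ("User", "bob")),
    binding("wp-operator", ("ServiceAccount", "deployer")),  # hypothetical custom role
    binding("view"),  # a binding left with no subjects
]})

def audit_rolebindings(doc):
    """Return (namespace, subject, role, level) tuples, highest privilege first."""
    data = json.loads(doc)
    items = data.get("items", [data])  # accept a List or a single RoleBinding
    findings = []
    for rb in items:
        ns = rb.get("metadata", {}).get("namespace", "")
        role = rb.get("roleRef", {}).get("name", "")
        # Roles outside the default set are not assumed harmless: mark them unknown.
        level = ROLE_LEVEL.get(role, "unknown")
        for subj in rb.get("subjects") or []:  # subjects can be missing or null
            who = f"{subj.get('kind')}/{subj.get('name')}"
            findings.append((ns, who, role, level))
    return sorted(findings, key=lambda f: (ORDER[f[3]], f[1]))

def needs_review(findings):
    """Subjects that can grant access, hold superuser rights, or use a non-default role."""
    return [f for f in findings if f[3] in ("high", "unknown")]

if __name__ == "__main__":
    for ns, who, role, level in audit_rolebindings(SAMPLE):
        print(f"{level:8} {ns:10} {who:25} {role}")
```
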