Today I wanted to change the owner of an OpenShift project. It actually is rather trivial. However, finding out how wasn’t so easy. Googling didn’t help much, and the documentation also has room for improvement. So I took a few minutes to document how it works.
Pre-requisites
Of course you need to start with a user that already has access to the project. I will assume that you have the oc command installed, and are logged on to your cluster. Also I will assume that your new user is newuser and the project name is test.
Making the change
The access to the project is tied to the cluster role admin for the project. Each project has a “role binding” (not a “cluster role binding”) named admin, which binds the “cluster role” admin to the user, for a specific project.
Assuming that the user admin created the project test, doing oc -n test get rolebinding admin -o yaml would give you:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin
Now you can simply replace (or add) the subject in the subjects list. Moving the project over to newuser would look like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser
The one liner
The oc command line tool can actually do this for you with a single call:
oc policy add-role-to-user admin newuser -n test
Of course this only adds the new user, but you can also remove the old user by:
oc policy remove-role-from-user admin olduser -n test
One more thing
When you take a look at the list of projects in the Web UI, you will still see the old user as the “requester”.
This information is read from the annotation openshift.io/requester from the “project”:
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: admin
  name: test
…
Unfortunately, OpenShift considers the project information immutable. However, the OpenShift “project” is backed by the Kubernetes “namespace”, which has the same annotation, and it allows editing. So you can change the “requester” there, and it will be reflected in the project as well.
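
To check that a hand-over is complete, the following added example (not part of the original post) audits both the role bindings and the requester annotation described above. It goes slightly beyond the single binding named admin and looks at every role binding in the project that references the cluster role admin. The sample data is constructed, and the binding names admin-extra and viewers are hypothetical.

```python
# Constructed sample data, shaped like the parsed output of
#   oc get rolebindings -n test -o json   and   oc get namespace test -o json
# "admin-extra" is a hypothetical second binding that still names the old user.
ADMIN_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"}
SAMPLE_ROLEBINDINGS = {"kind": "List", "items": [
    {"metadata": {"name": "admin", "namespace": "test"}, "roleRef": ADMIN_REF,
     "subjects": [{"kind": "User", "name": "newuser"}]},
    {"metadata": {"name": "admin-extra", "namespace": "test"}, "roleRef": ADMIN_REF,
     "subjects": [{"kind": "User", "name": "admin"}]},
    {"metadata": {"name": "viewers", "namespace": "test"},
     "roleRef": dict(ADMIN_REF, name="view"),
     "subjects": [{"kind": "User", "name": "admin"}]},
]}
SAMPLE_NAMESPACE = {"kind": "Namespace", "metadata": {
    "name": "test", "annotations": {"openshift.io/requester": "admin"}}}


def project_admins(rolebindings):
    """List (binding, subject kind, subject name) for every subject bound to ClusterRole admin."""
    found = []
    for rb in rolebindings.get("items", []):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "admin":
            continue  # some other role, e.g. view
        for subj in rb.get("subjects") or []:  # subjects may be missing or null
            found.append((rb["metadata"]["name"], subj.get("kind"), subj.get("name")))
    return found


def audit_transfer(rolebindings, namespace, old_user, new_user):
    """Return findings that show the ownership change is incomplete."""
    users = [(b, n) for b, kind, n in project_admins(rolebindings) if kind == "User"]
    findings = [f"{n} still has admin via rolebinding {b}" for b, n in users if n == old_user]
    if not any(n == new_user for _, n in users):
        findings.append(f"{new_user} is not bound to admin")
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    requester = annotations.get("openshift.io/requester")
    if requester != new_user:
        findings.append(f"requester annotation is {requester!r}, expected {new_user!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_transfer(SAMPLE_ROLEBINDINGS, SAMPLE_NAMESPACE, "admin", "newuser"):
        print("FINDING:", finding)
```

An empty result means the old user no longer holds admin in the project, the new user does, and the requester annotation matches.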