Today I wanted to change the owner of an OpenShift project. It is actually rather trivial. However, finding out how wasn’t so easy. Googling didn’t help much, and the documentation also has room for improvement. So I took a few minutes to document how it works.
Of course you need to start with a user that already has access to the project. I will assume that you have the oc command installed, and are logged on to your cluster. Also I will assume that your new user is newuser and the project name is
Making the change
The access to the project is tied to the cluster role admin for the project. Each project has a “role binding” (not a “cluster role binding”) named admin, which binds the “cluster role” admin to the user, for a specific project.
Assuming that the user admin created the project, oc -n test get rolebinding admin -o yaml would give you:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin
Now you can simply replace (or add) the subject in the subjects list. Moving the project over to newuser would look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser
The one liner
The oc command line tool can actually do this for you with a single call:
oc policy add-role-to-user admin newuser -n test
Of course this only adds the new user, so the old user keeps admin access to the project. You can remove the old user with:
oc policy remove-role-from-user admin olduser -n test
One more thing
When you take a look at the list of projects in the Web UI, you will still see the old user as the “requester”:
This information is read from the annotation openshift.io/requester from the “project”:

apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: admin
  name: test
…
Unfortunately, OpenShift considers the project information immutable. However, the OpenShift “project” is backed by the Kubernetes “namespace”, which carries the same annotation and does allow editing. So you can change the “requester” there, and it will be reflected in the project as well.
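As an added example (not part of the original post), the Python below checks that a handover is complete: the new user is bound to admin, the old user no longer is, and the requester annotation on the namespace names the new user. It goes slightly beyond the text by looking at every role binding that references the cluster role admin, not only the one named admin. The function names and the sample data (including the view binding and the user auditor) are constructed for illustration.

```python
# Constructed sample: shape of `oc get rolebindings -n test -o json` after
# newuser was added but before the old owner (admin) was removed.
ROLEBINDINGS = {"items": [
    {"metadata": {"name": "admin", "namespace": "test"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "admin"},
                  {"kind": "User", "name": "newuser"}]},
    {"metadata": {"name": "view", "namespace": "test"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "auditor"}]},
]}

# Constructed sample: shape of `oc get namespace test -o json`.
NAMESPACE = {"metadata": {"name": "test", "annotations": {
    "openshift.io/requester": "admin"}}}


def admin_users(rolebindings):
    """Users bound to ClusterRole "admin" by any RoleBinding (groups not expanded)."""
    users = set()
    for rb in rolebindings.get("items", []):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "admin":
            continue
        # `subjects` can be absent or null on a binding with no subjects left.
        for subject in rb.get("subjects") or []:
            if subject.get("kind") == "User":
                users.add(subject["name"])
    return users


def handover_findings(rolebindings, namespace, old_owner, new_owner):
    """Return a list of problems left after moving a project to new_owner."""
    findings = []
    admins = admin_users(rolebindings)
    if new_owner not in admins:
        findings.append(f"{new_owner} is not bound to admin")
    if old_owner in admins:
        findings.append(f"{old_owner} still bound to admin")
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    requester = annotations.get("openshift.io/requester")
    if requester != new_owner:
        findings.append(f"requester annotation is {requester!r}")
    return findings


if __name__ == "__main__":
    for finding in handover_findings(ROLEBINDINGS, NAMESPACE, "admin", "newuser"):
        print(finding)
```

With real data, load the two JSON documents from the oc output with json.load and pass them in place of the samples.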
2 thoughts on “Changing the owner of an OpenShift project”
Nice article, but is your remove OC command correct? It seems identical to the add command…
You are absolutely correct! Copy and paste :-) Thanks for reporting this. Just fixed it!