Red Hat SummitChapter 4. Authorization
4.1. Overview
This topic contains authorization tasks for application developers and their capabilities, as dictated by the cluster administrator.
4.2. Checking If Users Can Create Pods
Using the scc-review and scc-subject-review options, you can see if an individual user, or a user under a specific service account, can create or update a pod.
Using the scc-review option, you can check if a service account can create or update a pod. The command outputs the security context constraints that admit the resource.
For example, to check if a user with the system:serviceaccount:projectname:default service account can a create a pod:
oc policy scc-review -z system:serviceaccount:projectname:default -f my_resource.yaml
$ oc policy scc-review -z system:serviceaccount:projectname:default -f my_resource.yaml
You can also use the scc-subject-review option to check whether a specific user can create or update a pod:
oc policy scc-subject-review -u <username> -f my_resource.yaml
$ oc policy scc-subject-review -u <username> -f my_resource.yamlTo check if a user belonging to a specific group can create a pod in a specific file:
oc policy scc-subject-review -u <username> -g <groupname> -f my_resource.yaml
$ oc policy scc-subject-review -u <username> -g <groupname> -f my_resource.yaml4.3. Determining What You Can Do as an Authenticated User
From within your OpenShift Container Platform project, you can determine what verbs you can perform against all namespace-scoped resources (including third-party resources).
The can-i command option tests scopes in terms of the user and role.
oc policy can-i --list --loglevel=8
$ oc policy can-i --list --loglevel=8The output helps you to determine what API request to make to gather the information.
To receive information back in a user-readable format, run:
oc policy can-i --list
$ oc policy can-i --listThe output provides a full list.
To determine if you can perform specific verbs, run:
oc policy can-i <verb> <resource>
$ oc policy can-i <verb> <resource>User scopes can provide more information about a given scope. For example:
oc policy can-i <verb> <resource> --scopes=user:info
$ oc policy can-i <verb> <resource> --scopes=user:info
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}