How to Create a Cluster Admin User in OpenShift, the Easy Way

In any given week, I find myself spinning up at least one temporary OpenShift cluster and destroying it again.

Often, I need to find a way to create an extra cluster-admin user on this cluster, so I’m allowed to do privileged stuff. Like running a demo. Or debugging a Helm chart. Or writing a blog :)

So if you want to create an OpenShift user and grant it cluster-admin, how do you do it?

Here’s the simplest way I’ve found for creating a cluster-admin user on an OpenShift cluster.

You don’t create a user in OpenShift directly

The thing to know about OpenShift is that you don’t create users in it directly.

Instead, OpenShift hands off to an identity provider to verify who you are.

You can plug in a few different identity providers, from the simple to the very complex. The list includes LDAP, OpenID Connect, and many others.

But I think the simplest provider – by far – is htpasswd.

htpasswd is just a flat file of usernames and hashed passwords (the passwords themselves are never stored in the clear). It doesn’t need any complex install or setup.

Read on, and I’ll show you how to use the htpasswd provider to create some admin users for your OpenShift cluster.

How to Create cluster-admin Users with htpasswd

Create the htpasswd file and an OAuth provider

You’ll need the htpasswd command for this. It ships with the Apache tools: the package is httpd-tools on RHEL/Fedora and apache2-utils on Debian/Ubuntu. If you don’t have it on your host, install that package, or run these commands on a machine that has it.

First, on your host, create an empty htpasswd file.

touch htpasswd

Next, use the htpasswd command to add users and passwords to the file. -B stores bcrypt hashes; -b takes the password from the command line, which is handy for a throwaway cluster but leaves it in your shell history and visible in the process list while the command runs, so for anything longer-lived drop -b and let htpasswd prompt you instead.

htpasswd -Bb htpasswd tom mypassword
htpasswd -Bb htpasswd cyrilsneer supers3cr3t
htpasswd -Bb htpasswd rosemary bl0bbybl0bby
htpasswd -Bb htpasswd mufasa nastyman

Now, create a Secret in the openshift-config project containing the complete htpasswd file, so that OpenShift can read it to authenticate a username and password. The key inside the Secret must be named htpasswd; --from-file=htpasswd gives you that because the key defaults to the file name (--from-file=htpasswd=/some/other/path works if your file is called something else):

oc --user=admin create secret generic htpasswd \
    --from-file=htpasswd \
    -n openshift-config

Now create the OAuth custom resource in the cluster, configuring just 1 identity provider, htpasswd. This references the Secret you just created above. Note that oc replace overwrites the whole resource, so any identity provider that was already configured disappears; if you need to keep one, add it to this list instead of replacing it:

oc replace -f - <<API
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: Local Password
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd
API

OpenShift will now use the htpasswd file to authenticate users! Not instantly, though: the authentication operator has to roll out new oauth-openshift pods in the openshift-authentication project to pick up the change, which takes a minute or two, and logging in as an htpasswd user fails until that finishes. `oc get clusteroperator authentication` shows PROGRESSING going back to False when it’s done.

But we can’t go on our merry way yet. Like Dracula, we must be invited in.

So next, we’ll create a group for our admin users, and grant cluster-admin privileges to the group.

Create a Group and add Users to it

We’ve created our htpasswd authentication provider, but we still need to tell OpenShift which users should have cluster-admin access.

Let’s create a group for our admin users:

oc adm groups new mylocaladmins

Add the users into the group:

oc adm groups add-users mylocaladmins tom rosemary

Finally, grant the cluster-admin role to the group:

oc adm policy add-cluster-role-to-group cluster-admin mylocaladmins

Simples!

Next Steps

Follow these commandments for being a cluster admin:

Rule #0: Remove the default kubeadmin user, but only after you have logged in as one of your new admins and confirmed it works, because this is a one-way door: `oc delete secret kubeadmin -n kube-system`.

Rule #1: Have fun with your awesome and exquisite new-found power.

Rule #2: Be a benevolent dictator.

Rule #3: Don’t do anything I wouldn’t do.

If you’re itching to learn something else next, how about learning how Pods communicate in Kubernetes?