How to Create a Cluster Admin User in OpenShift, the Easy Way

In any given week, I find myself spinning up at least one temporary OpenShift cluster and destroying it again.

Often, I need to find a way to create an extra cluster-admin user on this cluster, so I’m allowed to do privileged stuff. Like running a demo. Or debugging a Helm chart. Or writing a blog :)

So if you want to create an OpenShift user and grant it cluster-admin, how do you do it?

Here’s the simplest way I’ve found for creating a cluster-admin user on an OpenShift cluster.

By the way, you’ll need to be logged on to OpenShift as a cluster-admin user to be able to do this. When you install a cluster, you will be given the password to the kubeadmin account, which is basically like a root account. If you don’t have it, you’ll need to find a cluster-admin who can do this for you.

You don’t create a user in OpenShift directly

The thing to know about OpenShift is that you don’t create users in it directly.

Instead, OpenShift hands off to an identity provider to verify who you are.

You can plug in a few different identify providers, from the simple to the very complex. The provider list includes things like LDAP, OpenID, and many others.

But I think the simplest provider – by far – is htpasswd.

htpasswd is just a simple file, containing usernames and passwords. It doesn’t need any complex install or setup.

Read on, and I’ll show you how to use the htpasswd provider to create some admin users for your OpenShift cluster.

Heads-up! I wouldn’t set this up in a production cluster. It’s rather insecure. Users can’t easily change their own passwords with this method, and any admin can just go in and read the contents of the htpasswd file….

So just use this tip for development/training purposes.

How to Create cluster-admin Users with htpasswd

Create the htpasswd file and an OAuth provider

You’ll need the htpasswd command for this. If you don’t have the htpasswd command on your host, run this command on a server that has it installed, or install the package yourself.

First, on your host, create an empty htpasswd file.

touch htpasswd

Next, use the htpasswd command to add users and passwords to the file.

htpasswd -Bb htpasswd tom mypassword
htpasswd -Bb htpasswd cyrilsneer supers3cr3t
htpasswd -Bb htpasswd rosemary bl0bbybl0bby
htpasswd -Bb htpasswd mufasa nastyman

Now, create a Secret in the openshift-config project. This contains the complete contents of the htpasswd file, so that OpenShift can read it to authenticate a username and password:

oc --user=admin create secret generic htpasswd \
    --from-file=htpasswd \ 
    -n openshift-config

Now create the OAuth custom resource in the cluster, configuring just 1 identity provider, htpasswd. This references the Secret you just created above:

oc replace -f - <<API
kind: OAuth
  name: cluster
  - name: Local Password
    mappingMethod: claim
    type: HTPasswd
        name: htpasswd

OpenShift will now use the htpasswd file to authenticate users!

But we can’t go on our merry way yet. Like Dracula, we must be invited in.

So next, we’ll create a group for our admin users, and grant cluster-admin privileges to the group.

Create a Group and add Users to it

We’ve created our htpasswd authentication provider, but we still need to tell OpenShift which users should have cluster-admin access.

Let’s create a group for our admin users:

oc adm groups new mylocaladmins

Add the users into the group:

oc adm groups add-users mylocaladmins tom rosemary

Finally, grant the cluster-admin role to the group:

oc adm policy add-cluster-role-to-group cluster-admin mylocaladmins


Next Steps

Follow these commandments for being a cluster admin:

Rule #0: Remove the default kubeadmin user.

Rule #1: Have fun with your awesome and exquisite new-found power.

Rule #2: Be a benevolent dictator.

Rule #3: Don’t do anything I wouldn’t do.

If you’re itching to learn something else next, how about learning how Pods communicate in Kubernetes?

Tom Donohue

By Tom Donohue, Editor | Twitter | LinkedIn

Tom is the founder of Tutorial Works. He’s an engineer and open source advocate. He uses the blog as a vehicle for sharing tutorials, writing about technology and talking about himself in the third person. His very first computer was an Acorn Electron.

Join the discussion

Got some thoughts on what you've just read? Want to know what other people think? Or is there anything technically wrong with the article? (We'd love to know so that we can correct it!) Join the conversation and leave a comment.

Comments are moderated.