How to Create a Cluster Admin User in OpenShift, the Easy Way
In any given week, I find myself spinning up at least one temporary OpenShift cluster and destroying it again.
Often, I need to find a way to create an extra cluster-admin user on this cluster, so I’m allowed to do privileged stuff. Like running a demo. Or debugging a Helm chart. Or writing a blog :)
So if you want to create an OpenShift user and grant it cluster-admin, how do you do it?
Here’s the simplest way I’ve found for creating a cluster-admin user on an OpenShift cluster.
By the way, you’ll need to be logged on to OpenShift as a cluster-admin user to be able to do this. When you install a cluster, you will be given the password to the kubeadmin account, which is basically like a root account. If you don’t have it, you’ll need to find a cluster-admin who can do this for you.
You don’t create a user in OpenShift directly
The thing to know about OpenShift is that you don’t create users in it directly.
Instead, OpenShift hands off to an identity provider to verify who you are.
You can plug in a few different identify providers, from the simple to the very complex. The provider list includes things like LDAP, OpenID, and many others.
But I think the simplest provider – by far – is htpasswd.
htpasswd is just a simple file, containing usernames and passwords. It doesn’t need any complex install or setup.
Read on, and I’ll show you how to use the htpasswd provider to create some admin users for your OpenShift cluster.
Heads-up! I wouldn’t set this up in a production cluster. It’s rather insecure. Users can’t easily change their own passwords with this method, and any admin can just go in and read the contents of the htpasswd file….
So just use this tip for development/training purposes.
How to Create cluster-admin Users with htpasswd
Create the htpasswd file and an OAuth provider
You’ll need the htpasswd command for this. If you don’t have the htpasswd command on your host, run this command on a server that has it installed, or install the package yourself.
First, on your host, create an empty htpasswd file.
touch htpasswd
Next, use the htpasswd command to add users and passwords to the file.
htpasswd -Bb htpasswd tom mypassword
htpasswd -Bb htpasswd cyrilsneer supers3cr3t
htpasswd -Bb htpasswd rosemary bl0bbybl0bby
htpasswd -Bb htpasswd mufasa nastyman
Now, create a Secret in the openshift-config project. This contains the complete contents of the htpasswd file, so that OpenShift can read it to authenticate a username and password:
oc --user=admin create secret generic htpasswd \
--from-file=htpasswd \
-n openshift-config
Now create the OAuth custom resource in the cluster, configuring just 1 identity provider, htpasswd. This references the Secret you just created above:
oc replace -f - <<API
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: Local Password
mappingMethod: claim
type: HTPasswd
htpasswd:
fileData:
name: htpasswd
API
OpenShift will now use the htpasswd file to authenticate users!
But we can’t go on our merry way yet. Like Dracula, we must be invited in.
So next, we’ll create a group for our admin users, and grant cluster-admin privileges to the group.
Create a Group and add Users to it
We’ve created our htpasswd authentication provider, but we still need to tell OpenShift which users should have cluster-admin access.
Let’s create a group for our admin users:
oc adm groups new mylocaladmins
Add the users into the group:
oc adm groups add-users mylocaladmins tom rosemary
Finally, grant the cluster-admin role to the group:
oc adm policy add-cluster-role-to-group cluster-admin mylocaladmins
Simples!
Next Steps
Follow these commandments for being a cluster admin:
Rule #0: Remove the default kubeadmin user.
Rule #1: Have fun with your awesome and exquisite new-found power.
Rule #2: Be a benevolent dictator.
Rule #3: Don’t do anything I wouldn’t do.
If you’re itching to learn something else next, how about learning how Pods communicate in Kubernetes?