I have set up a collaborator account with the role "view". I now want to grant this user the ability to tag images using oc tag.
Following these instructions I have:
oc get clusterrole view -o yaml > role_edittags.yaml
# 1. Update kind: ClusterRole to kind: Role
# 2. Update name: view to name: edittags
# 3. Remove resourceVersion, selfLink, uid, and creationTimestamp
# 4. split up the section with {imagestreamimages,imagestreammappings,imagestreams,imagestreamtags} into two sections:
- apiGroups:
  - image.openshift.io
  - ""
  attributeRestrictions: null
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - image.openshift.io
  - ""
  attributeRestrictions: null
  resources:
  - imagestreamtags
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - deletecollection
I then oc project into the project where I want to grant the role and import it with:
$ oc create -f role_edittags.yaml
role "edittags" created
When I try to grant it to the user I get an error:
$ oc policy add-role-to-user edittags myuser
Error from server (NotFound): rolebindings.authorization.openshift.io "edittags" not found
How do I grant oc tag permissions to a user?
Thanks!
Update:
I found a pre-existing role registry-editor listed in "example 1" on the link above that does the job:
$ oc policy add-role-to-user registry-editor myuser
role "registry-editor" added: "myuser"
I am still curious to know how I might create a custom role if there isn't a ready-made one. Thanks again!
There is a good example in the Helm template for OpenShift which grants write access to configmaps. All the default roles are shown with oc describe clusterPolicy default, which is a good starting place to write a new role similar to an existing one. In my case, the existing role registry-editor was what I needed to automate promotions by tagging images and pulling upstream patches from the Red Hat container catalogue.
Update:
Here is how to create a local role that can start an openshift build:
oc create role buildinstantiate --verb=create --resource=buildconfigs.build.openshift.io/instantiate -n hubot
oc adm policy add-role-to-user buildinstantiate myuser --role-namespace=hubot -n hubot
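The two halves of this thread (the hand-written edittags role in the question and the --role-namespace binding in the update) fit together as one script. The following is an added example, not code from the original question or answer: it renders a namespaced Role granting exactly what oc tag needs, binds it to a user with a RoleBinding whose roleRef kind is Role, and checks the result with oc auth can-i. The NotFound error in the question comes from oc policy add-role-to-user looking for a ClusterRole when --role-namespace is not given; either the explicit RoleBinding below or the --role-namespace form avoids that. The API group rbac.authorization.k8s.io/v1 (OpenShift 3.9 or later), the namespace "myproject" and the user "myuser" are assumptions for illustration, not values from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create a namespaced Role that
# grants what `oc tag` needs, bind it to a user, and verify the grant.
# Assumptions (not in the original post): RBAC API group
# rbac.authorization.k8s.io/v1 (OpenShift 3.9+ / 4.x), namespace "myproject"
# and user "myuser"; override with NAMESPACE= and TAG_USER=.
set -eu

# Render the Role and the RoleBinding as one multi-document manifest.
# roleRef.kind is Role, not ClusterRole: without --role-namespace,
# `oc policy add-role-to-user edittags` looks for a ClusterRole named
# edittags, which is why the question's call failed with NotFound.
render_edittags_manifest() {
  local ns="$1" user="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: edittags
  namespace: ${ns}
rules:
# Read access to the image stream objects oc tag resolves source and target from.
- apiGroups:
  - image.openshift.io
  - ""
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  verbs: ["get", "list", "watch"]
# Write access only to imagestreamtags; delete is included so "oc tag -d" works.
- apiGroups:
  - image.openshift.io
  - ""
  resources:
  - imagestreamtags
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edittags-${user}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: edittags
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

# Apply the manifest; `oc apply` is idempotent, so re-running is safe.
apply_edittags_role() {
  render_edittags_manifest "$1" "$2" | oc apply -n "$1" -f -
}

# Equivalent CLI route (the form the buildinstantiate update uses): the Role
# must already exist, and --role-namespace makes oc bind the namespaced Role
# instead of looking up a ClusterRole of the same name.
grant_edittags_via_cli() {
  oc adm policy add-role-to-user edittags "$2" --role-namespace="$1" -n "$1"
}

# Check the grant from the user's point of view before handing over access.
# `oc auth can-i --as` impersonates the user (the caller needs impersonate
# rights, which cluster-admin has) and exits non-zero on "no".
verify_can_tag() {
  oc auth can-i create imagestreamtags.image.openshift.io --as="$2" -n "$1" \
    && oc auth can-i delete imagestreamtags.image.openshift.io --as="$2" -n "$1"
}

NAMESPACE="${NAMESPACE:-myproject}"
TAG_USER="${TAG_USER:-myuser}"

# Default action: print the manifest for review. Set APPLY=1 to apply it and
# verify against the cluster the current oc login points at.
if [ "${APPLY:-0}" = "1" ]; then
  apply_edittags_role "$NAMESPACE" "$TAG_USER"
  verify_can_tag "$NAMESPACE" "$TAG_USER"
else
  render_edittags_manifest "$NAMESPACE" "$TAG_USER"
fi
```

Tagging across projects (oc tag otherproject/is:tag myis:tag) additionally needs read access to image streams in the source project, which the "view" role already mentioned in the question provides.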