# Security and Access Control
Comprehensive RBAC and security management including roles, users, groups, OAuth, and access reviews. Covers both namespace-scoped and cluster-scoped security resources with OpenShift-specific enhancements.
## Capabilities
### User and Identity Management
OpenShift user and identity management with support for multiple identity providers and user-to-identity mappings.
```java { .api }
/**
 * Access to User resources (user.openshift.io/v1).
 * User accounts in the OpenShift cluster.
 *
 * @return non-namespaced operations over {@link User} objects
 */
NonNamespaceOperation<User, UserList, Resource<User>> users();

/**
 * Access to Group resources (user.openshift.io/v1).
 * User groups for organizing users and permissions. The Group-kind subjects used in the
 * role bindings below resolve to these objects, so editing membership here changes
 * effective permissions without touching any binding.
 *
 * @return non-namespaced operations over {@link Group} objects
 */
NonNamespaceOperation<Group, GroupList, Resource<Group>> groups();

/**
 * Access to Identity resources (user.openshift.io/v1).
 * Identity provider mappings for users.
 *
 * @return non-namespaced operations over {@link Identity} objects
 */
NonNamespaceOperation<Identity, IdentityList, Resource<Identity>> identities();

/**
 * Access to UserIdentityMapping operations (user.openshift.io/v1).
 * Map users to identity provider identities. Creating a mapping effectively lets whoever
 * authenticates as that identity act as the mapped user, so treat it as a privileged
 * operation and restrict who may call it.
 *
 * @return create operation taking and returning a {@link UserIdentityMapping}
 */
InOutCreateable<UserIdentityMapping, UserIdentityMapping> userIdentityMappings();
```
**Usage Examples:**
```java
// List all users
UserList allUsers = client.users().list();

// Get current user (the identity this client authenticated as)
User me = client.currentUser();
System.out.println("Current user: " + me.getMetadata().getName());

// List user groups
List<String> myGroups = me.getGroups();

// Get specific user
User developer = client.users().withName("developer").get();

// List groups
GroupList allGroups = client.groups().list();

// Create user-identity mapping: whoever authenticates as identity "htpasswd:developer"
// will act as user "developer", so only trusted automation should create these
ObjectReference userRef = new ObjectReferenceBuilder()
    .withName("developer")
    .build();
ObjectReference identityRef = new ObjectReferenceBuilder()
    .withName("htpasswd:developer")
    .build();
UserIdentityMapping mapping = new UserIdentityMappingBuilder()
    .withUser(userRef)
    .withIdentity(identityRef)
    .build();

client.userIdentityMappings().create(mapping);
```
### Role-Based Access Control
OpenShift RBAC system with roles, role bindings, and cluster-level permissions management.
```java { .api }
/**
 * Access to Role resources (authorization.openshift.io/v1).
 * Namespace-scoped roles defining permissions.
 *
 * @return namespaced operations over {@link Role} objects (select the namespace with inNamespace)
 */
MixedOperation<Role, RoleList, Resource<Role>> roles();

/**
 * Access to RoleBinding resources (authorization.openshift.io/v1).
 * Bind roles to users, groups, or service accounts in namespaces. A binding is only as
 * narrow as the role it references; prefer a purpose-built role over reusing a broad one.
 *
 * @return namespaced operations over {@link RoleBinding} objects
 */
MixedOperation<RoleBinding, RoleBindingList, Resource<RoleBinding>> roleBindings();

/**
 * Access to ClusterRole resources (authorization.openshift.io/v1).
 * Cluster-scoped roles with cluster-wide permissions.
 *
 * @return non-namespaced operations over {@link ClusterRole} objects
 */
NonNamespaceOperation<ClusterRole, ClusterRoleList, Resource<ClusterRole>> clusterRoles();

/**
 * Access to ClusterRoleBinding resources (authorization.openshift.io/v1).
 * Bind cluster roles to users, groups, or service accounts cluster-wide. These grants
 * apply in every namespace and deserve the same review as the cluster role itself.
 * NOTE(review): declared as MixedOperation although the resource is described as
 * cluster-wide — confirm whether a namespace selector is meaningful here.
 *
 * @return operations over {@link ClusterRoleBinding} objects
 */
MixedOperation<ClusterRoleBinding, ClusterRoleBindingList, Resource<ClusterRoleBinding>> clusterRoleBindings();

/**
 * Access to RoleBindingRestriction resources (authorization.openshift.io/v1).
 * Restrict role binding creation in namespaces: a guard rail limiting which subjects may
 * be bound in a namespace, even by users who can otherwise create bindings there.
 *
 * @return namespaced operations over {@link RoleBindingRestriction} objects
 */
MixedOperation<RoleBindingRestriction, RoleBindingRestrictionList, Resource<RoleBindingRestriction>> roleBindingRestrictions();
```
**Usage Examples:**
```java
// List roles in namespace
RoleList namespaceRoles = client.roles().inNamespace("myproject").list();

// Create a read-only role: only get/list/watch on pods in the core ("") API group,
// no write verbs, so the binding below stays least-privilege
ObjectMeta roleMeta = new ObjectMetaBuilder()
    .withName("pod-reader")
    .withNamespace("myproject")
    .build();
Role podReader = new RoleBuilder()
    .withMetadata(roleMeta)
    .addNewRule()
        .withApiGroups("")
        .withResources("pods")
        .withVerbs("get", "list", "watch")
    .endRule()
    .build();

client.roles().inNamespace("myproject").create(podReader);

// Bind the role to a single named user in the same namespace.
// NOTE(review): the roleRef uses authorization.openshift.io while the subject uses
// rbac.authorization.k8s.io — confirm both values against the model these builders target.
ObjectMeta bindingMeta = new ObjectMetaBuilder()
    .withName("pod-readers")
    .withNamespace("myproject")
    .build();
RoleRef podReaderRef = new RoleRefBuilder()
    .withName("pod-reader")
    .withKind("Role")
    .withApiGroup("authorization.openshift.io")
    .build();
RoleBinding podReadersBinding = new RoleBindingBuilder()
    .withMetadata(bindingMeta)
    .withRoleRef(podReaderRef)
    .addNewSubject()
        .withKind("User")
        .withName("developer")
        .withApiGroup("rbac.authorization.k8s.io")
    .endSubject()
    .build();

client.roleBindings().inNamespace("myproject").create(podReadersBinding);

// List cluster roles
ClusterRoleList allClusterRoles = client.clusterRoles().list();

// Bind a ClusterRole to a group cluster-wide: every member of "developers" receives the
// role's permissions in all namespaces, so the group's membership needs the same review
// as this binding
ObjectMeta clusterBindingMeta = new ObjectMetaBuilder()
    .withName("cluster-readers")
    .build();
RoleRef clusterReaderRef = new RoleRefBuilder()
    .withName("cluster-reader")
    .withKind("ClusterRole")
    .withApiGroup("authorization.openshift.io")
    .build();
ClusterRoleBinding clusterReadersBinding = new ClusterRoleBindingBuilder()
    .withMetadata(clusterBindingMeta)
    .withRoleRef(clusterReaderRef)
    .addNewSubject()
        .withKind("Group")
        .withName("developers")
        .withApiGroup("rbac.authorization.k8s.io")
    .endSubject()
    .build();

client.clusterRoleBindings().create(clusterReadersBinding);
```
### OAuth and Token Management
OpenShift OAuth system for authentication and token management.
```java { .api }
/**
 * Access to OAuthAccessToken resources (oauth.openshift.io/v1).
 * OAuth access tokens for API authentication. Each object represents a live bearer
 * credential: restrict who may list or read them, never log the returned objects, and
 * revoke a token by deleting it (see the usage example below).
 *
 * @return non-namespaced operations over {@link OAuthAccessToken} objects
 */
NonNamespaceOperation<OAuthAccessToken, OAuthAccessTokenList, Resource<OAuthAccessToken>> oAuthAccessTokens();

/**
 * Access to OAuthAuthorizeToken resources (oauth.openshift.io/v1).
 * OAuth authorization tokens for authorization flows (the intermediate token of the
 * authorization-code flow); equally sensitive while valid.
 *
 * @return non-namespaced operations over {@link OAuthAuthorizeToken} objects
 */
NonNamespaceOperation<OAuthAuthorizeToken, OAuthAuthorizeTokenList, Resource<OAuthAuthorizeToken>> oAuthAuthorizeTokens();

/**
 * Access to OAuthClient resources (oauth.openshift.io/v1).
 * OAuth client applications registered with OpenShift. The client secret and the redirect
 * URI allow-list live on this object, so write access to it amounts to control of the
 * registered application.
 *
 * @return non-namespaced operations over {@link OAuthClient} objects
 */
NonNamespaceOperation<OAuthClient, OAuthClientList, Resource<OAuthClient>> oAuthClients();

/**
 * Access to OAuthClientAuthorization resources (oauth.openshift.io/v1).
 * User authorization grants for OAuth clients (which users have approved which clients).
 *
 * @return non-namespaced operations over {@link OAuthClientAuthorization} objects
 */
NonNamespaceOperation<OAuthClientAuthorization, OAuthClientAuthorizationList, Resource<OAuthClientAuthorization>> oAuthClientAuthorizations();

/**
 * Access to UserOAuthAccessToken resources (oauth.openshift.io/v1).
 * User-specific OAuth access tokens (GET and DELETE only): a user-scoped view for
 * enumerating and revoking one's own tokens.
 *
 * @return non-namespaced operations over {@link UserOAuthAccessToken} objects
 */
NonNamespaceOperation<UserOAuthAccessToken, UserOAuthAccessTokenList, Resource<UserOAuthAccessToken>> userOAuthAccessTokens();
```
**Usage Examples:**
```java
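// List OAuth clients
OAuthClientList clients = client.oAuthClients().list();

// Create OAuth client.
// The secret is a plain string field on the OAuthClient object, so generate it with a
// CSPRNG instead of hard-coding a literal that ends up in source control; hand it to the
// application out of band and never log it.
byte[] secretBytes = new byte[32];
new java.security.SecureRandom().nextBytes(secretBytes);
String clientSecret = java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(secretBytes);

OAuthClient oauthClient = new OAuthClientBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("my-app")
        .build())
    .withSecret(clientSecret)
    // Redirect targets are an allow-list: keep them HTTPS and under your control
    .withRedirectURIs("https://myapp.com/callback")
    // "auto" approves grants without a consent screen; use "prompt" when end users
    // should explicitly authorize this client
    .withGrantMethod("auto")
    .build();

client.oAuthClients().create(oauthClient);

// List user's OAuth access tokens
UserOAuthAccessTokenList userTokens = client.userOAuthAccessTokens().list();

// Revoke specific OAuth access token (deleting the token object is the revocation)
client.oAuthAccessTokens().withName("token-name").delete();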
```
### Security Context Constraints
OpenShift security context constraints (SCCs) for controlling which security-sensitive settings pods may request at runtime.
```java { .api }
/**
 * Access to SecurityContextConstraints resources (security.openshift.io/v1).
 * Cluster-wide security policies for pod execution. An SCC's users (and groups) list
 * decides who may run pods under it, so attaching a permissive SCC to a broad group is a
 * privilege-escalation path; scope it to the service accounts that need it.
 *
 * @return non-namespaced operations over {@link SecurityContextConstraints} objects
 */
NonNamespaceOperation<SecurityContextConstraints, SecurityContextConstraintsList, Resource<SecurityContextConstraints>> securityContextConstraints();

/**
 * Access to RangeAllocation resources (security.openshift.io/v1).
 * UID/GID range allocations for projects.
 * NOTE(review): presumably the source of the per-project ranges a MustRunAsRange
 * strategy draws from — confirm before relying on it.
 *
 * @return non-namespaced operations over {@link RangeAllocation} objects
 */
NonNamespaceOperation<RangeAllocation, RangeAllocationList, Resource<RangeAllocation>> rangeAllocations();
```
**Usage Examples:**
```java
// List security context constraints
SecurityContextConstraintsList allSccs = client.securityContextConstraints().list();

// Get specific SCC
SecurityContextConstraints restricted = client.securityContextConstraints()
    .withName("restricted")
    .get();

// Create custom SCC. Every host-level escape (host paths, host IPC/network/PID,
// privileged containers) is switched off, no capabilities are allowed or added by
// default, and a fixed set must be dropped, so pods admitted under it stay inside
// container isolation.
RunAsUserStrategyOptions runAsRange = new RunAsUserStrategyOptionsBuilder()
    .withType("MustRunAsRange")
    .build();
SELinuxContextStrategyOptions seLinuxMustRunAs = new SELinuxContextStrategyOptionsBuilder()
    .withType("MustRunAs")
    .build();
ObjectMeta sccMeta = new ObjectMetaBuilder()
    .withName("custom-scc")
    .build();
SecurityContextConstraints appScc = new SecurityContextConstraintsBuilder()
    .withMetadata(sccMeta)
    .withAllowHostDirVolumePlugin(false)
    .withAllowHostIPC(false)
    .withAllowHostNetwork(false)
    .withAllowHostPID(false)
    .withAllowPrivilegedContainer(false)
    .withAllowedCapabilities()
    .withDefaultAddCapabilities()
    .withRequiredDropCapabilities("KILL", "MKNOD", "SETUID", "SETGID")
    .withRunAsUser(runAsRange)
    .withSeLinuxContext(seLinuxMustRunAs)
    // Grant use of the SCC to the one service account that needs it, not a whole group
    .withUsers("system:serviceaccount:myproject:myapp")
    .build();

client.securityContextConstraints().create(appScc);

// List range allocations
RangeAllocationList allRanges = client.rangeAllocations().list();
```
### Access Reviews and Authorization
OpenShift access review system for checking permissions and authorization decisions.
```java { .api }
/**
 * Access to SubjectAccessReview operations (authorization.openshift.io/v1).
 * Check if subjects can perform actions (create-only, returns response). Treat only an
 * explicit allowed=true as permission; a null or false allowed, or a non-empty
 * evaluationError, should be handled as a denial.
 *
 * @return create operation taking a {@link SubjectAccessReview} and returning a {@link SubjectAccessReviewResponse}
 */
InOutCreateable<SubjectAccessReview, SubjectAccessReviewResponse> subjectAccessReviews();

/**
 * Access to ResourceAccessReview operations (authorization.openshift.io/v1).
 * Check resource access permissions (create-only, returns response): reports which
 * users and groups can perform the reviewed action.
 *
 * @return create operation taking a {@link ResourceAccessReview} and returning a {@link ResourceAccessReviewResponse}
 */
InOutCreateable<ResourceAccessReview, ResourceAccessReviewResponse> resourceAccessReviews();

/**
 * Access to LocalSubjectAccessReview operations (authorization.openshift.io/v1).
 * Check namespace-scoped subject permissions (create-only, returns response); the
 * namespace is chosen with inNamespace, not in the request attributes.
 *
 * @return namespaced create operation returning a {@link SubjectAccessReviewResponse}
 */
NamespacedInOutCreateable<LocalSubjectAccessReview, SubjectAccessReviewResponse> localSubjectAccessReviews();

/**
 * Access to LocalResourceAccessReview operations (authorization.openshift.io/v1).
 * Check namespace-scoped resource permissions (create-only, returns response).
 *
 * @return namespaced create operation returning a {@link ResourceAccessReviewResponse}
 */
NamespacedInOutCreateable<LocalResourceAccessReview, ResourceAccessReviewResponse> localResourceAccessReviews();

/**
 * Access to SelfSubjectRulesReview operations (authorization.openshift.io/v1).
 * Check current user's permissions (create-only, returns response). The returned rules
 * are informational, for example to drive UI hints; every request is still authorized
 * server-side.
 *
 * @return namespaced create operation taking and returning a {@link SelfSubjectRulesReview}
 */
NamespacedInOutCreateable<SelfSubjectRulesReview, SelfSubjectRulesReview> selfSubjectRulesReviews();

/**
 * Access to SubjectRulesReview operations (authorization.openshift.io/v1).
 * Check subject's effective permissions (create-only, returns response).
 *
 * @return namespaced create operation taking and returning a {@link SubjectRulesReview}
 */
NamespacedInOutCreateable<SubjectRulesReview, SubjectRulesReview> subjectRulesReviews();
```
**Usage Examples:**
```java
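// Check if user can create pods
SubjectAccessReview review = new SubjectAccessReviewBuilder()
    .withUser("developer")
    .withResourceAttributes(new ResourceAttributesBuilder()
        .withNamespace("myproject")
        .withVerb("create")
        .withResource("pods")
        .build())
    .build();

SubjectAccessReviewResponse response = client.subjectAccessReviews().create(review);
// getAllowed() returns a boxed Boolean (see the type definitions below); assigning it
// straight to a primitive throws NullPointerException when the field is absent.
// Fail closed: only an explicit TRUE, with no evaluation error reported, is a permit.
String evaluationError = response.getEvaluationError();
boolean evaluationFailed = evaluationError != null && !evaluationError.isEmpty();
boolean canCreatePods = !evaluationFailed && Boolean.TRUE.equals(response.getAllowed());

// Check current user's permissions in namespace
SelfSubjectRulesReview selfReview = new SelfSubjectRulesReviewBuilder()
    .withSpec(new SelfSubjectRulesReviewSpecBuilder()
        .withNamespace("myproject")
        .build())
    .build();

SelfSubjectRulesReview result = client.selfSubjectRulesReviews()
    .inNamespace("myproject")
    .create(selfReview);

// The rules are informational (typically used for UI hints); each request is still
// authorized server-side
List<ResourceRule> resourceRules = result.getStatus().getResourceRules();
List<NonResourceRule> nonResourceRules = result.getStatus().getNonResourceRules();

// Local subject access review: same check, scoped to the namespace given to inNamespace()
LocalSubjectAccessReview localReview = new LocalSubjectAccessReviewBuilder()
    .withUser("developer")
    .withResourceAttributes(new ResourceAttributesBuilder()
        .withVerb("delete")
        .withResource("deploymentconfigs")
        .withName("myapp")
        .build())
    .build();

SubjectAccessReviewResponse localResponse = client.localSubjectAccessReviews()
    .inNamespace("myproject")
    .create(localReview);
// Same null-safe, fail-closed reading of the boxed result as above
boolean canDeleteMyApp = Boolean.TRUE.equals(localResponse.getAllowed());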
```
### Pod Security Policy Reviews
OpenShift pod security policy validation and review system.
```java { .api }
/**
 * Access to PodSecurityPolicyReview operations (security.openshift.io/v1).
 * Review pod security policy compliance: submit a pod template and learn how it would be
 * admitted before creating the workload.
 *
 * @return namespaced create operation taking and returning a {@link PodSecurityPolicyReview}
 */
NamespacedInOutCreateable<PodSecurityPolicyReview, PodSecurityPolicyReview> podSecurityPolicyReviews();

/**
 * Access to PodSecurityPolicySelfSubjectReview operations (security.openshift.io/v1).
 * Review current user's pod security policy permissions for a given pod template.
 *
 * @return namespaced create operation taking and returning a {@link PodSecurityPolicySelfSubjectReview}
 */
NamespacedInOutCreateable<PodSecurityPolicySelfSubjectReview, PodSecurityPolicySelfSubjectReview> podSecurityPolicySelfSubjectReviews();

/**
 * Access to PodSecurityPolicySubjectReview operations (security.openshift.io/v1).
 * Review specific subject's pod security policy permissions for a given pod template,
 * for example to check a service account before deploying on its behalf.
 *
 * @return namespaced create operation taking and returning a {@link PodSecurityPolicySubjectReview}
 */
NamespacedInOutCreateable<PodSecurityPolicySubjectReview, PodSecurityPolicySubjectReview> podSecurityPolicySubjectReviews();
```
**Usage Examples:**
```java
// Review pod security policy for a pod spec.
// `podSpec` is the PodSpec under review and is supplied by the caller; the same
// template is submitted to both reviews below.
PodTemplateSpec template = new PodTemplateSpecBuilder()
    .withSpec(podSpec)
    .build();

PodSecurityPolicyReviewSpec reviewSpec = new PodSecurityPolicyReviewSpecBuilder()
    .withTemplate(template)
    .build();
PodSecurityPolicyReview policyReview = new PodSecurityPolicyReviewBuilder()
    .withSpec(reviewSpec)
    .build();

PodSecurityPolicyReview policyResult = client.podSecurityPolicyReviews()
    .inNamespace("myproject")
    .create(policyReview);

// Check current user's pod security policy permissions
PodSecurityPolicySelfSubjectReviewSpec selfSpec = new PodSecurityPolicySelfSubjectReviewSpecBuilder()
    .withTemplate(template)
    .build();
PodSecurityPolicySelfSubjectReview selfReview = new PodSecurityPolicySelfSubjectReviewBuilder()
    .withSpec(selfSpec)
    .build();

PodSecurityPolicySelfSubjectReview selfResult = client.podSecurityPolicySelfSubjectReviews()
    .inNamespace("myproject")
    .create(selfReview);
```
## Type Definitions
```java { .api }
/**
 * Access review response types.
 * getAllowed() is a boxed Boolean and may be null: test Boolean.TRUE.equals(getAllowed())
 * instead of auto-unboxing, and treat a non-empty getEvaluationError() as a failed
 * (not a permitted) check.
 * NOTE(review): getDenied() is typed String here — confirm against the generated model.
 */
public class SubjectAccessReviewResponse {
    public Boolean getAllowed();
    public String getDenied();
    public String getReason();
    public String getEvaluationError();
}

/**
 * Response of a resource access review: the users and groups the server determined can
 * perform the reviewed action. Informational only; it grants nothing.
 */
public class ResourceAccessReviewResponse {
    public String getNamespace();
    public Set<String> getUsers();
    public Set<String> getGroups();
    public String getEvaluationError();
}

/**
 * Rule types for permissions.
 * A ResourceRule lists the verbs allowed on the given API groups and resources,
 * optionally limited to specific resource names, as returned by the rules reviews above.
 */
public class ResourceRule {
    public List<String> getVerbs();
    public List<String> getApiGroups();
    public List<String> getResources();
    public List<String> getResourceNames();
}

/** Verbs allowed on non-resource URL paths (such as /healthz) rather than API objects. */
public class NonResourceRule {
    public List<String> getVerbs();
    public List<String> getNonResourceURLs();
}

/**
 * Additional Security Resource Methods from OpenShiftClient interface.
 * Both methods below also appear in the sections above; they are repeated here for
 * completeness.
 */

// Role Binding Restrictions (authorization.openshift.io/v1)
MixedOperation<RoleBindingRestriction, RoleBindingRestrictionList, Resource<RoleBindingRestriction>> roleBindingRestrictions();

// Range Allocations (security.openshift.io/v1)
NonNamespaceOperation<RangeAllocation, RangeAllocationList, Resource<RangeAllocation>> rangeAllocations();
```