
tessl/maven-io-fabric8--openshift-client

Java client library for OpenShift REST APIs, providing fluent DSL access to OpenShift resources and operations.


Security and Access Control

Comprehensive RBAC and security management including roles, users, groups, OAuth, and access reviews. Covers both namespace-scoped and cluster-scoped security resources with OpenShift-specific enhancements.

Capabilities

User and Identity Management

OpenShift user and identity management with support for multiple identity providers and user-to-identity mappings.

/**
 * Access to User resources (user.openshift.io/v1)
 * User accounts in the OpenShift cluster
 */
NonNamespaceOperation<User, UserList, Resource<User>> users();

/**
 * Access to Group resources (user.openshift.io/v1)
 * User groups for organizing users and permissions
 */
NonNamespaceOperation<Group, GroupList, Resource<Group>> groups();

/**
 * Access to Identity resources (user.openshift.io/v1)
 * Identity provider mappings for users
 */
NonNamespaceOperation<Identity, IdentityList, Resource<Identity>> identities();

/**
 * Access to UserIdentityMapping operations (user.openshift.io/v1)
 * Map users to identity provider identities
 */
InOutCreateable<UserIdentityMapping, UserIdentityMapping> userIdentityMappings();

Usage Examples:

// List all users
UserList users = client.users().list();

// Get current user
User currentUser = client.currentUser();
System.out.println("Current user: " + currentUser.getMetadata().getName());

// List user groups
List<String> userGroups = currentUser.getGroups();

// Get specific user
User specificUser = client.users().withName("developer").get();

// List groups
GroupList groups = client.groups().list();

// Create user-identity mapping
UserIdentityMapping mapping = new UserIdentityMappingBuilder()
    .withUser(new ObjectReferenceBuilder()
        .withName("developer")
        .build())
    .withIdentity(new ObjectReferenceBuilder()
        .withName("htpasswd:developer")
        .build())
    .build();

client.userIdentityMappings().create(mapping);

Role-Based Access Control

OpenShift RBAC system with roles, role bindings, and cluster-level permissions management.

/**
 * Access to Role resources (authorization.openshift.io/v1)
 * Namespace-scoped roles defining permissions
 */
MixedOperation<Role, RoleList, Resource<Role>> roles();

/**
 * Access to RoleBinding resources (authorization.openshift.io/v1)
 * Bind roles to users, groups, or service accounts in namespaces
 */
MixedOperation<RoleBinding, RoleBindingList, Resource<RoleBinding>> roleBindings();

/**
 * Access to ClusterRole resources (authorization.openshift.io/v1)
 * Cluster-scoped roles with cluster-wide permissions
 */
NonNamespaceOperation<ClusterRole, ClusterRoleList, Resource<ClusterRole>> clusterRoles();

/**
 * Access to ClusterRoleBinding resources (authorization.openshift.io/v1)
 * Bind cluster roles to users, groups, or service accounts cluster-wide
 */
NonNamespaceOperation<ClusterRoleBinding, ClusterRoleBindingList, Resource<ClusterRoleBinding>> clusterRoleBindings();

/**
 * Access to RoleBindingRestriction resources (authorization.openshift.io/v1)
 * Restrict role binding creation in namespaces
 */
MixedOperation<RoleBindingRestriction, RoleBindingRestrictionList, Resource<RoleBindingRestriction>> roleBindingRestrictions();

Usage Examples:

// List roles in namespace
RoleList roles = client.roles().inNamespace("myproject").list();

// Create role
Role customRole = new RoleBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("pod-reader")
        .withNamespace("myproject")
        .build())
    .addNewRule()
        .withApiGroups("")
        .withResources("pods")
        .withVerbs("get", "list", "watch")
    .endRule()
    .build();

client.roles().inNamespace("myproject").create(customRole);

// Create role binding
// In authorization.openshift.io/v1 both roleRef and subjects are plain ObjectReferences
// (name/namespace and kind/name), not the rbac.authorization.k8s.io RoleRef/Subject types
RoleBinding binding = new RoleBindingBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("pod-readers")
        .withNamespace("myproject")
        .build())
    .withRoleRef(new ObjectReferenceBuilder()
        .withName("pod-reader")
        .withNamespace("myproject")
        .build())
    .addNewSubject()
        .withKind("User")
        .withName("developer")
    .endSubject()
    .build();

client.roleBindings().inNamespace("myproject").create(binding);

// List cluster roles
ClusterRoleList clusterRoles = client.clusterRoles().list();

// Create cluster role binding
// roleRef names a ClusterRole (no namespace); subjects are ObjectReferences
ClusterRoleBinding clusterBinding = new ClusterRoleBindingBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("cluster-readers")
        .build())
    .withRoleRef(new ObjectReferenceBuilder()
        .withName("cluster-reader")
        .build())
    .addNewSubject()
        .withKind("Group")
        .withName("developers")
    .endSubject()
    .build();

client.clusterRoleBindings().create(clusterBinding);
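The binding and group APIs above are what a reviewer needs to answer "who actually holds cluster-admin?", since a Group subject hides its members. The following class, written for this page and not part of the fabric8 project, walks every ClusterRoleBinding for a set of sensitive roles (the role list is an assumption, adjust it for your cluster) and expands Group subjects through `client.groups()` so indirect grants become visible. Virtual groups such as `system:authenticated` have no Group object and are reported as unresolved rather than silently dropped.

```java
import io.fabric8.kubernetes.api.model.ObjectReference;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
import io.fabric8.openshift.api.model.ClusterRoleBinding;
import io.fabric8.openshift.api.model.Group;
import io.fabric8.openshift.client.OpenShiftClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/**
 * Lists every principal that holds a sensitive cluster role, expanding Group subjects
 * into their member users. Example code for this page, not part of fabric8.
 */
public class PrivilegedBindingAudit {

    // Roles to report on: an assumption of this example, adjust for your cluster
    private static final Set<String> SENSITIVE_ROLES =
            new HashSet<>(Arrays.asList("cluster-admin", "cluster-reader", "self-provisioner"));

    /** Role name -> principals (users, service accounts, unresolved groups) holding it. */
    public static Map<String, Set<String>> effectiveHolders(OpenShiftClient client) {
        Map<String, Set<String>> holders = new TreeMap<>();

        for (ClusterRoleBinding crb : client.clusterRoleBindings().list().getItems()) {
            ObjectReference roleRef = crb.getRoleRef();
            if (roleRef == null || !SENSITIVE_ROLES.contains(roleRef.getName())) {
                continue;
            }
            Set<String> principals = holders.computeIfAbsent(roleRef.getName(), r -> new TreeSet<>());
            if (crb.getSubjects() == null) {
                continue;
            }
            String via = " (binding " + crb.getMetadata().getName() + ")";
            for (ObjectReference subject : crb.getSubjects()) {
                if ("Group".equals(subject.getKind())) {
                    // Virtual groups (system:authenticated, system:masters, ...) are not Group
                    // objects; report them unresolved so the reviewer still sees the grant.
                    Group group = subject.getName().startsWith("system:")
                            ? null
                            : client.groups().withName(subject.getName()).get();
                    if (group == null || group.getUsers() == null || group.getUsers().isEmpty()) {
                        principals.add("group:" + subject.getName() + " [unresolved]" + via);
                    } else {
                        for (String member : group.getUsers()) {
                            principals.add("user:" + member + " [via group " + subject.getName() + "]" + via);
                        }
                    }
                } else if ("ServiceAccount".equals(subject.getKind())) {
                    principals.add("sa:" + subject.getNamespace() + "/" + subject.getName() + via);
                } else {
                    principals.add("user:" + subject.getName() + via);
                }
            }
        }
        return holders;
    }

    public static void main(String[] args) {
        // Uses the current kubeconfig context; adapt() requires an OpenShift API server
        try (OpenShiftClient client = new KubernetesClientBuilder().build().adapt(OpenShiftClient.class)) {
            effectiveHolders(client).forEach((role, principals) -> {
                System.out.println(role + ":");
                principals.forEach(p -> System.out.println("  " + p));
            });
        }
    }
}
```

Running it periodically and diffing the output is a cheap way to catch a new cluster-admin binding; the listing needs permission to read ClusterRoleBindings and Groups cluster-wide.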

OAuth and Token Management

OpenShift OAuth system for authentication and token management.

/**
 * Access to OAuthAccessToken resources (oauth.openshift.io/v1)
 * OAuth access tokens for API authentication
 */
NonNamespaceOperation<OAuthAccessToken, OAuthAccessTokenList, Resource<OAuthAccessToken>> oAuthAccessTokens();

/**
 * Access to OAuthAuthorizeToken resources (oauth.openshift.io/v1)
 * OAuth authorization tokens for authorization flows
 */
NonNamespaceOperation<OAuthAuthorizeToken, OAuthAuthorizeTokenList, Resource<OAuthAuthorizeToken>> oAuthAuthorizeTokens();

/**
 * Access to OAuthClient resources (oauth.openshift.io/v1)
 * OAuth client applications registered with OpenShift
 */
NonNamespaceOperation<OAuthClient, OAuthClientList, Resource<OAuthClient>> oAuthClients();

/**
 * Access to OAuthClientAuthorization resources (oauth.openshift.io/v1)
 * User authorization grants for OAuth clients
 */
NonNamespaceOperation<OAuthClientAuthorization, OAuthClientAuthorizationList, Resource<OAuthClientAuthorization>> oAuthClientAuthorizations();

/**
 * Access to UserOAuthAccessToken resources (oauth.openshift.io/v1)
 * User-specific OAuth access tokens (GET and DELETE only)
 */
NonNamespaceOperation<UserOAuthAccessToken, UserOAuthAccessTokenList, Resource<UserOAuthAccessToken>> userOAuthAccessTokens();

Usage Examples:

// List OAuth clients
OAuthClientList clients = client.oAuthClients().list();

// Create OAuth client
OAuthClient oauthClient = new OAuthClientBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("my-app")
        .build())
    .withSecret("client-secret")
    .withRedirectURIs("https://myapp.com/callback")
    .withGrantMethod("auto")
    .build();

client.oAuthClients().create(oauthClient);

// List user's OAuth access tokens
UserOAuthAccessTokenList userTokens = client.userOAuthAccessTokens().list();

// Revoke specific OAuth access token
client.oAuthAccessTokens().withName("token-name").delete();

Security Context Constraints

OpenShift security context constraints for controlling pod security policies and runtime security.

/**
 * Access to SecurityContextConstraints resources (security.openshift.io/v1)
 * Cluster-wide security policies for pod execution
 */
NonNamespaceOperation<SecurityContextConstraints, SecurityContextConstraintsList, Resource<SecurityContextConstraints>> securityContextConstraints();

/**
 * Access to RangeAllocation resources (security.openshift.io/v1)
 * UID/GID range allocations for projects
 */
NonNamespaceOperation<RangeAllocation, RangeAllocationList, Resource<RangeAllocation>> rangeAllocations();

Usage Examples:

// List security context constraints
SecurityContextConstraintsList sccs = client.securityContextConstraints().list();

// Get specific SCC
SecurityContextConstraints restrictedSCC = client.securityContextConstraints()
    .withName("restricted")
    .get();

// Create custom SCC
SecurityContextConstraints customSCC = new SecurityContextConstraintsBuilder()
    .withMetadata(new ObjectMetaBuilder()
        .withName("custom-scc")
        .build())
    .withAllowHostDirVolumePlugin(false)
    .withAllowHostIPC(false)
    .withAllowHostNetwork(false)
    .withAllowHostPID(false)
    .withAllowPrivilegedContainer(false)
    .withAllowedCapabilities()
    .withDefaultAddCapabilities()
    .withRequiredDropCapabilities("KILL", "MKNOD", "SETUID", "SETGID")
    .withRunAsUser(new RunAsUserStrategyOptionsBuilder()
        .withType("MustRunAsRange")
        .build())
    .withSeLinuxContext(new SELinuxContextStrategyOptionsBuilder()
        .withType("MustRunAs")
        .build())
    .withUsers("system:serviceaccount:myproject:myapp")
    .build();

client.securityContextConstraints().create(customSCC);

// List range allocations
RangeAllocationList ranges = client.rangeAllocations().list();
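Because SCC admission picks the highest-priority constraint the pod's service account can use, a single permissive SCC with a stray `users` entry undoes the restrictions everywhere else. The class below, written for this page and not part of the fabric8 project, reads each SCC through `securityContextConstraints()` and reports the host, privilege and capability settings that widen the pod boundary, together with the users and groups granted directly on the SCC. Grants made through RBAC (`use` on the SCC resource) are not visible on the SCC object and are deliberately out of scope here.

```java
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
import io.fabric8.openshift.api.model.SecurityContextConstraints;
import io.fabric8.openshift.client.OpenShiftClient;

import java.util.ArrayList;
import java.util.List;

/**
 * Flags SCCs that grant host or privileged access and shows who is bound to them directly.
 * Example code for this page, not part of fabric8.
 */
public class SccAudit {

    /** Permissive settings enabled on the SCC; an empty list means none of the checked ones. */
    public static List<String> permissiveSettings(SecurityContextConstraints scc) {
        List<String> flags = new ArrayList<>();
        if (Boolean.TRUE.equals(scc.getAllowPrivilegedContainer())) flags.add("allowPrivilegedContainer");
        if (Boolean.TRUE.equals(scc.getAllowHostDirVolumePlugin())) flags.add("allowHostDirVolumePlugin");
        if (Boolean.TRUE.equals(scc.getAllowHostNetwork())) flags.add("allowHostNetwork");
        if (Boolean.TRUE.equals(scc.getAllowHostPID())) flags.add("allowHostPID");
        if (Boolean.TRUE.equals(scc.getAllowHostIPC())) flags.add("allowHostIPC");
        if (Boolean.TRUE.equals(scc.getAllowHostPorts())) flags.add("allowHostPorts");
        // RunAsAny lets the container choose its UID, including 0
        if (scc.getRunAsUser() != null && "RunAsAny".equals(scc.getRunAsUser().getType())) {
            flags.add("runAsUser=RunAsAny");
        }
        if (scc.getAllowedCapabilities() != null && scc.getAllowedCapabilities().contains("*")) {
            flags.add("allowedCapabilities=*");
        }
        if (scc.getVolumes() != null && scc.getVolumes().contains("*")) {
            flags.add("volumes=*");
        }
        return flags;
    }

    public static void main(String[] args) {
        try (OpenShiftClient client = new KubernetesClientBuilder().build().adapt(OpenShiftClient.class)) {
            for (SecurityContextConstraints scc : client.securityContextConstraints().list().getItems()) {
                List<String> flags = permissiveSettings(scc);
                if (flags.isEmpty()) {
                    continue;
                }
                System.out.println(scc.getMetadata().getName()
                        + " (priority " + scc.getPriority() + "): " + flags);
                // Direct grants only; RBAC "use" grants live in RoleBindings, not here
                System.out.println("  users:  " + scc.getUsers());
                System.out.println("  groups: " + scc.getGroups());
            }
        }
    }
}
```

On a stock cluster the built-in `privileged` and `hostaccess` SCCs will show up; the finding to act on is a workload service account in their `users` list.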

Access Reviews and Authorization

OpenShift access review system for checking permissions and authorization decisions.

/**
 * Access to SubjectAccessReview operations (authorization.openshift.io/v1)
 * Check if subjects can perform actions (create-only, returns response)
 */
InOutCreateable<SubjectAccessReview, SubjectAccessReviewResponse> subjectAccessReviews();

/**
 * Access to ResourceAccessReview operations (authorization.openshift.io/v1)
 * Check resource access permissions (create-only, returns response)
 */
InOutCreateable<ResourceAccessReview, ResourceAccessReviewResponse> resourceAccessReviews();

/**
 * Access to LocalSubjectAccessReview operations (authorization.openshift.io/v1)
 * Check namespace-scoped subject permissions (create-only, returns response)
 */
NamespacedInOutCreateable<LocalSubjectAccessReview, SubjectAccessReviewResponse> localSubjectAccessReviews();

/**
 * Access to LocalResourceAccessReview operations (authorization.openshift.io/v1)
 * Check namespace-scoped resource permissions (create-only, returns response)
 */
NamespacedInOutCreateable<LocalResourceAccessReview, ResourceAccessReviewResponse> localResourceAccessReviews();

/**
 * Access to SelfSubjectRulesReview operations (authorization.openshift.io/v1)
 * Check current user's permissions (create-only, returns response)
 */
NamespacedInOutCreateable<SelfSubjectRulesReview, SelfSubjectRulesReview> selfSubjectRulesReviews();

/**
 * Access to SubjectRulesReview operations (authorization.openshift.io/v1)
 * Check subject's effective permissions (create-only, returns response)
 */
NamespacedInOutCreateable<SubjectRulesReview, SubjectRulesReview> subjectRulesReviews();

Usage Examples:

// Check if user can create pods
// The authorization.openshift.io/v1 SubjectAccessReview carries the action attributes
// directly on the object (there is no resourceAttributes block as in authorization.k8s.io)
SubjectAccessReview review = new SubjectAccessReviewBuilder()
    .withUser("developer")
    .withNamespace("myproject")
    .withVerb("create")
    .withResource("pods")
    .build();

SubjectAccessReviewResponse response = client.subjectAccessReviews().create(review);
boolean canCreatePods = Boolean.TRUE.equals(response.getAllowed());

// List current user's effective rules in a namespace
// The namespace comes from the request path; the spec only carries optional OAuth scopes
SelfSubjectRulesReview selfReview = new SelfSubjectRulesReviewBuilder()
    .withSpec(new SelfSubjectRulesReviewSpecBuilder()
        .build())
    .build();

SelfSubjectRulesReview result = client.selfSubjectRulesReviews()
    .inNamespace("myproject")
    .create(selfReview);

// Status holds one flat list of PolicyRule; resource rules and
// non-resource (URL) rules share the same type
List<PolicyRule> rules = result.getStatus().getRules();
for (PolicyRule rule : rules) {
    System.out.println(rule.getVerbs() + " on " + rule.getResources()
        + " / " + rule.getNonResourceURLs());
}

// Local subject access review (namespace taken from the request path)
LocalSubjectAccessReview localReview = new LocalSubjectAccessReviewBuilder()
    .withUser("developer")
    .withVerb("delete")
    .withResource("deploymentconfigs")
    .withResourceName("myapp")
    .build();

SubjectAccessReviewResponse localResponse = client.localSubjectAccessReviews()
    .inNamespace("myproject")
    .create(localReview);
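Access reviews are most useful run in bulk as a regression check after an RBAC change: ask whether a principal can do things it must not be able to do, and fail if any answer is "allowed". The class below, added for this page and not part of the fabric8 project, does that with `subjectAccessReviews()` for a workload service account (`system:serviceaccount:myproject:myapp` is assumed) against a small must-deny list that is itself an assumption; it treats an `evaluationError` as denied but reports it, since a failed evaluation is not evidence of least privilege.

```java
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
import io.fabric8.openshift.api.model.SubjectAccessReview;
import io.fabric8.openshift.api.model.SubjectAccessReviewBuilder;
import io.fabric8.openshift.api.model.SubjectAccessReviewResponse;
import io.fabric8.openshift.client.OpenShiftClient;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Probes a principal against actions it should be denied and reports any that are allowed.
 * Example code for this page, not part of fabric8.
 */
public class PermissionProbe {

    /** {verb, apiGroup, resource} triples a plain workload service account should be denied (assumed policy). */
    private static final String[][] MUST_DENY = {
        {"create", "rbac.authorization.k8s.io", "rolebindings"},
        {"list",   "",                          "secrets"},
        {"delete", "apps.openshift.io",         "deploymentconfigs"},
        {"use",    "security.openshift.io",     "securitycontextconstraints"},
    };

    /** "verb group/resource" -> allowed, for every probe in MUST_DENY. */
    public static Map<String, Boolean> probe(OpenShiftClient client, String user, String namespace) {
        Map<String, Boolean> results = new LinkedHashMap<>();
        for (String[] action : MUST_DENY) {
            SubjectAccessReview sar = new SubjectAccessReviewBuilder()
                .withUser(user)
                .withNamespace(namespace)
                .withVerb(action[0])
                .withResourceAPIGroup(action[1])
                .withResource(action[2])
                .build();
            SubjectAccessReviewResponse resp = client.subjectAccessReviews().create(sar);

            String key = action[0] + " " + action[1] + "/" + action[2];
            String err = resp.getEvaluationError();
            if (err != null && !err.isEmpty()) {
                // An error is not a deny decision; surface it so the run is not trusted blindly
                System.err.println(key + ": evaluation error: " + err);
            }
            results.put(key, Boolean.TRUE.equals(resp.getAllowed()));
        }
        return results;
    }

    /** Returns true when no must-deny action is allowed; prints each violation. */
    public static boolean leastPrivilegeHolds(OpenShiftClient client, String user, String namespace) {
        boolean ok = true;
        for (Map.Entry<String, Boolean> e : probe(client, user, namespace).entrySet()) {
            if (e.getValue()) {
                System.out.println("VIOLATION: " + user + " may " + e.getKey() + " in " + namespace);
                ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        try (OpenShiftClient client = new KubernetesClientBuilder().build().adapt(OpenShiftClient.class)) {
            // Service accounts are addressed by their system:serviceaccount:<ns>:<name> user name
            boolean ok = leastPrivilegeHolds(client, "system:serviceaccount:myproject:myapp", "myproject");
            System.exit(ok ? 0 : 1);
        }
    }
}
```

The caller needs permission to create SubjectAccessReviews cluster-wide; for checks limited to one namespace the same loop works with `localSubjectAccessReviews().inNamespace(...)`.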

Pod Security Policy Reviews

OpenShift pod security policy validation and review system.

/**
 * Access to PodSecurityPolicyReview operations (security.openshift.io/v1)
 * Review pod security policy compliance
 */
NamespacedInOutCreateable<PodSecurityPolicyReview, PodSecurityPolicyReview> podSecurityPolicyReviews();

/**
 * Access to PodSecurityPolicySelfSubjectReview operations (security.openshift.io/v1)
 * Review current user's pod security policy permissions
 */
NamespacedInOutCreateable<PodSecurityPolicySelfSubjectReview, PodSecurityPolicySelfSubjectReview> podSecurityPolicySelfSubjectReviews();

/**
 * Access to PodSecurityPolicySubjectReview operations (security.openshift.io/v1)
 * Review specific subject's pod security policy permissions
 */
NamespacedInOutCreateable<PodSecurityPolicySubjectReview, PodSecurityPolicySubjectReview> podSecurityPolicySubjectReviews();

Usage Examples:

// Review pod security policy for a pod spec
// Minimal pod spec to review; replace with the workload's real spec
PodSpec podSpec = new PodSpecBuilder()
    .addNewContainer()
        .withName("app")
        .withImage("image-registry.example/myapp:1.0") // placeholder image
    .endContainer()
    .build();

PodSecurityPolicyReview policyReview = new PodSecurityPolicyReviewBuilder()
    .withSpec(new PodSecurityPolicyReviewSpecBuilder()
        .withTemplate(new PodTemplateSpecBuilder()
            .withSpec(podSpec)
            .build())
        .build())
    .build();

PodSecurityPolicyReview result = client.podSecurityPolicyReviews()
    .inNamespace("myproject")
    .create(policyReview);

// Check current user's pod security policy permissions
PodSecurityPolicySelfSubjectReview selfReview = new PodSecurityPolicySelfSubjectReviewBuilder()
    .withSpec(new PodSecurityPolicySelfSubjectReviewSpecBuilder()
        .withTemplate(new PodTemplateSpecBuilder()
            .withSpec(podSpec)
            .build())
        .build())
    .build();

PodSecurityPolicySelfSubjectReview selfResult = client.podSecurityPolicySelfSubjectReviews()
    .inNamespace("myproject")
    .create(selfReview);
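The review above answers "does this template pass?" for the default service account only. Its `serviceAccountNames` field lets one request evaluate several service accounts at once, and the status reports, per account, which SCC admitted the template or why none did. The class below, written for this page and not part of the fabric8 project, builds a template that requests hostPath and privileged mode (constructed here purely as a test input), submits it through `podSecurityPolicyReviews()`, and returns a map of service account to admitting SCC; `myproject`, the service account names and the image are assumptions.

```java
import io.fabric8.kubernetes.api.model.PodTemplateSpec;
import io.fabric8.kubernetes.api.model.PodTemplateSpecBuilder;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
import io.fabric8.openshift.api.model.PodSecurityPolicyReview;
import io.fabric8.openshift.api.model.PodSecurityPolicyReviewBuilder;
import io.fabric8.openshift.api.model.ServiceAccountPodSecurityPolicyReviewStatus;
import io.fabric8.openshift.client.OpenShiftClient;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Pre-flight check: which SCC (if any) admits a pod template for each service account.
 * Example code for this page, not part of fabric8.
 */
public class SccAdmissionPreflight {

    /** Test input constructed for this example: a template that asks for hostPath and privileged mode. */
    public static PodTemplateSpec hostAccessTemplate() {
        return new PodTemplateSpecBuilder()
            .withNewSpec()
                .addNewContainer()
                    .withName("agent")
                    .withImage("image-registry.example/agent:1.0") // placeholder image
                    .withNewSecurityContext()
                        .withPrivileged(true)
                    .endSecurityContext()
                    .addNewVolumeMount()
                        .withName("host")
                        .withMountPath("/host")
                    .endVolumeMount()
                .endContainer()
                .addNewVolume()
                    .withName("host")
                    .withNewHostPath()
                        .withPath("/")
                    .endHostPath()
                .endVolume()
            .endSpec()
            .build();
    }

    /** Service account name -> name of the SCC that admits the template, or null if none does. */
    public static Map<String, String> admittingScc(OpenShiftClient client, String namespace,
                                                   PodTemplateSpec template, String... serviceAccounts) {
        PodSecurityPolicyReview review = new PodSecurityPolicyReviewBuilder()
            .withNewSpec()
                .withTemplate(template)
                .withServiceAccountNames(serviceAccounts)
            .endSpec()
            .build();

        PodSecurityPolicyReview result = client.podSecurityPolicyReviews()
            .inNamespace(namespace)
            .create(review);

        Map<String, String> out = new LinkedHashMap<>();
        for (ServiceAccountPodSecurityPolicyReviewStatus sa : result.getStatus().getAllowedServiceAccounts()) {
            // allowedBy is null when no SCC admits the template; reason explains the rejection
            if (sa.getAllowedBy() == null) {
                System.out.println(sa.getName() + ": rejected: " + sa.getReason());
                out.put(sa.getName(), null);
            } else {
                out.put(sa.getName(), sa.getAllowedBy().getName());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        try (OpenShiftClient client = new KubernetesClientBuilder().build().adapt(OpenShiftClient.class)) {
            Map<String, String> result = admittingScc(client, "myproject", hostAccessTemplate(), "default", "myapp");
            // Expected on a correctly locked-down namespace: every value is null
            result.forEach((sa, scc) -> System.out.println(sa + " -> " + (scc == null ? "denied" : scc)));
        }
    }
}
```

A non-null entry for a workload service account means that account can already run host-level pods; it is the same signal the SCC audit gives, observed from the admission side.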

Type Definitions

/**
 * Access review response types (authorization.openshift.io/v1)
 */
public class SubjectAccessReviewResponse {
    public Boolean getAllowed();
    public String getNamespace();
    public String getReason();
    public String getEvaluationError();
}

public class ResourceAccessReviewResponse {
    public String getNamespace();
    public List<String> getUsers();
    public List<String> getGroups();
    public String getEvaluationError();
}

/**
 * Rule type returned in the status of SelfSubjectRulesReview and SubjectRulesReview.
 * authorization.openshift.io/v1 uses one PolicyRule type for both resource and
 * non-resource (URL) rules.
 */
public class PolicyRule {
    public List<String> getVerbs();
    public List<String> getApiGroups();
    public List<String> getResources();
    public List<String> getResourceNames();
    public List<String> getNonResourceURLs();
}

Install with Tessl CLI

npx tessl i tessl/maven-io-fabric8--openshift-client
