Fix RBAC Forbidden OpenShift¶
Introduction¶
RBAC decides which OpenShift users and service accounts can act on resources. oc auth can-i is the quickest safe test before changing RoleBindings.
Symptoms¶
Typical symptoms include failed pods, route errors, denied requests, unhealthy operators, or command errors that repeat after retries.
Common Causes¶
- Granting cluster-admin for a namespace-scoped problem.
- Testing permissions as yourself instead of the affected service account.
- Forgetting that SCC use is also authorized through RBAC.
Step 1: Check the Current Status¶
oc auth can-i get pods -n app
oc auth can-i create routes -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Example output:
yes
no
Step 2: Inspect Logs and Events¶
oc auth can-i get pods -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Step 3: Verify Configuration¶
Compare the object selectors, service account, image reference, route target, or operator status with the failing symptom. In OpenShift, events often show the exact admission, scheduling, pull, SCC, or route reason.
Example YAML¶
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: edit-developer
namespace: app
subjects:
- kind: User
name: developer
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
Step 4: Apply the Fix¶
Apply the smallest targeted fix: correct the selector, update the route or service port, link the pull secret, grant the specific RBAC or SCC permission, or repair the unhealthy operator dependency.
Step 5: Confirm the Problem Is Resolved¶
Run the verification commands again and confirm the status, events, and user-facing test all agree.
Common Mistakes¶
- Granting cluster-admin for a namespace-scoped problem.
- Testing permissions as yourself instead of the affected service account.
- Forgetting that SCC use is also authorized through RBAC.
Quick Checklist¶
- Confirm the active project.
- Inspect the exact object named in the error.
- Read recent events.
- Apply one focused fix.
- Verify status after the change.
Related Guides¶
Summary¶
Fix RBAC Forbidden OpenShift requires matching the symptom to the OpenShift object that owns it. Use oc status commands, events, logs, and focused verification so the fix is tied to evidence.