Bug
Resolution: Obsolete
Major
None
DO280 - OCP4.12-en-1-20230329
None
6
en-US (English)
DO280 Sprint 1
URL: https://rol.redhat.com/rol/app/courses/do280-4.12/pages/ch06s03
Reporter RHNID: ctiwary@redhat.com
Section: 3 - Allow Application Access to Kubernetes APIs
Language: en-US (English)
Workaround:
Description: Ch06s03: Binding Roles to Service Accounts:
******************************************************************************************************
"Binding Roles to Service Accounts
For an application to use the role permissions, you must bind the role or cluster role to the application service account.
To bind a role or cluster role to a service account in a namespace, you can use the oc adm policy command with the add-role-to-user subcommand.
This command assigns a *cluster role* to a service account that exists in the current project:
[user@host ~]$ oc adm policy add-role-to-user cluster-role -z service-account
You can optionally use -z to avoid specifying the system:serviceaccount:project prefix when you assign the role to a service account that exists in the current project.
To create a cluster role binding, you can use the oc adm policy command with the add-cluster-role-to-user subcommand.
The following command assigns a cluster role to a service account with a cluster scope:
[user@host ~]$ oc adm policy add-cluster-role-to-user cluster-role service-account "
****************************************************************************************************
To assign a cluster role, we use add-cluster-role-to-user cluster-role, and for a project-specific role, we use add-role-to-user role, right?
Please clarify this and, if possible, rephrase this portion to avoid any confusion for learners who are new to OCP.
Refer v4.10 course https://rol.redhat.com/rol/app/courses/do280-4.10/pages/ch03s03 for cluster-roles lecture.
Also, aren't there security constraints on giving cluster roles to an SA? We should specify that only specific cluster roles should be given to an SA.
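The point the quoted course text leaves implicit is that the scope of a grant is set by the binding object, not by the kind of role: a ClusterRole can be bound with a namespaced RoleBinding (what `add-role-to-user ... -z` does in the current project) or with a ClusterRoleBinding (what `add-cluster-role-to-user` does). The manifests below are an added example, not part of the DO280 course text or of this report; they spell out the objects the two quoted commands create, plus a least-privilege alternative. The project name `myproject`, the service account `api-reader`, the binding names and the `pod-reader` role are assumptions for illustration; `oc adm policy` picks its own binding names unless told otherwise.

```yaml
# Added example (not from the DO280 course or the bug report). Names below
# (myproject, api-reader, view-api-reader, pod-reader) are assumptions.

# 1) Equivalent of:
#      oc adm policy add-role-to-user view -z api-reader
#    run with `myproject` as the current project.
#    The role is the built-in ClusterRole `view`, but the binding is a
#    namespaced RoleBinding, so the grant applies only inside `myproject`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: view
  namespace: myproject
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: api-reader
  namespace: myproject
---
# 2) Equivalent of:
#      oc adm policy add-cluster-role-to-user view system:serviceaccount:myproject:api-reader
#    A ClusterRoleBinding grants `view` in every namespace, including the
#    openshift-* and kube-system namespaces. Any pod running as this service
#    account can exercise that access with the token mounted into it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-api-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: api-reader
  namespace: myproject
---
# 3) Least-privilege alternative: a namespaced Role that lists only the
#    resources and verbs the application actually needs, bound with a
#    RoleBinding. Prefer this over any built-in cluster role when the
#    application only talks to objects in its own project.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: myproject
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: myproject
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: api-reader
  namespace: myproject
```

To check which scope a binding actually produced, impersonate the service account: `oc auth can-i list pods --as=system:serviceaccount:myproject:api-reader -n myproject` should answer `yes` for all three variants, while the same query with `-n openshift-config` answers `yes` only after the ClusterRoleBinding in variant 2. That difference is the reason to be careful with cluster-scoped bindings for service accounts: a powerful cluster role such as `cluster-admin` bound this way turns every pod that runs as the service account, and anyone who can read its token or exec into the pod, into a cluster administrator.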