Service Accounts and RBAC – Grant Cluster Reader Role

Step 1: Confirm the service account exists in auth-audit.

It must exist before a role can be assigned to it.

Step 2: Run the command:

oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:auth-audit:audit

Step 3: Verify the binding is added.

The lab output shows:

clusterrole.rbac.authorization.k8s.io/cluster-reader added: "system:serviceaccount:auth-audit:audit"

Detailed explanation:

This binds the cluster-reader cluster role to the audit service account. The full subject format system:serviceaccount:namespace:name is required because OpenShift RBAC needs the exact service account identity. The cluster-reader role is broader than a project-scoped view role because it allows read-level access across cluster resources. This is appropriate for auditing or inspection use cases where the account must observe but not modify. The distinction between cluster roles and namespaced roles is important: cluster roles apply to non-namespaced resources and broad cluster visibility, while local roles are limited to individual projects. This Task is a classic RBAC operation that combines identity creation with controlled privilege assignment.

============