From 760bfa38df7113dcf7f3e12ebc5f9a07d6fc0dc5 Mon Sep 17 00:00:00 2001
From: Andreas Doebeli <andreas.doebeli@vshn.net>
Date: Wed, 19 Nov 2025 17:07:05 +0100
Subject: [PATCH] When impersonating the cluster admin, use system:admin
 instead of cluster-admin

---
 docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc b/docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc
index cd88510..418a57a 100644
--- a/docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc
+++ b/docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc
@@ -57,8 +57,8 @@ spec:
 [source,bash]
 ----
 for n in $(kubectl get nodes -oname); do
-  PROVIDERID=$(oc -n syn-debug-nodes --as=cluster-admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
-  echo kubectl --as=cluster-admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
+  PROVIDERID=$(oc -n syn-debug-nodes --as=system:admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
+  echo kubectl --as=system:admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
 done
 ----
 
@@ -67,8 +67,8 @@ done
 [source,bash]
 ----
 for n in $(kubectl get nodes -oname); do
-  PROVIDERID=$(oc -n syn-debug-nodes --as=cluster-admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
-  kubectl --as=cluster-admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
+  PROVIDERID=$(oc -n syn-debug-nodes --as=system:admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
+  kubectl --as=system:admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
 done
 kubectl get no -ocustom-columns='NAME:.metadata.name,PROVIDER_ID:.spec.providerID'
 ----
@@ -99,7 +99,7 @@ IMPORTANT: This step triggers node reboots to apply the Kubelet flag `--cloud-pr
 +
 [source,bash]
 ----
-kubectl --as cluster-admin patch infrastructure.config  cluster --type=merge -p '{"spec":{"platformSpec":{"external":{"platformName":"cloudscale.ch"},"type":"External"}}}'
+kubectl --as=system:admin patch infrastructure.config  cluster --type=merge -p '{"spec":{"platformSpec":{"external":{"platformName":"cloudscale.ch"},"type":"External"}}}'
 infrastructure.config.openshift.io/cluster patched
 ----
 +
@@ -113,7 +113,7 @@ curl -XPATCH -H"Content-Type: application/merge-patch+json" http://localhost:800
 +
 [source,bash]
 ----
-kubectl --as cluster-admin taint node --all node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule
+kubectl --as=system:admin taint node --all node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule
 ----
 
 . Check if instance-type is applied