Is there an equivalent for the following command in yaml? Using OpenShift 4.2 currently
oc adm policy add-scc-to-user <scc_name> <user_name>
There's example of SCC.
You have to add element to 'users' list, so you can export the SCC and re-apply modifyed object.
Related
What I have:
default install of Openshift 4.6
3 master/worker nodes in the cluster
already configured OAuth
self-provisioner role from the system-auth group already been removed
Detail Question/Objective:
Assigning a self-provisioner role to a user allows the user to create a project and any resources inside the project, what I want to achieve is, a user who can create a project, but does not have any further rights/permission inside the project. Is this even possible?
Documentation of Openshift 4.6 tells, that any user creates a project, the user(requester) will become the admin of that project, this is because Openshift API will use a default template whenever it creates a project.
I'm confused about where do I do the changes to reflect my objective, is it the template or use any different RBAC role.
Thank You in Advance.
What you need is to customize the Project Template. Look here https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation
First you need to backup a project project-template from openshift-config, to be honest I don't know how to do it. If anyone find a way please drop the comment under the answer. - Look at first answer bellow from #Stevencommy
To create a new Project Template
oc adm create-bootstrap-project-template -o yaml > template.yaml
In template.yml configure
kind: Project
...
name: ${PROJECT_NAME}
the default user for newly created project is configured in
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Then create the template
oc create -f template.yaml -n openshift-config
Update
oc edit project.config.openshift.io/cluster
there
spec:
projectRequestTemplate:
name: <template_name>
<template_name> default is project-request you could also list with oc get templates -n openshift-config | grep project-request
If everything goes well you could test it with oc new-project <your-project>. The user for project should be <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Does anyone know how to get an AspNetCore 3.0 image for free my minishift project.
Thank you in advance.
I am not sure if I understood your question correctly, but Microsofts ASP.NET Core Runtime container image is available here: https://hub.docker.com/_/microsoft-dotnet-core-aspnet/
docker pull mcr.microsoft.com/dotnet/core/aspnet:3.1
Getting the image to run on OpenShift is a bit tricky, as the container image uses Port 80. So to deploy the sample application, we need to add the extra steps to create a ServiceAccount and assign the SCC:
# Deploy the DeploymentConfig
oc new-app --name aspnetcore-sample mcr.microsoft.com/dotnet/core/samples:aspnetapp
# Create a ServiceAccount, give it the "anyuid" SCC and assign it to the DeploymentConfig
oc create serviceaccount aspnetcore-sample-sa
oc adm policy add-scc-to-user anyuid -z aspnetcore-sample-sa
oc set serviceaccount dc aspnetcore-sample aspnetcore-sample-sa
# Expose the application to the outside world via a route
oc expose dc aspnetcore-sample --port=80
oc expose service aspnetcore-sample
# See the route with the following command
oc get route
I have a project/namespace in Openshift 3.9. It has one Mysql db pod, the credentials details are stored as secrets.
While deploying my Springboot application, in Openshift UI, I change the Deployment Configuration to map the dynamic variables from my APP to Mysql secrets.
Now I want to automate this step, and how do I mention/pass these secrets while using the oc new-app cmd. I am using below command, but not sure on how to pass/map variables to secrets.
oc new-app redhat-openjdk18-openshift~https://github.com/xyzasdkjasnda/openshift-mysql
Somewhere I saw a workaround like below,
oc new-app
redhat-openjdk18-openshift~https://github.com/xyzasdkjasnda/openshift-mysql
| jq '.items[] | select(.kind == "DeploymentConfig") |
.spec.template.spec.containers[0].env +=
[{"name":"db_name","valueFrom":{"secretKeyRef":{"key":"database-name","name":"mysql"}}},{"name":"db_username","valueFrom":{"secretKeyRef":{"key":"database-user","name":"mysql"}}},{"name":"db_password","valueFrom":{"secretKeyRef":{"key":"database-password","name":"mysql"}}}]'
| \
oc apply --filename -
While oc new-app seems convenient, it usually is preferred to explicitly create a DeploymentConfig (or Deployment) file and check it into a code repo; use oc create -f <deployment-filename> to create the actual object in OpenShift.
See Example #3 here for how to populate environment variables with values from Secrets - that is what the "workaround" does.
Alternatively, you can still use oc new-app to create a new application, including building it from source code, which will create the DeploymentConfig you can then edit to add the environment variables from Secrets configuration.
I have a predefined rolebinding in place for an Openshift project, that I want to edit/update using a .yml file.
I have already tried the below:
oc create –f –> failed, obvious because it exists, the error is:
Error from server: rolebinding "edit" already exists
oc patch –f–> failed, looks like patch only accepts –p argument, the error is:
Error: Must specify -p to patch
See 'oc patch -h' for help and examples.
oc replace –f–> failed, the error is:
Error: error when replacing "sample.yml": resource name may not be empty
If I were to run the create command against the file on a new project, it works.
Please do respond if any one has thoughts on this.
Thanks much,
Aneesh
Perhaps oc patch -p $(cat file.patch) ... would work for you?
If I understand what you are trying to do, I would use separate oc adm policy commands to do it.
oc adm policy add-role-to-group edit group-name-a
oc adm policy add-role-to-group edit group-name-b
oc adm policy add-role-to-group edit group-name-x
oc adm policy add-role-to-group edit group-name-y
oc adm policy add-role-to-group edit group-name-z
Using oc patch is only going to work if there existed a resource object for the roleRef name already, it isn't going to create the whole role binding object if it doesn't exist.
Modifying roles is one of the times where you can't make additive changes by simply loading a new resource object definition.
You can see this by enabling logging for the oc command and looking at what it does. In the case of adding additional role bindings, it will first query the existing role binding and add the change to it and then load the new modified entry with all role bindings in it.
Run:
oc --loglevel=9 adm policy add-role-to-group edit group-name-x
when only group-name-a and group-name-b have already been set up to see what I mean.
I'm creating a new-app based on an image stream that corresponds to a docker image in a private OpenShift docker registry. The command is:
oc new-app mynamespace/my-image:latest -n=my-project
Question 1: Does this command automatically create a deployment configuration (dc) that can be referrenced as dc/my-image? Is this deployment configuration associated with my-project?
Question 2: What is the oc command to create a deployment configuration? The OpenShift developer guide has a section titled Creating a Deployment Configuration, but surprisingly it does not say how to create a DC or give any examples. It just shows a JSON structure and says DCs can be managed with the oc command.
Yes, your command will create stuff in the specified project. You can check what objects are created using the oc get command. i.e. to check what DCs you have, you'd do oc get dc or oc get deploymentconfigs.
Other useful commands are oc describe - similar to get but more information. oc status -v - see more broad information about project including warnings and errors.
You create DC and any other resource types using the oc create command. e.g. you copy the example DC off the URL you link to and put it into a file. Finally you do oc create -f mydc.yaml. Both YAML and JSON are supported.
As you see some commands can create DCs by themselves without you providing them with YAML or JSON. You can later modify existing resources with oc edit service/my-app. There is the oc patch command suitable for scripting.
You can see existing resource YAML doing oc get dc/myds -o yaml. Same with any other resource. Keep in mind you are presently using the desired project or use the -n option as you are doing in your example.
Not that hard once you understand some basics and learn to use the oc describe and oc logs command to debug issues with your images/pods. e.g. oc describe pod/my-app-1-asdfg, oc logs my-app-1-asdfg, oc logs -f dc/my-app.
HTH