Openshift: Hide templates in playground project - openshift

How do I hide the default templates that are there in openshift project by default. I do not want users to use any of those templates and use only the one I create for them.

Just delete all templates in openshift project using oc delete template --all -n openshift.
You can also first backup these templates in case you want them back. oc export template -n openshift > templates.yaml

Related

Cannot see own created temapltes in openshift via OC commands

Developer Catalog have dozens of templates provided by default & After creating own custom templates either via openshift console or via oc create command the teamplate when listed does not shows up which are self created.
$ oc get templates -n openshift
Lists all default teamplates but does not appers the self created one.
After creating from oc command like below:
$ oc create -f testtemplate.json
This also does not list the created template.
Please suggest any clue if there is any restrictions on it & path forward.
You Should add the default namespace on the question.
Otherwise, might using the -n option with the name of the project -n <namespace> to list/create templates.
-- Create template
$ oc create -f testtemplate -n target-namespace
-- Listing all templates in target-namespace project
$ oc get templates -n target-namespace
How about add annotations for metadata to your custom template like existing Templates ? Refer Writing the template description for more details.

Openshift 4 RBAC

What I have:
default install of Openshift 4.6
3 master/worker nodes in the cluster
already configured OAuth
self-provisioner role from the system-auth group already been removed
Detail Question/Objective:
Assigning a self-provisioner role to a user allows the user to create a project and any resources inside the project, what I want to achieve is, a user who can create a project, but does not have any further rights/permission inside the project. Is this even possible?
Documentation of Openshift 4.6 tells, that any user creates a project, the user(requester) will become the admin of that project, this is because Openshift API will use a default template whenever it creates a project.
I'm confused about where do I do the changes to reflect my objective, is it the template or use any different RBAC role.
Thank You in Advance.
What you need is to customize the Project Template. Look here https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation
First you need to backup a project project-template from openshift-config, to be honest I don't know how to do it. If anyone find a way please drop the comment under the answer. - Look at first answer bellow from #Stevencommy
To create a new Project Template
oc adm create-bootstrap-project-template -o yaml > template.yaml
In template.yml configure
kind: Project
...
name: ${PROJECT_NAME}
the default user for newly created project is configured in
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Then create the template
oc create -f template.yaml -n openshift-config
Update
oc edit project.config.openshift.io/cluster
there
spec:
projectRequestTemplate:
name: <template_name>
<template_name> default is project-request you could also list with oc get templates -n openshift-config | grep project-request
If everything goes well you could test it with oc new-project <your-project>. The user for project should be <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>

How to clone a deployment or application from existing project to a newly created project in openshift

Is there a possible way to clone a deployment from an existing project(namespace) into a newly created project(namespace) through console or CLI in OPENSHIFT?
If you only want to clone a Deployment resource, you should be able to do something like:
oc -n source_namespace get deployment mydeployment -o yaml |
oc -n target_namespace apply -f-
But if you have multiple resources you need to manage, you're probably better off spending time creating manifests locally and then using something like kustomize to deploy it to your target namespaces.

Apply changes dynamically when OpenShift template is modified (and applied)

I defined a template (let's call it template.yaml) with a service, deploymentconfig, buildconfig and imagestream, applied it with oc apply -f template.yaml and ran oc new-app app-name to create new app from the template. What the app basically does is to build a Node.js application with S2I, write it to a new ImageStream and deploy it to a pod with the necessary service exposed.
Now I've decided to make some changes to the template and have applied it on OpenShift. How do I go about ensuring that all resources in the said template also get reconfigured without having to delete all resources associated with that template and recreating it again?
I think the template is only used to create the related resource first time. Even though you modify the template, it's not associated with created resources. So you should recreate or modify each resource that is modified.
But you can modify simply all resources created by template using the following cmd.
# oc apply -f template_modified.yaml | oc replace -f -
I hope it help you
The correct command turned out to be:
$ oc apply -f template_modified.yaml
$ oc process -f template_modified.yaml | oc replace -f -
That worked for me on OpenShift 3.9.

Using service accounts to automate deployments is failing

We are trying to automate the build and deployment of containers to projects created in openshift v3.3. From the documentation I can see that we will need to leverage service accounts to do this but the documentation is hard to follow and the examples I have found in the blogs don't complete the task. My workflow is as follows with examples oc commands I use:
BUILDER_TOKEN='xxx'
DEPLOYER_TOKEN='xxx'
# build and push the image works as expected
docker build -t registry.xyz.com/want/want:latest .
docker login --username=<someuser> --password=${BUILDER_TOKEN} registry.xyz.com
docker push registry.xyz.com/<repo>/<image>:<tag>
# This fails with error
oc login https://api.xyz.com --token=${DEPLOYER_TOKEN}
oc project <someproject>
oc new-app registry.xyz.com/<repo>/<image>:<tag>
Notice I login into the rest api interface, select the project and create the app but this fails with the following errors:
error: User "system:serviceaccount:want:deployer" cannot create deploymentconfigs in project "default"
error: User "system:serviceaccount:want:deployer" cannot create services in project "default"
Any ideas?
Service accounts only have permission in their owning project by default. You would need to grant deployer access to deploy in other projects.
OK so it seems that using a service account to accomplish this is not the best way to go about things. This is not helped by the documentation. The use case above is very common and the correct approach is to simply evoke the new-app with the image name and corresponding tag:
oc new-app ${APP}:${TAG}
There is no need to mess around with service accounts.