How does OpenShift determine the SCC for a pod? - openshift

I am struggling with the SCCs within OpenShift. All my pods are created with scc: restricted. But now I want some pods in privileged mode.
I tried this command:
$ oc edit scc privileged
and added the service account and namespace.
I also tried to make a new SCC with users:
$ oc create -f scc.yaml
But all new pods are still created with scc: restricted :-(

You want to be using oc adm policy add-role-to-user -z default somerole. The question is why you would want to do that. Running containers with root or other elevated privileges is usually a bad idea, and unless you have cluster admin access to the OpenShift cluster, you cannot enable such privileges. The need to run with extra privileges is generally indicative of a poorly constructed image. Images should be designed to run as an arbitrary non-root user.
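As an added example (not part of the question or the answer above): admission evaluates the SCCs the pod's service account is allowed to use, ordered by priority and then by restrictiveness, picks the first one that validates the pod, and records the choice in the pod annotation openshift.io/scc, so that annotation is the place to look when a pod keeps landing on restricted. The shell functions below read it, test whether a service account may use an SCC, and grant one with oc adm policy add-scc-to-user (which needs cluster-admin). They assume oc is on PATH and logged in; the namespace "demo", the service account "privileged-sa" and the pod names are placeholders.

```shell
#!/bin/sh
# Added example: inspect which SCC admitted a pod and grant an SCC to a
# service account. Assumes `oc` is on PATH and logged in; the namespace
# "demo", service account "privileged-sa" and pod names are placeholders.

# Print the SCC that admission assigned to a pod. OpenShift records the
# chosen SCC in the pod annotation openshift.io/scc (empty if not admitted).
scc_of_pod() {
    ns=$1; pod=$2
    oc get pod "$pod" -n "$ns" -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
}

# Exit 0 if a service account is allowed to use the named SCC. On 4.x SCC
# access is the "use" verb on the SCC resource, which `oc auth can-i` can
# evaluate on behalf of the service account through impersonation.
sa_can_use_scc() {
    scc=$1; ns=$2; sa=$3
    oc auth can-i use "securitycontextconstraints.security.openshift.io/$scc" \
        --as="system:serviceaccount:$ns:$sa" -q
}

# Grant an SCC to a service account (needs cluster-admin). Existing pods are
# not re-admitted: they must be recreated before the new SCC applies.
grant_scc_to_sa() {
    scc=$1; ns=$2; sa=$3
    oc adm policy add-scc-to-user "$scc" -n "$ns" -z "$sa"
}

# Verify that a pod ended up under the SCC you expect; prints a diagnostic
# and returns 1 otherwise, so it can gate a deployment pipeline.
assert_pod_scc() {
    expected=$1; ns=$2; pod=$3
    actual=$(scc_of_pod "$ns" "$pod")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "pod $ns/$pod was admitted by SCC '${actual:-<none>}', expected '$expected'" >&2
    return 1
}

# Usage against a live cluster:
# grant_scc_to_sa privileged demo privileged-sa
# sa_can_use_scc privileged demo privileged-sa && echo "grant effective"
# assert_pod_scc privileged demo db-1
```

Granting an SCC to the default service account of a namespace gives it to every pod there that does not name its own service account; create a dedicated service account for the workload that needs the elevated SCC and keep the rest on restricted.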

Related

How to register an account with "image-registry.openshift-image-registry"

Environment
Openshift 4.3
Question
When we push or pull images in the OpenShift image registry, (according to the document) it is recommended to use the kubeadmin account.
But I don't want to use the kubeadmin account.
So my question is: how can I register another account with podman?
$ oc debug node/workernode
sh-4.2# chroot /host
I want to use another account instead of kubeadmin:
sh-4.4# podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
Thanks
You can use any account which is granted the "registry-viewer" or "registry-editor" role. It's mentioned in the docs you provided as well.
You are required to use a credential other than the "kubeadmin" default admin account by configuring an additional identity provider. Refer to Understanding identity provider configuration for more details.
For example, if you want to log in to the internal image registry as "testuser":
Grant the required permissions to "testuser".
For pulling images, for example when using the podman pull command, the user must have the registry-viewer role. To add this role:
$ oc policy add-role-to-user registry-viewer testuser
For writing or pushing images, for example when using the podman push command, the user must have the registry-editor role. To add this role:
$ oc policy add-role-to-user registry-editor testuser
Get the token of "testuser" to use as the credential for the image registry.
$ oc login -u testuser -p your_password
$ oc whoami -t
XXXXXX
Verify whether "testuser" can log in.
$ oc debug node/workernode
sh-4.2# chroot /host
sh-4.4# podman login -u testuser -p XXXXXX image-registry.openshift-image-registry.svc:5000

OpenShift 3.x. Access internal registry with a token that does not expire

When I need to access the OpenShift internal registry I do:
docker login -u admin -p $(oc whoami -t) docker-registry-default.mycluster.com
But this token expires, so I cannot use admin/"token" to create a secret.
If I want to configure imagePullSecrets inside a Pod to get an image from another namespace, I do not know how to create that secret with a token that does not expire.
Any hint?
Thank you.
As pointed out by Graham, the solution is described in: https://cookbook.openshift.org/accessing-an-openshift-cluster/how-can-i-create-a-service-account-for-scripted-access.html
oc project default
oc create sa robot
Give the service account privileges to access the repository:
Correct way to do it:
oc policy add-role-to-user system:image-puller system:serviceaccount:project-a:default --namespace=project-b
After adding that role, the pods in project-a that reference the default service account are able to pull images from project-b.
Quick and dirty:
oc policy add-role-to-user cluster-admin system:serviceaccount:default:robot
oc describe sa robot
...
Image pull secrets: robot-dockercfg-s9v9x
...
oc describe secret robot-dockercfg-s9v9x
apiVersion: v1
data:
.dockercfg: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
...
Decode the .dockercfg value from base64
...
"docker-registry.default.svc:5000":{
"username":"serviceaccount",
"password":"PasswordValue",
"email":"serviceaccount@example.org",
"auth":"yyyyy"
}
...
docker login -u serviceaccount -p PasswordValue docker-registry-default.myclusterdomain.com
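An added example, not from the answer above: the same procedure as a script, but with the least-privilege grant (system:image-puller on the namespace that owns the images) instead of a cluster-admin binding, and with the credential extracted from the service account's dockercfg secret instead of copied by hand. The auth field of a .dockercfg entry is the base64 of user:password, so it can be decoded offline; for a service account the password is its token, which unlike a user login token has no built-in expiry and stays valid until the secret is deleted. Assumes oc is logged in as someone who can grant roles; the namespaces project-a and project-b, the account "robot" and the registry hostname are placeholders.

```shell
#!/bin/sh
# Added example: create a service account for registry access, grant it
# only the image-puller role on the namespace whose images it needs, and
# extract the registry credential from its dockercfg secret. Assumes `oc`
# is logged in with enough rights to grant roles; namespaces "project-a"
# and "project-b", the service account "robot" and the registry host are
# placeholders.

# Decode a base64 .dockercfg value (as stored in the secret's data) and
# print "username:password" from its "auth" field, which is itself the
# base64 of that pair. Handles the single-registry dockercfg a service
# account gets; with several registries the first entry is used.
dockercfg_credentials() {
    printf '%s' "$1" | base64 -d \
        | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | head -n 1 | base64 -d
}

# The service account's dockercfg secret name, as shown under
# "Image pull secrets" in `oc describe sa`.
sa_dockercfg_secret() {
    ns=$1; sa=$2
    oc get sa "$sa" -n "$ns" -o jsonpath='{.imagePullSecrets[0].name}'
}

# Chain both: read the secret's .dockercfg key and decode the credential.
# The password is the service account token, which has no expiry of its own.
sa_registry_credentials() {
    ns=$1; sa=$2
    secret=$(sa_dockercfg_secret "$ns" "$sa")
    dockercfg_credentials "$(oc get secret "$secret" -n "$ns" -o jsonpath='{.data.\.dockercfg}')"
}

# Least-privilege grant: let robot (in project-a) pull from project-b only.
# This replaces the cluster-admin binding of the "quick and dirty" route.
grant_image_puller() {
    sa_ns=$1; sa=$2; image_ns=$3
    oc policy add-role-to-user system:image-puller \
        "system:serviceaccount:$sa_ns:$sa" -n "$image_ns"
}

# Usage against a live cluster:
# oc create sa robot -n project-a
# grant_image_puller project-a robot project-b
# creds=$(sa_registry_credentials project-a robot)
# docker login -u "${creds%%:*}" -p "${creds#*:}" docker-registry-default.mycluster.com
```

Binding cluster-admin to a service account whose token then sits in a pull secret hands full cluster control to anyone who can read that secret; the image-puller role on the one namespace is all the registry needs.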

minishift - Monitoring pods

As per the documentation, monitoring ships with OKD.
OKD ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project and its wider eco-system. It provides monitoring of cluster components and ships with a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards.
Further, as per the documentation, this command should show links for the various monitoring tools: oc -n openshift-monitoring get routes
When I run the oc command as the system user, I get the message: No resources found.
The installation does not go through.
git clone https://github.com/openshift/cluster-monitoring-operator
cd cluster-monitoring-operator
oc apply -f manifests/
Error messages:
namespace "openshift-monitoring" created
serviceaccount "cluster-monitoring-operator" created
unable to decode "manifests/0000_50_cluster_monitoring_operator_02-role.yaml": no kind "ClusterRole" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_03-role-binding.yaml": no kind "ClusterRoleBinding" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_04-deployment.yaml": no kind "Deployment" is registered for version "apps/v1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_05-clusteroperator.yaml": no kind "ClusterOperator" is registered for version "config.openshift.io/v1"
unable to decode "manifests/0000_90_cluster_monitoring_operator_00-operatorgroup.yaml": no kind "OperatorGroup" is registered for version "operators.coreos.com/v1"
So, how do we enable monitoring with minishift?
You can follow this to install Prometheus in Minishift:
https://github.com/minishift/minishift-addons/tree/master/add-ons/prometheus
Be sure that you log in as admin. If you encounter problems logging in as admin, you can follow these steps:
minishift ssh
[docker@example ~]$ sudo su
[root@example ~]# export KUBECONFIG=/var/lib/minishift/base/openshift-apiserver/admin.kubeconfig PATH="$PATH:/var/lib/minishift/bin"
[root@example ~]# oc adm policy add-cluster-role-to-user cluster-admin admin
[root@example ~]# exit
[docker@example ~]$ exit
oc login -u admin -p admin
oc whoami
You will see that you are logged in as admin.
When I entered the command to apply Prometheus, I encountered this problem:
minishift addons apply prometheus --addon-env namespace=kube-system
-- Applying addon 'prometheus':.Error applying the add-on: Error executing command 'oc new-app -f prometheus.yaml -p NAMESPACE=#{namespace} -n #{namespace}'.
Solution:
Log in to Minishift as admin using "oc login -u admin -p admin".
Go to the namespace "kube-system" with "oc project kube-system".
Click on "Add to project" -> "Import YAML/JSON".
Clone the Prometheus addon to your local machine from https://github.com/minishift/minishift-addons.git
Import ../minishift-addons/add-ons/prometheus/prometheus.yml into the "kube-system" namespace.
Afterwards, Prometheus will be deployed.
You can access the Prometheus graph UI at: https://prometheus-kube-system.$minishift-host-ip-address.nip.io.

Failed to deploy Artifactory OSS image in OpenShift Online 3 Starter with error "Creating user artifactory failed"

I'm trying to set up Artifactory on OpenShift Online 3 Starter using the docker image docker.bintray.io/jfrog/artifactory-oss:latest from here
But when deploying I got an error
I tried to create an artifactory user with the command oc create serviceaccount artifactory and then oc adm policy add-scc-to-user anyuid -z artifactory but got another error:
Error from server (Forbidden): User "xxxx" cannot get securitycontextconstraints at the cluster scope
You need to be cluster admin in order to be able to run:
oc adm policy add-scc-to-user anyuid -z artifactory
This is because it grants the right to run things as any user ID, including root. This is something that you as a normal user aren't allowed to do.
Further, in OpenShift Online you can only run things in the user ID range you are assigned. You cannot override that, nor will you be granted additional privileges.
You would need to find a version of the image which doesn't require being run as root and which can run as an arbitrary user ID.
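An added example (not the answer's own code) of how to find out before deploying whether an image tolerates the arbitrary-UID rule: every project carries an openshift.io/sa.scc.uid-range annotation, and the restricted SCC runs containers as a UID from that range with GID 0 as the primary group. The script reads the range and runs the image locally with podman under the same identity, so an entrypoint that needs root (such as one that creates a system user) fails on the workstation instead of in the cluster. Assumes oc and podman on PATH; the project name "artifactory" and the image references are placeholders.

```shell
#!/bin/sh
# Added example: check an image against the UID OpenShift will actually run
# it with before deploying. Each project carries an annotation with its
# allotted UID range; the restricted SCC picks a UID from that range and
# runs the container with GID 0 as its primary group. Assumes `oc` and
# `podman` on PATH; the project name "artifactory" and image are placeholders.

# First and last UID of a range string in the form "<start>/<size>", the
# format of the openshift.io/sa.scc.uid-range annotation.
range_first_uid() { printf '%s' "${1%%/*}"; }
range_last_uid()  { printf '%s' "$(( ${1%%/*} + ${1#*/} - 1 ))"; }

# Read the UID range annotation for a project.
project_uid_range() {
    oc get namespace "$1" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
}

# The "--user" value a restricted pod in this project would get: an
# arbitrary UID from the range (the first one is as good as any for a test)
# with the root group (0) as the primary GID.
project_test_user() {
    printf '%s:0' "$(range_first_uid "$(project_uid_range "$1")")"
}

# Run the image locally the way OpenShift would: non-root, unknown UID,
# GID 0. An image that must write outside group-0-writable paths, or whose
# entrypoint needs root to add users, surfaces the failure here.
preflight_run() {
    project=$1; image=$2; shift 2
    podman run --rm --user "$(project_test_user "$project")" "$image" "$@"
}

# Usage:
# preflight_run artifactory docker.bintray.io/jfrog/artifactory-oss:latest
```

If the preflight run fails, the fix is in the image (make the paths it writes to group-0 writable and drop the user-creation step), not in the SCC; asking for anyuid only moves the root requirement into the cluster.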

registry URL and process for installing an external docker image on openshift online (v3)

I am using the Openshift Online platform. I am trying to build a custom docker image locally (on my mac) and push it to the registry of my project on Openshift online.
I am unable to do that. Can someone please advise what the registry URL should be?
I have tried using the following:
registry.starter-us-east-1.openshift.com
registry.access.redhat.com
The full command I am trying to use to log in is below; however, I am not getting a response. The screen just waits.
docker login -u username -e any_email_address -p token_value registry_service_host:port
My intent, after completing above, is to then try and push the image that I have built locally.
Any advice on the above or else alternate approaches would be appreciated. Thank you.
To discover the OpenShift Online registry URL, use the following steps:
After you click the "Copy Login Command" button, copy the oc login command;
Run the oc login command in the terminal;
After logging in, run oc registry info in the terminal.
The registry is at --> registry.<cluster-id>.openshift.com.
For starter tier US East region, the cluster id is --> starter-us-east-1.
So, the registry can be found at --> registry.starter-us-east-1.openshift.com.
Once you know the docker registry endpoint, you can follow the instructions at:
https://docs.openshift.com/online/dev_guide/managing_images.html#accessing-the-internal-registry
to login and pull/push images from/to the registry.
In short, use:
docker login -u `oc whoami` -e `oc whoami` -p `oc whoami -t` \
https://registry.starter-us-east-1.openshift.com
For future reference, the details for accessing the registry will appear in the About page from the help drop-down menu, albeit right now for Online that change hasn't managed to propagate into production, although it is already visible in newer versions of OpenShift.
The OpenShift internal registry is used internally by default to import images from external repositories. If you need to use it as a repository to pull and push images from your machine, you have to run the following command to enable the default route.
oc patch config.imageregistry cluster -n openshift-image-registry --type merge -p '{"spec": {"defaultRoute": true}}'
Then run
oc get route -n openshift-image-registry
to find the registry URL.
When pushing an image, use the following way to push it to the required project.
[URL]/[project]/[image]:[tag]
To log in using docker or podman:
TOKEN=$(oc whoami -t)
podman login -u anything -p ${TOKEN} [URL]
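An added example (not from any of the answers) that serves both this thread and the OpenShift 4.3 answer above about registry-viewer/registry-editor: it resolves the registry endpoint (the default route when it has been enabled, otherwise the in-cluster service address), grants a non-admin user the smaller of the two registry roles that suffices, logs in with that user's token and pushes an image under the <registry>/<project>/<image>:<tag> layout. Assumes oc (logged in) and podman on PATH; the user "testuser", the project "myproject" and the image names are placeholders.

```shell
#!/bin/sh
# Added example: resolve the registry endpoint, grant a non-admin user the
# registry role it needs, log in with that user's token and push an image.
# Assumes `oc` (logged in) and `podman`; "testuser", "myproject" and the
# image names are placeholders.

IN_CLUSTER_REGISTRY="image-registry.openshift-image-registry.svc:5000"

# External registry host once the default route is enabled (the route is
# named "default-route" in openshift-image-registry); falls back to the
# in-cluster service address, which only resolves from inside the cluster
# (for example from an `oc debug node/...` shell).
registry_host() {
    host=$(oc get route default-route -n openshift-image-registry \
        -o jsonpath='{.spec.host}' 2>/dev/null || true)
    if [ -n "$host" ]; then
        printf '%s' "$host"
    else
        printf '%s' "$IN_CLUSTER_REGISTRY"
    fi
}

# registry-viewer allows pull; registry-editor allows push. Grant the
# smaller one unless the account really needs to push.
grant_registry_role() {
    user=$1; mode=$2   # mode: pull | push
    case "$mode" in
        pull) role=registry-viewer ;;
        push) role=registry-editor ;;
        *) echo "mode must be pull or push" >&2; return 1 ;;
    esac
    oc policy add-role-to-user "$role" "$user"
}

# Full image reference in the registry's project-scoped layout.
image_ref() {
    host=$1; project=$2; image=$3; tag=$4
    printf '%s/%s/%s:%s' "$host" "$project" "$image" "$tag"
}

# Log in as the current oc user with its token; the token is what
# authenticates you, so kubeadmin is not needed.
registry_login() {
    podman login -u "$(oc whoami)" -p "$(oc whoami -t)" "$(registry_host)"
}

# Tag a local image into the project and push it.
push_image() {
    local_image=$1; project=$2; image=$3; tag=$4
    ref=$(image_ref "$(registry_host)" "$project" "$image" "$tag")
    podman tag "$local_image" "$ref" && podman push "$ref"
}

# Usage against a live cluster:
# oc patch config.imageregistry cluster -n openshift-image-registry \
#     --type merge -p '{"spec": {"defaultRoute": true}}'
# grant_registry_role testuser push
# registry_login
# push_image localhost/app:dev myproject app v1
```

The route only exists after the defaultRoute patch; until then registry_host returns the in-cluster address, which is reachable only from inside the cluster, such as the oc debug node shell used in the 4.3 answer. The pushing user also needs registry-editor in the project the image goes to, and the project must exist before the push.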