Openshift: how to edit scc non-interactively?

I am experimenting with openshift/minishift, I find myself having to run:
oc edit scc privileged
and add:
- system:serviceaccount:default:router
So I can expose the pods. Is there a way to do it in a script?
I know oc adm have some command for policy manipulation but I can't figure out how to add this line.

You can achieve it using the oc patch command with type json. The snippet below will add a new item to the array before the 0th element. You can try it out with a fake "bla" value etc.
oc patch scc privileged --type=json -p '[{"op": "add", "path": "/users/0", "value":"system:serviceaccount:default:router"}]'
The --type=json will interpret the provided patch as a jsonpatch operation. Unfortunately, oc patch --help doesn't provide any example for the json patch type. Luckily, example usage can be found in the kubernetes docs: kubectl patch
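The JSON-patch approach from the answer above, made idempotent so a script can run it repeatedly. This is an added example, not code from the original answers: the function names are hypothetical, and it assumes a logged-in oc with rights to edit SCCs.

```shell
#!/bin/sh
# Added example: only `oc get` and `oc patch` are real commands here;
# valid_sa_subject, scc_add_patch and ensure_scc_member are hypothetical helpers.

# Accept only system:serviceaccount:<namespace>:<name> built from DNS-style
# characters, so no quote or bracket can be spliced into the JSON patch.
valid_sa_subject() {
  case "$1" in
    system:serviceaccount:*:*) ;;
    *) return 1 ;;
  esac
  rest=${1#system:serviceaccount:}
  case "$rest" in
    *[!a-z0-9.:-]*) return 1 ;;   # character outside the allowed set
    :*|*:|*:*:*) return 1 ;;      # empty namespace, empty name, or extra colon
  esac
  return 0
}

# Build the patch from the current members (space-separated, as printed by
# `oc get scc NAME -o jsonpath='{.users[*]}'`). Prints nothing if already present.
scc_add_patch() {
  current=$1
  subject=$2
  valid_sa_subject "$subject" || return 2
  case " $current " in
    *" $subject "*) return 0 ;;   # exact member match: nothing to do
  esac
  if [ -z "$current" ]; then
    # users is empty or absent; appending needs an existing array, so set it whole
    printf '[{"op":"add","path":"/users","value":["%s"]}]\n' "$subject"
  else
    # "-" appends after the last element of the existing array
    printf '[{"op":"add","path":"/users/-","value":"%s"}]\n' "$subject"
  fi
}

# Read the SCC, then patch only when the subject is missing.
# Usage: ensure_scc_member privileged system:serviceaccount:default:router
ensure_scc_member() {
  scc=$1
  subject=$2
  current=$(oc get scc "$scc" -o jsonpath='{.users[*]}') || return 1
  patch=$(scc_add_patch "$current" "$subject") || return $?
  [ -n "$patch" ] || { echo "$subject already in scc/$scc"; return 0; }
  oc patch scc "$scc" --type=json -p "$patch"
}
```

Because the membership check is separate from the oc calls, the decision logic can be exercised without a cluster.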

I have found an example piping to sed here and adapted it to ruby so I can easily edit the data structure.
oc get scc privileged -o json |\
ruby -rjson -e 'i = JSON.load(STDIN.read); i["users"].push "system:serviceaccount:default:router"; puts i.to_json ' |\
oc replace scc -f -
Here is a quick and dirty script to get started with minishift

The easiest way to add and remove users to SCCs from the command line is using the oc adm policy commands:
oc adm policy add-scc-to-user <scc_name> <user_name>
For more info, see this section.
So for your specific use-case, it would be:
oc adm policy add-scc-to-user privileged system:serviceaccount:default:router
I'm surprised it's needed though. I use "oc cluster up" normally, but testing with recent minishift, it's already added out of the box:
$ minishift start
$ eval $(minishift oc-env)
$ oc login -u system:admin
$ oc get scc privileged -o yaml | grep system:serviceaccount:default:router
- system:serviceaccount:default:router
$ minishift version
minishift v1.14.0+1ec5877
$ oc version
openshift v3.7.1+a8deba5-34

Related

monitor log of a pod with dynamic name

I need to automate monitoring log of pods of an app
Monitoring a pod's log can be done using oc CLI
oc log -f my-app-5-43j
However, the pod's name changes dynamically over the deployments. If I want to automate the monitoring, like running a cron job, continually tailing the log even after another deployment, what should I do?
Will Gordon already commented with the solution, so I'll provide more practical usage for your understanding.
If you deploy your pod using a deploymentConfig, daemonSet and so on, you can see the logs of the pod without specifying a pod name as follows.
# oc logs -f dc/<your deploymentConfig name>
# oc logs -f ds/<your daemonset name>
Or you can get the first pod name dynamically using the jsonpath output option to see the log.
# oc logs -f $(oc get pod -o jsonpath='{.items[0].metadata.name}')
If you can specify the pod with a specific label, you can also use the -l option.
# oc logs -f $(oc get pod -l app=database -o jsonpath='{.items[0].metadata.name}')

how to patch an uploaded template on openshift

I have a template that I have uploaded to openshift.
$ oc get templates | grep jenkins
jenkins-mycompany Jenkins persistent image 9 (all set) 9
When I get the template, you can see the parameters that are set:
$ oc get template jenkins-mycompany -o json
...
{
  "description": "Name of the ImageStreamTag to be used for the Jenkins image.",
  "displayName": "Jenkins ImageStreamTag",
  "name": "JENKINS_IMAGE_STREAM_TAG",
  "value": "jenkins-mycompany:2.0.0-18"
}
I am creating a CI process to build a new Jenkins image and update the template that is uploaded into OpenShift.
I want all params set...
I have tried
oc process -f deploy.yml --param-file=my-param-file | oc create -f-
cat mydeploy.json | oc create -f-
The only way I can get this to work is to do an oc delete templates jenkins-mycompany and then oc create -f deploy.yml.
I want to just patch the value of that one parameter so when I build 2.0.0-19, I just patch the template.
Openshift CLI Reference
You want to use the patch command like so:
oc patch <object_type> <object_name> -p <changes>
For example,
oc patch template jenkins-mycompany -p '{"spec":{"unschedulable":true}}'

List all PVCs of an Openshift cluster

How to list, from the command line, all PVCs of an Openshift cluster?
From my understanding, the scope of PVCs is the namespace/project, in which it was created.
Listing the PVCs implies being connected (using) or at least mentioning the namespace.
The best I came up with is:
$ for i in $(oc get project -o name|cut -d"/" -f 2);do echo "Project: $i";oc get pvc -n $i;done
Is there a better/cleaner/quicker way?
As an admin, try running:
oc get pvc --all-namespaces

How to delete or overwrite a secret in OpenShift?

I'm trying to create a secret on OpenShift v3.3.0 using:
oc create secret generic my-secret --from-file=application-cloud.properties=src/main/resources/application-cloud.properties -n my-project
Because I created the same secret earlier, I get this error message:
Error from server: secrets "my-secret" already exists
I looked at oc, oc create and oc create secret options and could not find an option to overwrite the secret when creating it.
I then tried to delete the existing secret with oc delete. All the commands listed below return either No resources found or a syntax error.
oc delete secrets -l my-secret -n my-project
oc delete secret -l my-secret -n my-project
oc delete secrets -l my-secret
oc delete secret -l my-secret
oc delete pods,secrets -l my-project
oc delete pods,secrets -l my-secret
oc delete secret generic -l my-secret
Do you know how to delete a secret or overwrite a secret upon creation using the OpenShift console or the command line?
"my-secret" is the name of the secret, so you should delete it like this:
oc delete secret my-secret
Add the -n option if you are not using the project where the secret was created:
oc delete secret my-secret -n <namespace>
I hope by this time you might have the answer ready, just sharing in case this can help others.
As of today, here are the details of the CLI version and Openshift version which I am working on:
$ oc version
oc v3.6.173.0.5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth
Server <SERVER-URL>
openshift v3.11.0+ec8630f-265
kubernetes v1.11.0+d4cacc0
Let's take a simple secret with a key-value pair generated using a file; you will get to know the advantage if it is generated via a file.
$ echo -n "password" | base64
cGFzc3dvcmQ=
Will create a secret with this value:
$ cat clientSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  clienttoken: cGFzc3dvcmQ=
$ oc apply -f clientSecret.yaml
secret "test-secret" created
Let's change the password and update it in the YAML file.
$ echo -n "change-password" | base64
Y2hhbmdlLXBhc3N3b3Jk
$ cat clientSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  clienttoken: Y2hhbmdlLXBhc3N3b3Jk
From the definition of the oc create command, it creates a resource and, if it is found, throws an error. So this command won't fit to update the configuration of a resource, in our case it's a secret.
$ oc create --help
Create a resource by filename or stdin
To make life easier, Openshift has provided the oc apply command to apply a configuration to a resource if there is a change. This command is also used to create a resource, which helps a lot during automated deployments.
$ oc apply --help
Apply a configuration to a resource by filename or stdin.
$ oc apply -f clientSecret.yaml
secret "test-secret" configured
By the time you check the secret in the UI, a new/updated password appears on the console.
So if you have noticed, the first apply resulted in created - secret "test-secret" created and subsequent applies result in configured - secret "test-secret" configured
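The create-or-update flow described above, generating the manifest from a file instead of hand-editing base64 values. This is an added example, not part of the original answer; render_secret, apply_secret and b64_oneline are hypothetical helper names, and apply_secret assumes a logged-in oc.

```shell
#!/bin/sh
# Added example: hypothetical helpers around the real `oc apply -f -`.

# base64 on one line: GNU base64 wraps output at 76 columns, which would
# split a long value (e.g. a properties file) and break the YAML scalar.
b64_oneline() {
  base64 | tr -d '\n'
}

# Print a Secret manifest whose single data key holds the file's exact bytes.
render_secret() {
  name=$1
  key=$2
  file=$3
  case "$key" in
    ''|*[!A-Za-z0-9._-]*)
      # Secret data keys may only contain alphanumerics, '-', '_' and '.'
      echo "invalid data key: $key" >&2
      return 1 ;;
  esac
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n  %s: %s\n' \
    "$name" "$key" "$(b64_oneline < "$file")"
}

# First run reports "created", later runs "configured".
# Usage: apply_secret test-secret clienttoken ./token.txt
apply_secret() {
  manifest=$(render_secret "$1" "$2" "$3") || return 1
  printf '%s\n' "$manifest" | oc apply -f -
}
```

Reading the value from a file keeps it out of the shell history and avoids a stray trailing newline from echo.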

What is option -n for in OpenShift "oc adm policy add-role-to-group" ?

The OpenShift command line tool (oc) offers a command to add a role to groups of users. The syntax is:
oc adm policy add-role-to-group ROLE GROUP [GROUP ...] [options]
In a script I found such a command with the option "-n", but there's no way I can find in the oc reference documentation a description of this or other allowed options.
Worse: it seems developers of the oc tool are trying to kid you, as the image shows.
I'm using oc version:
oc v3.2.1.13-1-gc2a90e1
kubernetes v1.2.0-36-g4a3f9c5
By running the command oc adm options you can see that the -n option is for the following:
-n, --namespace='': If present, the namespace scope for this CLI request.
-n is simply for passing a project name, so your command will run against this project.
e.g. oc adm policy add-role-to-group admin groupx -n projectx
will assign the admin role to groupx on projectx