What is option -n for in OpenShift "oc adm policy add-role-to-group"? - openshift

The OpenShift command line tool (oc) offers a command to add a role to groups of users. The syntax is:
oc adm policy add-role-to-group ROLE GROUP [GROUP ...] [options]
In a script I found such a command with option "-n", but there's no way I can find a description of this or other allowed options in the oc reference documentation.
Worse: it seems developers of the oc tool are trying to kid you, as the image shows.
I'm using oc version:
oc v3.2.1.13-1-gc2a90e1
kubernetes v1.2.0-36-g4a3f9c5

By running the command oc adm options you can see that the -n option is for the following:
-n, --namespace='': If present, the namespace scope for this CLI request.

-n is simply for passing a project name, so your command will run against this project.
e.g. oc adm policy add-role-to-group admin groupx -n projectx
will assign the admin role to groupx on projectx

Related

minishift - Monitoring pods

As per the documentation, monitoring is shipped with OKD.
OKD ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project and its wider eco-system. It provides monitoring of cluster components and ships with a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards.
Further, as per the documentation, this command should show links for various monitoring tools. oc -n openshift-monitoring get routes
When I run the oc command with system user, I get a message as: No resources found.
The installation does not go through.
git clone https://github.com/openshift/cluster-monitoring-operator
cd cluster-monitoring-operator
oc apply -f manifests/
Error messages:
namespace "openshift-monitoring" created
serviceaccount "cluster-monitoring-operator" created
unable to decode "manifests/0000_50_cluster_monitoring_operator_02-role.yaml": no kind "ClusterRole" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_03-role-binding.yaml": no kind "ClusterRoleBinding" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_04-deployment.yaml": no kind "Deployment" is registered for version "apps/v1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_05-clusteroperator.yaml": no kind "ClusterOperator" is registered for version "config.openshift.io/v1"
unable to decode "manifests/0000_90_cluster_monitoring_operator_00-operatorgroup.yaml": no kind "OperatorGroup" is registered for version "operators.coreos.com/v1"
So, how do we enable monitoring with minishift?
You can follow this to install prometheus in minishift:
https://github.com/minishift/minishift-addons/tree/master/add-ons/prometheus
Be sure that you log in as admin. If you encounter problems logging in as admin, you can follow these steps:
minishift ssh
[docker@example ~]$ sudo su
[root@example ~]# export KUBECONFIG=/var/lib/minishift/base/openshift-apiserver/admin.kubeconfig PATH="$PATH:/var/lib/minishift/bin"
[root@example ~]# oc adm policy add-cluster-role-to-user cluster-admin admin
[root@example ~]# exit
[docker@example ~]$ exit
oc login -u admin -p admin
oc whoami
You will see that you are logged in as admin.
When I enter the command to apply the prometheus, I encountered this problem:
minishift addons apply prometheus --addon-env namespace=kube-system
-- Applying addon 'prometheus':.Error applying the add-on: Error executing command 'oc new-app -f prometheus.yaml -p NAMESPACE=#{namespace} -n #{namespace}'.
Solution:
Log in to Minishift as admin using "oc login -u admin -p admin".
Go to the namespace "kube-system" with "oc project kube-system".
Click on "Add to project" -> "Import YAML/JSON".
Clone the prometheus add-on to your local machine from https://github.com/minishift/minishift-addons.git
Import ../minishift-addons/add-ons/prometheus/prometheus.yml into the "kube-system" namespace.
Afterwards, prometheus will be deployed.
You can access the prometheus graph UI: https://prometheus-kube-system.$minishift-host-ip-address.nip.io.

List all PVCs of an Openshift cluster

How do I list, from the command line, all PVCs of an OpenShift cluster?
From my understanding, the scope of a PVC is the namespace/project in which it was created.
Listing the PVCs implies being connected to (using), or at least mentioning, the namespace.
The best I came up with is:
$ for i in $(oc get project -o name|cut -d"/" -f 2);do echo "Project: $i";oc get pvc -n $i;done
Is there a better/cleaner/quicker way?
As an admin, try running:
oc get pvc --all-namespaces
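Once you have the cluster-wide listing, the per-namespace loop in the question can be replaced by a single pass over the JSON output. The script below is an added example, not code from the question or either answer: it parses the shape of `oc get pvc --all-namespaces -o json` (the sample document embedded here is constructed, trimmed to the fields used, and is not captured from a real cluster), totals the requested storage per namespace, and flags claims that are not yet Bound, which is the usual thing an administrator wants to see when reviewing storage across projects.

```python
import json
import sys
from collections import OrderedDict

# Constructed sample of `oc get pvc --all-namespaces -o json` output (assumed shape,
# trimmed to the fields used here; not captured from a real cluster).
SAMPLE_PVC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "db-data", "namespace": "projectx"},
         "spec": {"resources": {"requests": {"storage": "10Gi"}}, "storageClassName": "gp2"},
         "status": {"phase": "Bound"}},
        {"metadata": {"name": "logs", "namespace": "projectx"},
         "spec": {"resources": {"requests": {"storage": "5Gi"}}},
         "status": {"phase": "Pending"}},
        {"metadata": {"name": "cache", "namespace": "projecty"},
         "spec": {"resources": {"requests": {"storage": "500Mi"}}},
         "status": {"phase": "Bound"}},
    ],
})

# Kubernetes quantity suffixes: binary (Ki, Mi, ...) and decimal (k, M, ...).
BINARY_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
DECIMAL_UNITS = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_quantity(q):
    """Convert a storage quantity such as '10Gi' or '500M' to an integer number of bytes."""
    for suffix, mult in BINARY_UNITS.items():
        if q.endswith(suffix):
            return int(q[:-len(suffix)]) * mult
    for suffix, mult in DECIMAL_UNITS.items():
        if q.endswith(suffix):
            return int(q[:-len(suffix)]) * mult
    return int(q)  # plain bytes


def summarize_pvcs(pvc_list_json):
    """Group a PVC list by namespace: count, total requested bytes, and non-Bound claims."""
    data = json.loads(pvc_list_json)
    summary = OrderedDict()
    for item in data.get("items", []):
        ns = item["metadata"]["namespace"]
        entry = summary.setdefault(ns, {"count": 0, "bytes": 0, "not_bound": []})
        entry["count"] += 1
        entry["bytes"] += parse_quantity(item["spec"]["resources"]["requests"]["storage"])
        # A claim that is Pending (or Lost) usually means a missing storage class or no capacity.
        if item.get("status", {}).get("phase") != "Bound":
            entry["not_bound"].append(item["metadata"]["name"])
    return summary


def format_summary(summary):
    """Render the summary as one line per namespace, like the loop in the question prints."""
    lines = []
    for ns, entry in summary.items():
        gib = entry["bytes"] / 1024 ** 3
        flag = f" NOT BOUND: {', '.join(entry['not_bound'])}" if entry["not_bound"] else ""
        lines.append(f"Project: {ns}  pvcs={entry['count']}  requested={gib:.2f}Gi{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: oc get pvc --all-namespaces -o json | python3 pvc_summary.py
    # With no piped input the constructed sample is used instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PVC_LIST
    print(format_summary(summarize_pvcs(source or SAMPLE_PVC_LIST)))
```

The `--all-namespaces` flag needs a user who can list PVCs cluster-wide; a regular project user will still be limited to the projects they can see, so the JSON this script receives is only as complete as the caller's RBAC allows.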

Failed to deploy Artifactory OSS image in Openshift Online 3 Starter by error "Creating user artifactory failed"

I'm trying to set up Artifactory on OpenShift Online 3 Starter using the docker image docker.bintray.io/jfrog/artifactory-oss:latest from here
But when deploying I got an error
I tried to create the artifactory user with the command oc create serviceaccount artifactory and then oc adm policy add-scc-to-user anyuid -z artifactory, but got another error:
Error from server (Forbidden): User "xxxx" cannot get securitycontextconstraints at the cluster scope
You need to be cluster admin in order to be able to run:
oc adm policy add-scc-to-user anyuid -z artifactory
This is because it is granting the right to run things as any user ID, including root. This is something that you as a normal user aren't allowed to do.
Further, in OpenShift Online you can only run things in the user ID range you are assigned. You cannot override that, nor will you be granted additional privileges.
You would need to find a version of the image which doesn't require being run as root and which can run as an arbitrary user ID.

How does OpenShift determine the SCC for the pod?

I am struggling with the SCCs within OpenShift. All my pods are created with scc: restricted. But now I want some pods in privileged mode.
I tried with this command:
$ oc edit scc privileged
and added the serviceaccount and namespace.
I also tried to make a new scc with users:
$ oc create -f scc.yaml
But all new pods are still created with scc: restricted :-(
You want to be using oc adm policy add-role-to-user -z default somerole. The question is why you would want to do that. Running containers with root or other elevated privileges is usually a bad idea and unless you have cluster admin access for the OpenShift cluster, you cannot enable such privileges. The need to run with extra privileges is generally indicative of a poorly constructed image. Images should be designed to run as an arbitrary non root user.

Openshift: how to edit scc non-interactively?

I am experimenting with openshift/minishift, I find myself having to run:
oc edit scc privileged
and add:
- system:serviceaccount:default:router
So I can expose the pods. Is there a way to do it in a script?
I know oc adm has some commands for policy manipulation, but I can't figure out how to add this line.
You can achieve it using the oc patch command with type json. The snippet below will add a new item to the array before the 0th element. You can try it out with a fake "bla" value etc.
oc patch scc privileged --type=json -p '[{"op": "add", "path": "/users/0", "value":"system:serviceaccount:default:router"}]'
The --type=json will interpret the provided patch as jsonpatch operation. Unfortunately oc patch --help doesn't provide any example for json patch type. Luckily example usage can be found in kubernetes docs: kubectl patch
I have found an example piping to sed Here and adapted it to ruby so I can easily edit the data structure.
oc get scc privileged -o json |\
ruby -rjson -e 'i = JSON.load(STDIN.read); i["users"].push "system:serviceaccount:default:router"; puts i.to_json ' |\
oc replace scc -f -
Here is a quick and dirty script to get started with minishift
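The three approaches in this thread (oc patch with a JSON patch, the oc get | ruby | oc replace pipeline, and oc adm policy add-scc-to-user) all end up inserting a user name into the SCC's users list, and the earlier question about why pods still land in the restricted SCC comes down to whether that list, or the SCC's groups list, actually names the pod's service account. The script below is an added example and is not code from any answer or from the oc tool: it builds the JSON patch idempotently (so re-running a script does not keep duplicating the entry, and a missing users field is handled), applies a small subset of RFC 6902 locally so the result can be inspected before touching the cluster, and checks whether a given service account is reachable from an SCC either directly through users or through the implicit groups every service account belongs to (system:serviceaccounts, system:serviceaccounts:<namespace>, system:authenticated). That group check goes beyond the specific router case in the question. The sample SCC document is constructed and trimmed to the fields used; apply_json_patch and the other function names are this example's own.

```python
import copy
import json

# Constructed sample of `oc get scc privileged -o json` (assumed shape, trimmed to the
# fields used here; not captured from a real cluster).
SAMPLE_SCC = {
    "apiVersion": "v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "privileged"},
    "allowPrivilegedContainer": True,
    "users": ["system:admin", "system:serviceaccount:openshift-infra:build-controller"],
    "groups": ["system:cluster-admins", "system:nodes"],
}


def sa_user_name(namespace, serviceaccount):
    """The user name OpenShift gives a service account, e.g. system:serviceaccount:default:router."""
    return f"system:serviceaccount:{namespace}:{serviceaccount}"


def apply_json_patch(doc, ops):
    """Apply RFC 6902 'add' and 'remove' operations to a copy of doc (subset used by oc patch --type=json).

    Array index '-' appends; a numeric index inserts before that element, as the page's
    '/users/0' patch does. The input document is never modified.
    """
    result = copy.deepcopy(doc)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        parent = result
        for key in parts[:-1]:
            parent = parent[int(key)] if isinstance(parent, list) else parent[key]
        last = parts[-1]
        if op["op"] == "add":
            if isinstance(parent, list):
                parent.insert(len(parent) if last == "-" else int(last), op["value"])
            else:
                parent[last] = op["value"]
        elif op["op"] == "remove":
            if isinstance(parent, list):
                parent.pop(int(last))
            else:
                del parent[last]
        else:
            raise ValueError("unsupported op: " + op["op"])
    return result


def grant_patch(scc, namespace, serviceaccount):
    """JSON patch ops that add the service account to scc.users; [] if it is already listed."""
    user = sa_user_name(namespace, serviceaccount)
    if user in (scc.get("users") or []):
        return []  # idempotent: nothing to do
    if not scc.get("users"):
        # 'add' with an array index fails when the field is absent or null, so create it.
        return [{"op": "add", "path": "/users", "value": [user]}]
    return [{"op": "add", "path": "/users/-", "value": user}]


def revoke_patch(scc, namespace, serviceaccount):
    """JSON patch ops that remove the service account from scc.users; [] if not listed."""
    user = sa_user_name(namespace, serviceaccount)
    users = scc.get("users") or []
    if user not in users:
        return []
    return [{"op": "remove", "path": f"/users/{users.index(user)}"}]


def scc_grants_sa(scc, namespace, serviceaccount):
    """True if the SCC reaches the service account via users or via its implicit groups."""
    implicit_groups = {
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
        "system:authenticated",
    }
    return (sa_user_name(namespace, serviceaccount) in (scc.get("users") or [])
            or bool(implicit_groups & set(scc.get("groups") or [])))


def oc_patch_argv(scc_name, ops):
    """Argument vector for the oc patch invocation shown in the answer above."""
    return ["oc", "patch", "scc", scc_name, "--type=json", "-p", json.dumps(ops)]


if __name__ == "__main__":
    ops = grant_patch(SAMPLE_SCC, "default", "router")
    print("patch:", json.dumps(ops))
    print("command:", " ".join(oc_patch_argv("privileged", ops)))
    patched = apply_json_patch(SAMPLE_SCC, ops)
    print("router granted privileged after patch:", scc_grants_sa(patched, "default", "router"))
```

Run scc_grants_sa against every SCC in `oc get scc -o json` for a namespace's default service account to see why a pod lands where it does: a service account named in no SCC's users or groups only matches SCCs granted to system:authenticated, which is why the pods in the earlier question stayed in restricted.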
The easiest way to add and remove users to SCCs from the command line is using the oc adm policy commands:
oc adm policy add-scc-to-user <scc_name> <user_name>
For more info, see this section.
So for your specific use-case, it would be:
oc adm policy add-scc-to-user privileged system:serviceaccount:default:router
I'm surprised it's needed though. I use "oc cluster up" normally, but testing with recent minishift, it's already added out of the box:
$ minishift start
$ eval $(minishift oc-env)
$ oc login -u system:admin
$ oc get scc privileged -o yaml | grep system:serviceaccount:default:router
- system:serviceaccount:default:router
$ minishift version
minishift v1.14.0+1ec5877
$ oc version
openshift v3.7.1+a8deba5-34