OpenShift Security Operations

From NovaOrdis Knowledge Base
Jump to navigation Jump to search


List All Cluster Role Bindings

 oc get clusterrolebindings

List Role Bindings for a Specific Role

 oc get clusterrolebindings/cluster-admins

List All Project Role Bindings

oc get rolebindings [-n <target-project-name>]


oc describe policyBindings

Can I?

oc policy can-i

Who Can?

oc policy who-can

Make a User a Cluster Administrator

This command can be used to make regular users cluster administrators:

oadm policy add-cluster-role-to-user cluster-admin ovidiu

Assign a Cluster Role to an User

oadm policy add-cluster-role-to-user cluster-reader nodev

Enable system:admin Remote Access

Procedure to enable system:admin remote access

OAuth Client Operations

List all OAuth clients:

oc get oauthclients

List one:

oc get oauthclient kibana-proxy
oc edit oauthclient kibana-proxy

Secrets Operations

Secrets Operations

Service Account Operations

Service Accounts

Query Service Accounts for a Project

oc get sa
oc get serviceaccount [service-account-name]

List the Secrets associated with a Service Account

oc get sa -o yaml <service-account-name>
apiVersion: v1
kind: ServiceAccount
- name: builder-dockercfg-pgcfb
- name: builder-token-04jmh
- name: builder-dockercfg-pgcfb

Link the Secret to a Service Account

Link the Secret to a Service Account

Create a New Service Account

Service accounts can be created as follows:

echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}'  | oc create -n default -f -

Security Context Constraints Operations

Aslo see:

Security Context Constraints

Get All SCCs

Return all cluster-wide available SCCs. The cluster administrators can execute the command:

oc get scc

Get a SCC

oc get -o yaml scc/<scc-name>

Create a New SCC

Update an SCC

Delete an SCC

Enable Images to Run with USER in the Dockerfile

Users and SCCs

Users and groups can be associated administratively with SCCs.

Adding a user to an SCC is done with:

oadm policy add-user-to-scc <scc_name> <user_name>

Adding a group to an SCC is done with:

oadm policy add-group-to-scc <scc_name> <group_name>

Service Accounts and SCCs

Service accounts can be associated administratively with SCCs.

Associating a service account with an SCC:

oc adm policy add-scc-to-user <scc-name> -z <service-account-name>

Disassociating a service account from SCC:

oc adm policy remove-scc-from-user <scc-name> -z <service-account-name>