OpenShift Security Operations
Internal
List All Cluster Role Bindings
oc get clusterrolebindings
List Role Bindings for a Specific Role
oc get clusterrolebindings/cluster-admins
List All Project Role Bindings
oc get rolebindings [-n <target-project-name>]
Alternative:
oc describe policyBindings
Can I?
oc policy can-i <verb> <resource>
Who Can?
oc policy who-can <verb> <resource>
Make a User a Cluster Administrator
This command can be used to make regular users cluster administrators:
oadm policy add-cluster-role-to-user cluster-admin ovidiu
Assign a Cluster Role to a User
oadm policy add-cluster-role-to-user cluster-reader nodev
Enable system:admin Remote Access
OAuth Client Operations
List all OAuth clients:
oc get oauthclients
List one:
oc get oauthclient kibana-proxy
oc edit oauthclient kibana-proxy
Secrets Operations
Service Account Operations
Query Service Accounts for a Project
oc get sa
oc get serviceaccount [service-account-name]
List the Secrets associated with a Service Account
oc get sa -o yaml <service-account-name>
apiVersion: v1
kind: ServiceAccount
...
imagePullSecrets:
- name: builder-dockercfg-pgcfb
secrets:
- name: builder-token-04jmh
- name: builder-dockercfg-pgcfb
Link the Secret to a Service Account
Create a New Service Account
Service accounts can be created as follows:
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -
Security Context Constraints Operations
Also see:
Get All SCCs
Returns all SCCs available cluster-wide. Cluster administrators can run:
oc get scc
Get an SCC
oc get -o yaml scc/<scc-name>
Create a New SCC
Update an SCC
Delete an SCC
Enable Images to Run with USER in the Dockerfile
Users and SCCs
Users and groups can be associated administratively with SCCs.
Adding a user to an SCC is done with:
oadm policy add-user-to-scc <scc_name> <user_name>
Adding a group to an SCC is done with:
oadm policy add-group-to-scc <scc_name> <group_name>
Service Accounts and SCCs
Service accounts can be associated administratively with SCCs.
Associating a service account with an SCC:
oc adm policy add-scc-to-user <scc-name> -z <service-account-name>
Disassociating a service account from SCC:
oc adm policy remove-scc-from-user <scc-name> -z <service-account-name>
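The user, group and service-account associations made by the commands above end up in each SCC's users and groups lists (a service account is recorded as system:serviceaccount:<project>:<name>). The following audit script is an added example, not part of this page or of OpenShift itself: it reads the items list produced by oc get scc -o json (here a constructed sample embedded inline) and reports which subjects hold an SCC that permits privileged containers, host networking, host PID, or an arbitrary UID. The namespace filter in project_service_accounts is an assumed convention for separating platform from application service accounts.

```python
import json

# Constructed sample in the shape of `oc get scc -o json`; not real cluster
# output. The field names (users, groups, allowPrivilegedContainer, ...) are
# the real SCC fields; the subject names are made up.
SAMPLE_SCC_JSON = json.dumps({"items": [
    {"metadata": {"name": "privileged"},
     "allowPrivilegedContainer": True, "allowHostNetwork": True,
     "allowHostPID": True, "runAsUser": {"type": "RunAsAny"},
     "users": ["system:admin",
               "system:serviceaccount:openshift-infra:build-controller",
               "system:serviceaccount:myproject:default"],
     "groups": ["system:cluster-admins", "system:nodes"]},
    {"metadata": {"name": "anyuid"},
     "allowPrivilegedContainer": False, "allowHostNetwork": False,
     "allowHostPID": False, "runAsUser": {"type": "RunAsAny"},
     "users": ["ovidiu"], "groups": ["system:cluster-admins"]},
    {"metadata": {"name": "restricted"},
     "allowPrivilegedContainer": False, "allowHostNetwork": False,
     "allowHostPID": False, "runAsUser": {"type": "MustRunAsRange"},
     "users": None, "groups": ["system:authenticated"]},
]})

# SCC flags that let a pod reach the node; each is a real SCC field.
RISKY_FLAGS = ("allowPrivilegedContainer", "allowHostNetwork", "allowHostPID")

def risky_grants(scc_json):
    """Return {subject: [scc names]} for every subject bound to a risky SCC."""
    grants = {}
    for scc in json.loads(scc_json)["items"]:
        reasons = [f for f in RISKY_FLAGS if scc.get(f)]
        if scc.get("runAsUser", {}).get("type") == "RunAsAny":
            reasons.append("runAsUser=RunAsAny")
        if not reasons:
            continue  # e.g. restricted: nothing to report
        name = scc["metadata"]["name"]
        # users/groups may be null in real output, hence the `or []`
        for subject in (scc.get("users") or []) + (scc.get("groups") or []):
            grants.setdefault(subject, []).append(name)
    return grants

def project_service_accounts(grants):
    """Keep only service accounts outside the openshift*/kube* namespaces (assumed split)."""
    out = {}
    for subject, sccs in grants.items():
        if subject.startswith("system:serviceaccount:"):
            ns = subject.split(":")[2]
            if not ns.startswith(("openshift", "kube")):
                out[subject] = sccs
    return out

if __name__ == "__main__":
    found = risky_grants(SAMPLE_SCC_JSON)
    for subject, sccs in sorted(found.items()):
        print(f"{subject}: {', '.join(sccs)}")
    print("application service accounts to review:", project_service_accounts(found))
```

Against a live cluster, pipe `oc get scc -o json` into the script in place of the sample; any application service account listed in the final line can run pods with the named SCC's privileges.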