OpenShift Enable system:admin Remote Access: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 21:39, 7 September 2020

Internal

Overview

This procedure will enable remote access with oc for the cluster administrator.


Upon completing this procedure, the remote Unix account the procedure is executed from will have 'system:admin' access to the OpenShift instance, because its .kube/config will contain the administrator's client certificate and key. Under some circumstances, this may constitute a security risk.

Procedure

Log in as a regular user; this creates the .kube/config structure.

oc login
Server [https://localhost:8443]: https://master.openshift.example.com
...
Username: ...
...
Login successful.

This will create a .kube/config file.

Log out:

oc logout

Edit the .kube/config file, replacing the username provided during the last login with "system:admin" as follows:

apiVersion: v1
clusters:
- cluster:
    # The server certificate is not verified with this setting.
    insecure-skip-tls-verify: true
    server: https://master.openshift.example.com:443
  name: master-openshift-example-com:443
contexts:
- context:
    cluster: master-openshift-example-com:443
    user: system:admin/master-openshift-example-com:443
  # The context name must match current-context below.
  name: /master-openshift-example-com:443/system:admin
current-context: /master-openshift-example-com:443/system:admin
kind: Config
preferences: {}
users:
- name: system:admin/master-openshift-example-com:443
  user: {}

Access the OpenShift master server and get the 'client-certificate-data' and 'client-key-data' entries from /etc/origin/master/admin.kubeconfig, for the "system:admin" user.

Append them to the local .kube/config as follows:

...
users:
- name: system:admin/master-openshift-example-com:443
  user:
    client-certificate-data: LS0tLS1...
    client-key-data: LS0tLS1...

When the changes are saved, the "system:admin" user is automatically logged in:

oc whoami
system:admin

oc get nodes 
...
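
An added check for the edited file (example code, not part of the original page or of OpenShift): the function flags a kubeconfig that embeds client-key-data while readable by group or others, that disables TLS verification, or whose current-context names no entry under contexts. The function names, the finding labels and the sample written by write_sample are constructed for this example; it assumes unquoted values, as in the config shown above.

```shell
#!/bin/sh
# Added example: audit a kubeconfig after the edit described above.
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if missing.
audit_kubeconfig() {
    cfg=$1; found=0
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 2; }
    # 1. An embedded private key must not be readable by group or others.
    if grep -q '^ *client-key-data:' "$cfg"; then
        mode=$(ls -ld "$cfg" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || { echo "PERMS: key embedded, group/other bits '$mode'"; found=1; }
    fi
    # 2. The API server certificate is not being verified.
    if grep -Eq '^ *insecure-skip-tls-verify: *true *$' "$cfg"; then
        echo "TLS: insecure-skip-tls-verify is true"; found=1
    fi
    # 3. current-context must name an entry of the contexts list.
    cur=$(sed -n 's/^current-context: *//p' "$cfg")
    ctxs=$(awk '/^[a-z]/ { sec = $1 }
        sec == "contexts:" && /^[- ] name: / { sub(/^[- ] name: */, ""); print }' "$cfg")
    if [ -z "$cur" ] || ! printf '%s\n' "$ctxs" | grep -Fxq -- "$cur"; then
        echo "CONTEXT: current-context '$cur' is not a defined context"; found=1
    fi
    return "$found"
}

# Constructed sample: a config whose context name still carries the login username.
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://master.openshift.example.com:443
  name: master-openshift-example-com:443
contexts:
- context:
    cluster: master-openshift-example-com:443
    user: system:admin/master-openshift-example-com:443
  name: /master-openshift-example-com:443/ovidiu
current-context: /master-openshift-example-com:443/system:admin
kind: Config
users:
- name: system:admin/master-openshift-example-com:443
  user:
    client-key-data: PLACEHOLDER
EOF
}

if [ "$#" -gt 0 ]; then audit_kubeconfig "$1"; fi
```

Run it with the path of the file to check, for example the .kube/config edited above; a clean file prints nothing and returns 0.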