OpenShift Enable system:admin Remote Access: Difference between revisions
Jump to navigation
Jump to search
| (14 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
* [[OpenShift Operations#Procedures|OpenShift Operations]] | * [[OpenShift Operations#Procedures|OpenShift Operations]] | ||
* [[Oc_login#Operations|oc login]] | |||
=Overview= | =Overview= | ||
This procedure will enable remote access with [[oc]] for [[OpenShift Security Concepts#The_Cluster_Administrator|the cluster administrator]]. | This procedure will enable remote access with [[oc]] for [[OpenShift Security Concepts#The_Cluster_Administrator|the cluster administrator]]. | ||
{{Warn|Upon completing this procedure, the remote Unix account you will be executing the procedure from will have 'system:admin' access to the OpenShift instance. Under some circumstances, this may constitute a security risk.}} | |||
=Procedure= | =Procedure= | ||
Log in as a regular user, this will create the [[.kube/config]] structure. | Log in as a regular user, this will create the [[.kube config|.kube/config]] structure. | ||
oc login | oc login | ||
Server [https://localhost:8443]: https | Server [https://localhost:8443]: https://master.openshift.example.com | ||
... | ... | ||
Username: ... | Username: ... | ||
... | ... | ||
Login successful. | Login successful. | ||
This will create a [[.kube config|.kube/config]] file. | |||
Log out: | |||
[[oc logout]] | |||
Edit [[.kube config|.kube/config]] file, replacing the username provided during the last login with "system:admin" as follows: | |||
apiVersion: v1 | |||
clusters: | |||
- cluster: | |||
insecure-skip-tls-verify: true | |||
server: https://master.openshift.example.com:443 | |||
name: master-openshift-example-com:443 | |||
contexts: | |||
- context: | |||
cluster: master-openshift-example-com:443 | |||
user: <font color=red>'''system:admin'''</font/>/master-openshift-example-com:443 | |||
name: /master-openshift-example-com:443/ovidiu | |||
current-context: /master-openshift-example-com:443/<font color=red>'''system:admin'''</font/> | |||
kind: Config | |||
preferences: {} | |||
users: | |||
- name: <font color=red>'''system:admin'''</font/>/master-openshift-example-com:443 | |||
user: {} | |||
Access the OpenShift master server and get the 'client-certificate-data' and 'client-key-data' entries from /etc/origin/master/admin.kubeconfig, for the "system:admin" user. | |||
Append them to the local .kube/config as follows: | |||
... | |||
users: | |||
- name: system:admin/master-openshift-example-com:443 | |||
user: | |||
client-certificate-data: LS0tLS1... | |||
client-key-data: LS0tLS1... | |||
When the changes are saved, the "system:admin" user is automatically logged in: | |||
[[oc whoami]] | |||
system:admin | |||
oc get nodes | |||
... | |||
Latest revision as of 00:59, 20 November 2020
Internal
Overview
This procedure will enable remote access with oc for the cluster administrator.
Upon completing this procedure, the remote Unix account you will be executing the procedure from will have 'system:admin' access to the OpenShift instance. Under some circumstances, this may constitute a security risk.
Procedure
Log in as a regular user, this will create the .kube/config structure.
oc login Server [https://localhost:8443]: https://master.openshift.example.com ... Username: ... ... Login successful.
This will create a .kube/config file.
Log out:
oc logout
Edit .kube/config file, replacing the username provided during the last login with "system:admin" as follows:
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: https://master.openshift.example.com:443
name: master-openshift-example-com:443
contexts:
- context:
cluster: master-openshift-example-com:443
user: system:admin/master-openshift-example-com:443
name: /master-openshift-example-com:443/ovidiu
current-context: /master-openshift-example-com:443/system:admin
kind: Config
preferences: {}
users:
- name: system:admin/master-openshift-example-com:443
user: {}
Access the OpenShift master server and get the 'client-certificate-data' and 'client-key-data' entries from /etc/origin/master/admin.kubeconfig, for the "system:admin" user.
Append them to the local .kube/config as follows:
... users: - name: system:admin/master-openshift-example-com:443 user: client-certificate-data: LS0tLS1... client-key-data: LS0tLS1...
When the changes are saved, the "system:admin" user is automatically logged in:
oc whoami system:admin oc get nodes ...