OpenShift Security Operations: Difference between revisions
Jump to navigation
Jump to search
| (40 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
* [[OpenShift Operations#Subjects|OpenShift Operations]] | * [[OpenShift Operations#Subjects|OpenShift Operations]] | ||
* [[OpenShift Security Concepts]] | |||
=List All Cluster Role Bindings= | =List All Cluster Role Bindings= | ||
| Line 32: | Line 33: | ||
oadm policy add-cluster-role-to-user cluster-admin ovidiu | oadm policy add-cluster-role-to-user cluster-admin ovidiu | ||
=Assign a Cluster Role to an User= | |||
oadm policy add-cluster-role-to-user cluster-reader nodev | |||
=Enable system:admin Remote Access= | =Enable system:admin Remote Access= | ||
| Line 49: | Line 54: | ||
oc edit oauthclient kibana-proxy | oc edit oauthclient kibana-proxy | ||
= | =Secrets Operations= | ||
{{Internal|OpenShift Secrets Operations|Secrets Operations}} | |||
=Service Account Operations= | |||
{{Internal|OpenShift_Security_Concepts#Service_Account|Service Accounts}} | |||
== | ==Query Service Accounts for a Project== | ||
oc get sa | |||
oc | |||
oc get serviceaccount [''service-account-name''] | |||
==List the Secrets associated with a Service Account== | |||
oc get sa -o yaml <''service-account-name''> | |||
oc | |||
= | apiVersion: v1 | ||
kind: ServiceAccount | |||
... | |||
<font color=teal>'''imagePullSecrets'''</font>: | |||
- name: builder-dockercfg-pgcfb | |||
<font color=teal>'''secrets'''</font>: | |||
- name: builder-token-04jmh | |||
- name: builder-dockercfg-pgcfb | |||
== | ==Link the Secret to a Service Account== | ||
{{Internal|OpenShift_Security_Operations#Link_the_Secret_to_a_Service_Account|Link the Secret to a Service Account}} | |||
==Create a New Service Account== | ==Create a New Service Account== | ||
| Line 80: | Line 90: | ||
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f - | echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f - | ||
=Security Context Constraints Operations= | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html}} | |||
Aslo see: {{Internal|OpenShift Security Context Constraints#Overview|Security Context Constraints}} | |||
==Get All SCCs== | |||
Return all cluster-wide available SCCs. The cluster administrators can execute the command: | |||
oc get scc | |||
==Get a SCC== | |||
oc get -o yaml scc/<''scc-name''> | |||
==Create a New SCC== | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#creating-new-security-context-constraints}} | |||
==Update an SCC== | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-security-context-constraints}} | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-the-default-security-context-constraints}} | |||
==Delete an SCC== | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#deleting-security-context-constraints}} | |||
==Enable Images to Run with USER in the Dockerfile== | |||
{{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile}} | |||
==Users and SCCs== | |||
Users and groups [[OpenShift_Security_Context_Constraints#Security_Context_Constraints_and_Users.2FGroups|can be associated administratively with SCCs]]. | |||
Adding a user to an SCC is done with: | |||
oadm policy add-user-to-scc <''scc_name''> <''user_name''> | |||
Adding a group to an SCC is done with: | |||
oadm policy add-group-to-scc <''scc_name''> <''group_name''> | |||
==Service Accounts and SCCs== | |||
Service accounts [[OpenShift_Security_Context_Constraints#Security_Context_Constraints_and_Service_Accounts|can be associated administratively with SCCs]]. | |||
Associating a service account with an SCC: | |||
oc adm policy add-scc-to-user <''scc-name''> -z <''service-account-name''> | |||
Disassociating a service account from SCC: | |||
oc adm policy remove-scc-from-user <''scc-name''> -z <''service-account-name''> | |||
Latest revision as of 23:30, 12 February 2018
Internal
List All Cluster Role Bindings
oc get clusterrolebindings
List Role Bindings for a Specific Role
oc get clusterrolebindings/cluster-admins
List All Project Role Bindings
oc get rolebindings [-n <target-project-name>]
Alternative:
oc describe policyBindings
Can I?
oc policy can-i
Who Can?
oc policy who-can
Make a User a Cluster Administrator
This command can be used to make regular users cluster administrators:
oadm policy add-cluster-role-to-user cluster-admin ovidiu
Assign a Cluster Role to an User
oadm policy add-cluster-role-to-user cluster-reader nodev
Enable system:admin Remote Access
OAuth Client Operations
List all OAuth clients:
oc get oauthclients
List one:
oc get oauthclient kibana-proxy
oc edit oauthclient kibana-proxy
Secrets Operations
Service Account Operations
Query Service Accounts for a Project
oc get sa
oc get serviceaccount [service-account-name]
List the Secrets associated with a Service Account
oc get sa -o yaml <service-account-name>
apiVersion: v1 kind: ServiceAccount ... imagePullSecrets: - name: builder-dockercfg-pgcfb secrets: - name: builder-token-04jmh - name: builder-dockercfg-pgcfb
Link the Secret to a Service Account
Create a New Service Account
Service accounts can be created as follows:
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -
Security Context Constraints Operations
Aslo see:
Get All SCCs
Return all cluster-wide available SCCs. The cluster administrators can execute the command:
oc get scc
Get a SCC
oc get -o yaml scc/<scc-name>
Create a New SCC
Update an SCC
Delete an SCC
Enable Images to Run with USER in the Dockerfile
Users and SCCs
Users and groups can be associated administratively with SCCs.
Adding a user to an SCC is done with:
oadm policy add-user-to-scc <scc_name> <user_name>
Adding a group to an SCC is done with:
oadm policy add-group-to-scc <scc_name> <group_name>
Service Accounts and SCCs
Service accounts can be associated administratively with SCCs.
Associating a service account with an SCC:
oc adm policy add-scc-to-user <scc-name> -z <service-account-name>
Disassociating a service account from SCC:
oc adm policy remove-scc-from-user <scc-name> -z <service-account-name>