OpenShift Security Operations: Difference between revisions

From NovaOrdis Knowledge Base
 
(38 intermediate revisions by the same user not shown)
Line 2 (old revision) / Line 2 (latest revision):

  * [[OpenShift Operations#Subjects|OpenShift Operations]]
+ * [[OpenShift Security Concepts]]
  =List All Cluster Role Bindings=

Line 32 (old revision) / Line 33 (latest revision):

  oadm policy add-cluster-role-to-user cluster-admin ovidiu
+ =Assign a Cluster Role to an User=
+ oadm policy add-cluster-role-to-user cluster-reader nodev
  =Enable system:admin Remote Access=

Line 49 (old revision) / Line 54 (latest revision):

  oc edit oauthclient kibana-proxy
- ='Secret' Operations=
+ =Secrets Operations=
+ {{Internal|OpenShift Secrets Operations|Secrets Operations}}
+ =Service Account Operations=
+ {{Internal|OpenShift_Security_Concepts#Service_Account|Service Accounts}}
+ ==Query Service Accounts for a Project==
+ oc get sa
+ oc get serviceaccount [''service-account-name'']
+ ==List the Secrets associated with a Service Account==
+ oc get sa -o yaml <''service-account-name''>
+ apiVersion: v1
+ kind: ServiceAccount
+ ...
+ <font color=teal>'''imagePullSecrets'''</font>:
+ - name: builder-dockercfg-pgcfb
+ <font color=teal>'''secrets'''</font>:
+ - name: builder-token-04jmh
+ - name: builder-dockercfg-pgcfb
+ ==Link the Secret to a Service Account==
+ {{Internal|OpenShift_Security_Operations#Link_the_Secret_to_a_Service_Account|Link the Secret to a Service Account}}
+ ==Create a New Service Account==
+ [[OpenShift_Security_Concepts#Service_Account|Service accounts]] can be created as follows:
+ echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -
+ =Security Context Constraints Operations=
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html}}
+ Aslo see: {{Internal|OpenShift Security Context Constraints#Overview|Security Context Constraints}}
+ ==Get All SCCs==
+ Return all cluster-wide available SCCs. The cluster administrators can execute the command:
+ oc get scc
+ ==Get a SCC==
+ oc get -o yaml scc/<''scc-name''>
+ ==Create a New SCC==
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#creating-new-security-context-constraints}}
+ ==Update an SCC==
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-security-context-constraints}}
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-the-default-security-context-constraints}}
+ ==Delete an SCC==
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#deleting-security-context-constraints}}
+ ==Enable Images to Run with USER in the Dockerfile==
+ {{External|https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile}}
+ ==Users and SCCs==
+ Users and groups [[OpenShift_Security_Context_Constraints#Security_Context_Constraints_and_Users.2FGroups|can be associated administratively with SCCs]].
+ Adding a user to an SCC is done with:
+ oadm policy add-user-to-scc <''scc_name''> <''user_name''>
+ Adding a group to an SCC is done with:
+ oadm policy add-group-to-scc <''scc_name''> <''group_name''>
+ ==Service Accounts and SCCs==
+ Service accounts [[OpenShift_Security_Context_Constraints#Security_Context_Constraints_and_Service_Accounts|can be associated administratively with SCCs]].
+ Associating a service account with an SCC:
+ oc adm policy add-scc-to-user <''scc-name''> -z <''service-account-name''>
+ Disassociating a service account from SCC:
+ oc adm policy remove-scc-from-user <''scc-name''> -z <''service-account-name''>
- ==List Secrets==
- List all [[OpenShift_Security_Concepts#Secret|secrets]]:
- oc get secrets
- ==Create a Secret==
- echo "..." > ./some-data.txt
- oc secret new some-secret key_1=some-data.txt
- ==Extract Data from a Secret==
- Extract data from a given secret:
- cd ~/tmp
- oc extract secret/logging-kibana-proxy [--keys=oauth-secret] --confirm
- ==Expose as Environment Variable==
- oc env <''target-object''> --from=secret/<''secret-name''> --prefix=DB_
- ==Expose as a Mounted Volume==
- oc set volume <''target-object''> --add --overwrite --name=<''some-name''> --mount-path /some-path --secret-name=<''secret-name''>
- =Service Account Operations=
- ==Query Service Accounts for a Project==
- oc get sa
- ==Create a New Service Account==
- [[OpenShift_Security_Concepts#Service_Account|Service accounts]] can be created as follows:
- echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -
Latest revision as of 23:30, 12 February 2018

Internal

* OpenShift Operations
* OpenShift Security Concepts

List All Cluster Role Bindings

 oc get clusterrolebindings

List Role Bindings for a Specific Role

 oc get clusterrolebindings/cluster-admins

List All Project Role Bindings

oc get rolebindings [-n <target-project-name>]

Alternative:

oc describe policyBindings

Can I?

oc policy can-i <verb> <resource>

Who Can?

oc policy who-can <verb> <resource>

Make a User a Cluster Administrator

This command can be used to make regular users cluster administrators:

oadm policy add-cluster-role-to-user cluster-admin ovidiu

Assign a Cluster Role to a User

oadm policy add-cluster-role-to-user cluster-reader nodev
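After granting roles as above, the practical question is who now holds cluster-admin, including service accounts, whose tokens are as powerful as a human administrator's login. The following is an added example (not code from the NovaOrdis page or from OpenShift) that audits the output of `oc get clusterrolebindings -o json`. It assumes the Kubernetes RBAC ClusterRoleBinding shape (`roleRef`, `subjects`); the binding list below is constructed, modelled on the two grants shown on this page plus a hypothetical service-account grant.

```python
"""Audit who holds cluster-admin, from `oc get clusterrolebindings -o json`.

Added example, not from the page or from OpenShift. Assumes the Kubernetes
RBAC ClusterRoleBinding shape; the sample output below is constructed.
"""
import json
from collections import defaultdict

# Constructed stand-in for the output of: oc get clusterrolebindings -o json
SAMPLE_CLUSTERROLEBINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # built-in binding of the cluster-admin role to the masters group
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # result of: oadm policy add-cluster-role-to-user cluster-admin ovidiu
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin-0"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "ovidiu"}],
        },
        {   # result of: oadm policy add-cluster-role-to-user cluster-reader nodev
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-reader-0"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
            "subjects": [{"kind": "User", "name": "nodev"}],
        },
        {   # hypothetical: a CI service account that was given cluster-admin
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "ci-deployer"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "deployer",
                          "namespace": "ci"}],
        },
    ],
})


def subject_id(subject):
    """Render a binding subject using OpenShift's identity naming."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subject.get("namespace", ""),
                                                subject["name"])
    return "%s:%s" % (kind, subject["name"])   # e.g. User:ovidiu


def subjects_by_role(bindings_json):
    """Map each ClusterRole name to the set of subjects bound to it."""
    doc = json.loads(bindings_json)
    out = defaultdict(set)
    for item in doc.get("items", []):
        role = item["roleRef"]["name"]
        for subject in item.get("subjects") or []:
            out[role].add(subject_id(subject))
    return dict(out)


# Subjects expected to hold cluster-admin on a fresh cluster; extend per site.
BUILTIN_CLUSTER_ADMIN = {"Group:system:masters"}


def unexpected_cluster_admins(bindings_json, allowed=BUILTIN_CLUSTER_ADMIN):
    """Sorted list of cluster-admin holders outside the allow-list."""
    holders = subjects_by_role(bindings_json).get("cluster-admin", set())
    return sorted(holders - set(allowed))


if __name__ == "__main__":
    for holder in unexpected_cluster_admins(SAMPLE_CLUSTERROLEBINDINGS):
        print("cluster-admin held by", holder)
```

On a live cluster, pipe the real output in (`oc get clusterrolebindings -o json | python3 audit.py` after reading `sys.stdin` instead of the constructed sample) and compare the result against a reviewed allow-list; any service account in the result deserves the same scrutiny as a human account.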

Enable system:admin Remote Access

Procedure to enable system:admin remote access

OAuth Client Operations

List all OAuth clients:

oc get oauthclients

List one:

oc get oauthclient kibana-proxy
oc edit oauthclient kibana-proxy

Secrets Operations

Secrets Operations

Service Account Operations

Service Accounts

Query Service Accounts for a Project

oc get sa
oc get serviceaccount [service-account-name]

List the Secrets associated with a Service Account

oc get sa -o yaml <service-account-name>
apiVersion: v1
kind: ServiceAccount
...
imagePullSecrets:
- name: builder-dockercfg-pgcfb
secrets:
- name: builder-token-04jmh
- name: builder-dockercfg-pgcfb

Link the Secret to a Service Account

Link the Secret to a Service Account

Create a New Service Account

Service accounts can be created as follows:

echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}'  | oc create -n default -f -
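The `secrets` list of a service account (shown in the YAML above) holds both the secrets OpenShift generates for it and any secret an operator linked by hand, so reviewing it is how you find credentials a service account can mount that nobody intended. The following is an added example (not code from the NovaOrdis page or from OpenShift) that reads the JSON form of the same data, `oc get sa -o json`, and separates generated from hand-linked secrets. It assumes the naming convention visible above (`<sa>-token-<5 chars>`, `<sa>-dockercfg-<5 chars>`) for generated secrets; the service account list is constructed.

```python
"""Which secrets each service account references, from `oc get sa -o json`.

Added example, not from the page or from OpenShift. Assumes OpenShift's
generated-secret naming (<sa>-token-xxxxx, <sa>-dockercfg-xxxxx); the
sample list below is constructed, modelled on the builder SA shown above.
"""
import json
import re

# Constructed stand-in for: oc get sa -o json
SAMPLE_SA_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "ServiceAccount",
         "metadata": {"name": "builder", "namespace": "myproject"},
         "imagePullSecrets": [{"name": "builder-dockercfg-pgcfb"}],
         "secrets": [{"name": "builder-token-04jmh"},
                     {"name": "builder-dockercfg-pgcfb"}]},
        {"kind": "ServiceAccount",
         "metadata": {"name": "deployer", "namespace": "myproject"},
         "imagePullSecrets": [{"name": "deployer-dockercfg-x1y2z"}],
         "secrets": [{"name": "deployer-token-a1b2c"},
                     {"name": "deployer-dockercfg-x1y2z"},
                     # hypothetical secret linked by hand (oc secrets link ...)
                     {"name": "db-credentials"}]},
    ],
})


def classify_secrets(sa):
    """Split one ServiceAccount's secret references into generated vs linked."""
    name = sa["metadata"]["name"]
    generated_pattern = re.compile(
        r"^%s-(token|dockercfg)-[a-z0-9]{5}$" % re.escape(name))
    generated, linked = [], []
    for ref in sa.get("secrets") or []:
        target = generated if generated_pattern.match(ref["name"]) else linked
        target.append(ref["name"])
    return {
        "name": name,
        "namespace": sa["metadata"]["namespace"],
        "generated": generated,
        "linked": linked,
        "imagePullSecrets": [r["name"] for r in sa.get("imagePullSecrets") or []],
    }


def hand_linked_secrets(sa_list_json):
    """Map 'namespace/sa' -> secrets that were not generated for that SA.

    These are the references to review: each one is a credential every pod
    running as that service account may mount or expose as environment."""
    doc = json.loads(sa_list_json)
    result = {}
    for sa in doc.get("items", []):
        info = classify_secrets(sa)
        if info["linked"]:
            result["%s/%s" % (info["namespace"], info["name"])] = info["linked"]
    return result


if __name__ == "__main__":
    for sa, secrets in hand_linked_secrets(SAMPLE_SA_LIST).items():
        print(sa, "has hand-linked secrets:", ", ".join(secrets))
```

The pattern check is deliberately strict: a secret named to look generated but with a different suffix length still lands in the linked list, so it gets reviewed rather than silently trusted.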

Security Context Constraints Operations

https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html

Also see:

Security Context Constraints

Get All SCCs

Returns all SCCs defined cluster-wide. Cluster administrators can run:

oc get scc

Get an SCC

oc get -o yaml scc/<scc-name>

Create a New SCC

https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#creating-new-security-context-constraints

Update an SCC

https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-security-context-constraints
https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#updating-the-default-security-context-constraints

Delete an SCC

https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#deleting-security-context-constraints

Enable Images to Run with USER in the Dockerfile

https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile

Users and SCCs

Users and groups can be associated administratively with SCCs.

Adding a user to an SCC is done with:

oadm policy add-user-to-scc <scc_name> <user_name>

Adding a group to an SCC is done with:

oadm policy add-group-to-scc <scc_name> <group_name>

Service Accounts and SCCs

Service accounts can be associated administratively with SCCs.

Associating a service account with an SCC:

oc adm policy add-scc-to-user <scc-name> -z <service-account-name>

Disassociating a service account from an SCC:

oc adm policy remove-scc-from-user <scc-name> -z <service-account-name>
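The two commands above edit the `users` list of the SCC object: `add-scc-to-user ... -z` appends the identity `system:serviceaccount:<project>:<name>` and `remove-scc-from-user ... -z` deletes it. The following is an added example (not code from the NovaOrdis page or from OpenShift) that models that change on the JSON returned by `oc get scc -o json` and re-audits which service accounts are then allowed to use an SCC that permits privileged containers or host namespaces. It assumes the OpenShift 3.x SCC field names (`users`, `groups`, `allowPrivilegedContainer`, `allowHostNetwork`, `allowHostPID`, `allowHostIPC`); the SCC list is constructed and only approximates the cluster defaults.

```python
"""Service accounts on SCCs, from `oc get scc -o json`.

Added example, not from the page or from OpenShift. Assumes the OpenShift
3.x SecurityContextConstraints JSON shape; the list below is constructed
and only approximates the default SCCs of a cluster.
"""
import json

# Constructed stand-in for: oc get scc -o json
SAMPLE_SCC_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "restricted"},
         "allowPrivilegedContainer": False, "allowHostNetwork": False,
         "allowHostPID": False, "allowHostIPC": False,
         "users": [], "groups": ["system:authenticated"]},
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "anyuid"},
         "allowPrivilegedContainer": False, "allowHostNetwork": False,
         "allowHostPID": False, "allowHostIPC": False,
         # hypothetical SA that needed a fixed UID
         "users": ["system:serviceaccount:myproject:legacy-app"],
         "groups": ["system:cluster-admins"]},
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "privileged"},
         "allowPrivilegedContainer": True, "allowHostNetwork": True,
         "allowHostPID": True, "allowHostIPC": True,
         "users": ["system:admin",
                   "system:serviceaccount:openshift-infra:build-controller"],
         "groups": ["system:cluster-admins", "system:nodes"]},
    ],
})

# SCC settings that let a pod reach the host; any one of them makes the SCC risky.
HOST_ESCAPE_FIELDS = ("allowPrivilegedContainer", "allowHostNetwork",
                      "allowHostPID", "allowHostIPC")


def sa_identity(namespace, name):
    """The user name OpenShift assigns to a service account."""
    return "system:serviceaccount:%s:%s" % (namespace, name)


def add_scc_to_service_account(scc, namespace, name):
    """Effect of `oc adm policy add-scc-to-user <scc> -z <name>` run in
    project <namespace>: the SA identity is appended to the SCC's users."""
    ident = sa_identity(namespace, name)
    users = scc.setdefault("users", [])
    if ident not in users:
        users.append(ident)
    return scc


def remove_scc_from_service_account(scc, namespace, name):
    """Effect of `oc adm policy remove-scc-from-user <scc> -z <name>`."""
    ident = sa_identity(namespace, name)
    scc["users"] = [u for u in scc.get("users") or [] if u != ident]
    return scc


def host_escape_sccs(scc_list_json):
    """Names of SCCs that allow privileged containers or host namespaces."""
    doc = json.loads(scc_list_json)
    return sorted(s["metadata"]["name"] for s in doc["items"]
                  if any(s.get(field) for field in HOST_ESCAPE_FIELDS))


def service_accounts_on_risky_sccs(scc_list_json):
    """(scc, sa-identity) pairs for every SA granted a host-escape SCC."""
    doc = json.loads(scc_list_json)
    risky = set(host_escape_sccs(scc_list_json))
    return sorted((s["metadata"]["name"], u)
                  for s in doc["items"] if s["metadata"]["name"] in risky
                  for u in s.get("users") or []
                  if u.startswith("system:serviceaccount:"))


def grant_then_audit(scc_list_json, scc_name, namespace, sa_name):
    """Apply add-scc-to-user to one SCC in the list and return the findings
    the grant introduces (empty when the SCC cannot reach the host)."""
    doc = json.loads(scc_list_json)
    for scc in doc["items"]:
        if scc["metadata"]["name"] == scc_name:
            add_scc_to_service_account(scc, namespace, sa_name)
    before = set(service_accounts_on_risky_sccs(scc_list_json))
    after = set(service_accounts_on_risky_sccs(json.dumps(doc)))
    return sorted(after - before)


if __name__ == "__main__":
    print("host-escape SCCs:", host_escape_sccs(SAMPLE_SCC_LIST))
    print("new findings after granting privileged to myproject/app:",
          grant_then_audit(SAMPLE_SCC_LIST, "privileged", "myproject", "app"))
```

Running the audit before and after a grant, as `grant_then_audit` does, turns "add this SA to privileged" into a reviewable diff of host-escape capability, which is the check a change request for an SCC grant should carry.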