
Checking RBAC on minishift V1.29.0

Posted at 2019-01-13

Introduction

Since the end of the year I have been trying to import images into the openshift namespace,
but it kept failing, so I have been importing images into my own project instead.

So I want to take a look at RBAC, which I had been avoiding.

Checking what the current user can do (oc policy can-i --list)

Log in to OpenShift and check what the current user is allowed to do.
Incidentally, this command, oc policy can-i --list, is apparently deprecated.
It tells you to use oc auth can-i instead, but I'm not going to (lol).

First, the system user

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u system -p admin
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[tak@centos76 ~]$ oc policy can-i --list
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[create]           []                       []               []                             [selfsubjectrulesreviews]
[create]           []                       []               [authorization.openshift.io]   [selfsubjectrulesreviews]
[create get]       []                       []               []                             [buildconfigs/webhooks]
[create get]       []                       []               [build.openshift.io]           [buildconfigs/webhooks]
[create list]      []                       []               []                             [projectrequests]
[create list]      []                       []               [project.openshift.io]         [projectrequests]
[create]           []                       []               []                             [builds/docker]
[create]           []                       []               []                             [builds/jenkinspipeline]
[create]           []                       []               []                             [builds/optimizeddocker]
[create]           []                       []               []                             [builds/source]
[create]           []                       []               [authorization.k8s.io]         [selfsubjectrulesreviews]
[create]           []                       []               [build.openshift.io]           [builds/docker]
[create]           []                       []               [build.openshift.io]           [builds/jenkinspipeline]
[create]           []                       []               [build.openshift.io]           [builds/optimizeddocker]
[create]           []                       []               [build.openshift.io]           [builds/source]
[delete]           []                       []               []                             [oauthaccesstokens]
[delete]           []                       []               []                             [oauthauthorizetokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthaccesstokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthauthorizetokens]
[get list watch]   []                       []               [rbac.authorization.k8s.io]    [clusterroles]
[get list]         []                       []               []                             [clusterroles]
[get list]         []                       []               [authorization.openshift.io]   [clusterroles]
[get list]         []                       []               [storage.k8s.io]               [storageclasses]
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/]                      []               []                             []
[get]              [/]                      []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/healthz/*]             []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/openapi/*]             []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi]               []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/]              []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              []                       [~]              []                             [users]
[get]              []                       [~]              [user.openshift.io]            [users]
[impersonate]      []                       []               [authentication.k8s.io]        [userextras/scopes.authorization.openshift.io]
[list watch]       []                       []               []                             [projects]
[list watch]       []                       []               [project.openshift.io]         [projects]

Next, check the permissions of developer in the openshift namespace.

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u developer
Logged into "https://192.168.42.233:8443" as "developer" using existing credentials.

You have one project on this server: "<your_project>"

Using project "<your_project>".
[tak@centos76 ~]$ oc policy can-i --list -n openshift
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[create]           []                       []               []                             [selfsubjectrulesreviews]
[create]           []                       []               [authorization.openshift.io]   [selfsubjectrulesreviews]
[create get]       []                       []               []                             [buildconfigs/webhooks]
[create get]       []                       []               [build.openshift.io]           [buildconfigs/webhooks]
[create]           []                       []               []                             [builds/docker]
[create]           []                       []               []                             [builds/jenkinspipeline]
[create]           []                       []               []                             [builds/optimizeddocker]
[create]           []                       []               []                             [builds/source]
[create]           []                       []               [authorization.k8s.io]         [selfsubjectrulesreviews]
[create]           []                       []               [build.openshift.io]           [builds/docker]
[create]           []                       []               [build.openshift.io]           [builds/jenkinspipeline]
[create]           []                       []               [build.openshift.io]           [builds/optimizeddocker]
[create]           []                       []               [build.openshift.io]           [builds/source]
[delete]           []                       []               []                             [oauthaccesstokens]
[delete]           []                       []               []                             [oauthauthorizetokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthaccesstokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthauthorizetokens]
[get list watch]   []                       []               []                             [imagestreamimages]
[get list watch]   []                       []               []                             [imagestreams]
[get list watch]   []                       []               []                             [imagestreamtags]
[get list watch]   []                       []               []                             [templates]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamimages]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamtags]
[get list watch]   []                       []               [rbac.authorization.k8s.io]    [clusterroles]
[get list watch]   []                       []               [template.openshift.io]        [templates]
[get list]         []                       []               []                             [clusterroles]
[get list]         []                       []               [authorization.openshift.io]   [clusterroles]
[get list]         []                       []               [storage.k8s.io]               [storageclasses]
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/]                      []               []                             []
[get]              [/]                      []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/healthz/*]             []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/openapi/*]             []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi]               []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/]              []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              []                       []               []                             [imagestreams/layers]
[get]              []                       [~]              []                             [users]
[get]              []                       []               [image.openshift.io]           [imagestreams/layers]
[get]              []                       [~]              [user.openshift.io]            [users]
[impersonate]      []                       []               [authentication.k8s.io]        [userextras/scopes.authorization.openshift.io]
[create list]      []                       []               []                             [projectrequests]
[create list]      []                       []               [project.openshift.io]         [projectrequests]
[list watch]       []                       []               []                             [projects]
[list watch]       []                       []               [project.openshift.io]         [projects]

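As an added example (not from the original post), here is a small Python parser for the `oc policy can-i --list` table layout shown above; it reads constructed excerpts in that layout for the openshift namespace and for the user's own project and answers the same question `oc auth can-i` would, which shows why an image import into openshift is refused for developer while it is permitted in the user's own project. The names `parse_can_i_list`, `can_i`, `can_i_url` and `image_import_allowed` are my own, and the sample rows are constructed, not captured from the cluster above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpts in the layout of the `oc policy can-i --list` table, one per
# namespace. Illustrative rows only, not verbatim captures of the cluster above.
OPENSHIFT_NS_RULES = """\
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[get list watch]   []                       []               []                             [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get]              [/api/*]                 []               []                             []
[get]              [/healthz]               []               []                             []
[get]              []                       [~]              [user.openshift.io]            [users]
"""

PROJECT_NS_RULES = """\
VERBS                                                          NON-RESOURCE URLS   RESOURCE NAMES   API GROUPS             RESOURCES
[create delete deletecollection get list patch update watch]   []                  []               []                     [imagestreams]
[create delete deletecollection get list patch update watch]   []                  []               [image.openshift.io]   [imagestreams]
[create]                                                       []                  []               []                     [imagestreamimports]
"""

BRACKET = re.compile(r"\[([^\]]*)\]")


@dataclass
class Rule:
    """One row of the table: every column is a bracketed, space-separated list."""
    verbs: List[str]
    non_resource_urls: List[str]
    resource_names: List[str]
    api_groups: List[str]      # [] means the core (legacy, unnamed) API group
    resources: List[str]


def parse_can_i_list(text: str) -> List[Rule]:
    """Parse the `oc policy can-i --list` table into Rule objects."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the header row and the deprecation warning oc prints first
        if not line or line.startswith("VERBS") or line.startswith("Command "):
            continue
        cells = BRACKET.findall(line)
        if len(cells) != 5:
            raise ValueError(f"unexpected row layout: {line!r}")
        verbs, urls, names, groups, resources = (c.split() for c in cells)
        rules.append(Rule(verbs, urls, names, groups, resources))
    return rules


def _allows(wanted: str, allowed: List[str], empty_is_core: bool = False) -> bool:
    """Exact match or '*' wildcard; an empty API GROUPS column is the core group."""
    if "*" in allowed or wanted in allowed:
        return True
    return empty_is_core and wanted == "" and not allowed


def can_i(rules: List[Rule], verb: str, resource: str, api_group: str = "",
          name: Optional[str] = None) -> bool:
    """Answer `oc auth can-i VERB RESOURCE` from an already-fetched rule list.
    A subresource is written as on the page, e.g. 'imagestreams/layers'."""
    for r in rules:
        if not r.resources:
            continue  # non-resource URL row; see can_i_url
        if not (_allows(verb, r.verbs) and _allows(resource, r.resources)):
            continue
        if not _allows(api_group, r.api_groups, empty_is_core=True):
            continue
        if r.resource_names and name not in r.resource_names:
            continue  # rule is restricted to named objects (e.g. [~] = yourself)
        return True
    return False


def can_i_url(rules: List[Rule], verb: str, url: str) -> bool:
    """Same check for NON-RESOURCE URLS; a trailing '/*' matches any sub-path."""
    for r in rules:
        if not r.non_resource_urls or not _allows(verb, r.verbs):
            continue
        for pattern in r.non_resource_urls:
            if pattern == url or (pattern.endswith("/*") and url.startswith(pattern[:-1])):
                return True
    return False


def image_import_allowed(rules: List[Rule]) -> bool:
    """`oc import-image` has to create an imagestreamimports object in the target
    namespace, under either the image.openshift.io group or its legacy core alias."""
    return (can_i(rules, "create", "imagestreamimports", "image.openshift.io")
            or can_i(rules, "create", "imagestreamimports", ""))


if __name__ == "__main__":
    for ns, text in (("openshift", OPENSHIFT_NS_RULES), ("<your_project>", PROJECT_NS_RULES)):
        rules = parse_can_i_list(text)
        print(f"{ns}: read imagestreams={can_i(rules, 'get', 'imagestreams')}"
              f" import image={image_import_allowed(rules)}")
```

On a live cluster the equivalent one-liner is `oc auth can-i create imagestreamimports -n openshift`, which returns "no" for developer and "yes" in the user's own project.
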
Next, check the permissions of developer in the namespace of my own project, <your_project>.

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u developer
Logged into "https://192.168.42.233:8443" as "developer" using existing credentials.

You have one project on this server: "<your_project>"

Using project "<your_project>".
[tak@centos76 ~]$ oc policy can-i --list -n <your_project>
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS                                                                      NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[admin edit view]                                                          []                       []               [build.openshift.io]           [jenkins]
[create]                                                                   []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[create]                                                                   []                       []               []                             [selfsubjectrulesreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [selfsubjectrulesreviews]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [networkpolicies]
[create delete deletecollection get list patch update watch]               []                       []               [networking.k8s.io]            [networkpolicies]
[create delete deletecollection get impersonate list patch update watch]   []                       []               []                             [serviceaccounts]
[create delete deletecollection get list patch update watch]               []                       []               []                             [buildconfigs]
[create delete deletecollection get list patch update watch]               []                       []               []                             [buildlogs]
[create delete deletecollection get list patch update watch]               []                       []               []                             [builds]
[create delete deletecollection get list patch update watch]               []                       []               []                             [configmaps]
[create delete deletecollection get list patch update watch]               []                       []               []                             [deploymentconfigs/scale]
[create delete deletecollection get list patch update watch]               []                       []               []                             [deploymentconfigs]
[create delete deletecollection get list patch update watch]               []                       []               []                             [endpoints]
[create delete deletecollection get list patch update watch]               []                       []               []                             [imagestreamimages]
[create delete deletecollection get list patch update watch]               []                       []               []                             [imagestreammappings]
[create delete deletecollection get list patch update watch]               []                       []               []                             [imagestreams/secrets]
[create delete deletecollection get list patch update watch]               []                       []               []                             [imagestreams]
[create delete deletecollection get list patch update watch]               []                       []               []                             [imagestreamtags]
[create delete deletecollection get list patch update watch]               []                       []               []                             [persistentvolumeclaims]
[create delete deletecollection get list patch update watch]               []                       []               []                             [pods/attach]
[create delete deletecollection get list patch update watch]               []                       []               []                             [pods/exec]
[create delete deletecollection get list patch update watch]               []                       []               []                             [pods/portforward]
[create delete deletecollection get list patch update watch]               []                       []               []                             [pods/proxy]
[create delete deletecollection get list patch update watch]               []                       []               []                             [pods]
[create delete deletecollection get list patch update watch]               []                       []               []                             [processedtemplates]
[create delete deletecollection get list patch update watch]               []                       []               []                             [replicationcontrollers/scale]
[create delete deletecollection get list patch update watch]               []                       []               []                             [replicationcontrollers]
[create delete deletecollection get list patch update watch]               []                       []               []                             [rolebindings]
[create delete deletecollection get list patch update watch]               []                       []               []                             [roles]
[create delete deletecollection get list patch update watch]               []                       []               []                             [routes]
[create delete deletecollection get list patch update watch]               []                       []               []                             [secrets]
[create delete deletecollection get list patch update watch]               []                       []               []                             [services/proxy]
[create delete deletecollection get list patch update watch]               []                       []               []                             [services]
[create delete deletecollection get list patch update watch]               []                       []               []                             [templateconfigs]
[create delete deletecollection get list patch update watch]               []                       []               []                             [templateinstances]
[create delete deletecollection get list patch update watch]               []                       []               []                             [templates]
[create delete deletecollection get list patch update watch]               []                       []               [apps.openshift.io]            [deploymentconfigs/scale]
[create delete deletecollection get list patch update watch]               []                       []               [apps.openshift.io]            [deploymentconfigs]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [daemonsets]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [deployments/rollback]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [deployments/scale]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [deployments]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [replicasets/scale]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [replicasets]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [statefulsets/scale]
[create delete deletecollection get list patch update watch]               []                       []               [apps]                         [statefulsets]
[create delete deletecollection get list patch update watch]               []                       []               [authorization.openshift.io]   [rolebindings]
[create delete deletecollection get list patch update watch]               []                       []               [authorization.openshift.io]   [roles]
[create delete deletecollection get list patch update watch]               []                       []               [autoscaling]                  [horizontalpodautoscalers]
[create delete deletecollection get list patch update watch]               []                       []               [batch]                        [cronjobs]
[create delete deletecollection get list patch update watch]               []                       []               [batch]                        [jobs]
[create delete deletecollection get list patch update watch]               []                       []               [build.openshift.io]           [buildconfigs]
[create delete deletecollection get list patch update watch]               []                       []               [build.openshift.io]           [buildlogs]
[create delete deletecollection get list patch update watch]               []                       []               [build.openshift.io]           [builds]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [daemonsets]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [deployments/rollback]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [deployments/scale]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [deployments]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [ingresses]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [replicasets/scale]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [replicasets]
[create delete deletecollection get list patch update watch]               []                       []               [extensions]                   [replicationcontrollers/scale]
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreamimages]
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreammappings]
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreams/secrets]
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreams]
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreamtags]
[create delete deletecollection get list patch update watch]               []                       []               [policy]                       [poddisruptionbudgets]
[create delete deletecollection get list patch update watch]               []                       []               [rbac.authorization.k8s.io]    [rolebindings]
[create delete deletecollection get list patch update watch]               []                       []               [rbac.authorization.k8s.io]    [roles]
[create delete deletecollection get list patch update watch]               []                       []               [route.openshift.io]           [routes]
[create delete deletecollection get list patch update watch]               []                       []               [template.openshift.io]        [processedtemplates]
[create delete deletecollection get list patch update watch]               []                       []               [template.openshift.io]        [templateconfigs]
[create delete deletecollection get list patch update watch]               []                       []               [template.openshift.io]        [templateinstances]
[create delete deletecollection get list patch update watch]               []                       []               [template.openshift.io]        [templates]
[create delete deletecollection get list patch update watch]               []                       []               []                             [buildconfigs/webhooks]
[create delete deletecollection get list patch update watch]               []                       []               [build.openshift.io]           [buildconfigs/webhooks]
[create]                                                                   []                       []               []                             [buildconfigs/instantiate]
[create]                                                                   []                       []               []                             [buildconfigs/instantiatebinary]
[create]                                                                   []                       []               []                             [builds/clone]
[create]                                                                   []                       []               []                             [builds/docker]
[create]                                                                   []                       []               []                             [builds/jenkinspipeline]
[create]                                                                   []                       []               []                             [builds/optimizeddocker]
[create]                                                                   []                       []               []                             [builds/source]
[create]                                                                   []                       []               []                             [deploymentconfigrollbacks]
[create]                                                                   []                       []               []                             [deploymentconfigs/instantiate]
[create]                                                                   []                       []               []                             [deploymentconfigs/rollback]
[create]                                                                   []                       []               []                             [imagestreamimports]
[create]                                                                   []                       []               []                             [localresourceaccessreviews]
[create]                                                                   []                       []               []                             [localsubjectaccessreviews]
[create]                                                                   []                       []               []                             [podsecuritypolicyreviews]
[create]                                                                   []                       []               []                             [podsecuritypolicyselfsubjectreviews]
[create]                                                                   []                       []               []                             [podsecuritypolicysubjectreviews]
[create]                                                                   []                       []               []                             [resourceaccessreviews]
[create]                                                                   []                       []               []                             [routes/custom-host]
[create]                                                                   []                       []               []                             [subjectaccessreviews]
[create]                                                                   []                       []               []                             [subjectrulesreviews]
[create]                                                                   []                       []               [apps.openshift.io]            [deploymentconfigrollbacks]
[create]                                                                   []                       []               [apps.openshift.io]            [deploymentconfigs/instantiate]
[create]                                                                   []                       []               [apps.openshift.io]            [deploymentconfigs/rollback]
[create]                                                                   []                       []               [authorization.k8s.io]         [localsubjectaccessreviews]
[create]                                                                   []                       []               [authorization.k8s.io]         [selfsubjectrulesreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [localresourceaccessreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [localsubjectaccessreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [resourceaccessreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [subjectaccessreviews]
[create]                                                                   []                       []               [authorization.openshift.io]   [subjectrulesreviews]
[create]                                                                   []                       []               [build.openshift.io]           [buildconfigs/instantiate]
[create]                                                                   []                       []               [build.openshift.io]           [buildconfigs/instantiatebinary]
[create]                                                                   []                       []               [build.openshift.io]           [builds/clone]
[create]                                                                   []                       []               [build.openshift.io]           [builds/docker]
[create]                                                                   []                       []               [build.openshift.io]           [builds/jenkinspipeline]
[create]                                                                   []                       []               [build.openshift.io]           [builds/optimizeddocker]
[create]                                                                   []                       []               [build.openshift.io]           [builds/source]
[create]                                                                   []                       []               [image.openshift.io]           [imagestreamimports]
[create]                                                                   []                       []               [route.openshift.io]           [routes/custom-host]
[create]                                                                   []                       []               [security.openshift.io]        [podsecuritypolicyreviews]
[create]                                                                   []                       []               [security.openshift.io]        [podsecuritypolicyselfsubjectreviews]
[create]                                                                   []                       []               [security.openshift.io]        [podsecuritypolicysubjectreviews]
[delete]                                                                   []                       []               []                             [oauthaccesstokens]
[delete]                                                                   []                       []               []                             [oauthauthorizetokens]
[delete]                                                                   []                       []               [oauth.openshift.io]           [oauthaccesstokens]
[delete]                                                                   []                       []               [oauth.openshift.io]           [oauthauthorizetokens]
[get list update watch]                                                    []                       []               []                             [routes/status]
[get list update watch]                                                    []                       []               [route.openshift.io]           [routes/status]
[get list watch]                                                           []                       []               []                             [appliedclusterresourcequotas]
[get list watch]                                                           []                       []               []                             [bindings]
[get list watch]                                                           []                       []               []                             [builds/log]
[get list watch]                                                           []                       []               []                             [deploymentconfigs/log]
[get list watch]                                                           []                       []               []                             [deploymentconfigs/status]
[get list watch]                                                           []                       []               []                             [events]
[get list watch]                                                           []                       []               []                             [imagestreams/status]
[get list watch]                                                           []                       []               []                             [limitranges]
[get list watch]                                                           []                       []               []                             [namespaces/status]
[get list watch]                                                           []                       []               []                             [namespaces]
[get list watch]                                                           []                       []               []                             [pods/log]
[get list watch]                                                           []                       []               []                             [pods/status]
[get list watch]                                                           []                       []               []                             [replicationcontrollers/status]
[get list watch]                                                           []                       []               []                             [resourcequotas/status]
[get list watch]                                                           []                       []               []                             [resourcequotas]
[get list watch]                                                           []                       []               []                             [resourcequotausages]
[get list watch]                                                           []                       []               []                             [rolebindingrestrictions]
[get list watch]                                                           []                       []               [apps.openshift.io]            [deploymentconfigs/log]
[get list watch]                                                           []                       []               [apps.openshift.io]            [deploymentconfigs/status]
[get list watch]                                                           []                       []               [authorization.openshift.io]   [rolebindingrestrictions]
[get list watch]                                                           []                       []               [build.openshift.io]           [builds/log]
[get list watch]                                                           []                       []               [image.openshift.io]           [imagestreams/status]
[get list watch]                                                           []                       []               [quota.openshift.io]           [appliedclusterresourcequotas]
[get list watch]                                                           []                       []               [rbac.authorization.k8s.io]    [clusterroles]
[get list]                                                                 []                       []               []                             [clusterroles]
[get list]                                                                 []                       []               [authorization.openshift.io]   [clusterroles]
[get list]                                                                 []                       []               [storage.k8s.io]               [storageclasses]
[get update]                                                               []                       []               []                             [imagestreams/layers]
[get update]                                                               []                       []               [image.openshift.io]           [imagestreams/layers]
[get]                                                                      [/.well-known/*]         []               []                             []
[get]                                                                      [/.well-known/*]         []               []                             []
[get]                                                                      [/.well-known]           []               []                             []
[get]                                                                      [/.well-known]           []               []                             []
[get]                                                                      [/]                      []               []                             []
[get]                                                                      [/]                      []               []                             []
[get]                                                                      [/api/*]                 []               []                             []
[get]                                                                      [/api/*]                 []               []                             []
[get]                                                                      [/api/*]                 []               []                             []
[get]                                                                      [/api]                   []               []                             []
[get]                                                                      [/api]                   []               []                             []
[get]                                                                      [/api]                   []               []                             []
[get]                                                                      [/apis/*]                []               []                             []
[get]                                                                      [/apis/*]                []               []                             []
[get]                                                                      [/apis/*]                []               []                             []
[get]                                                                      [/apis]                  []               []                             []
[get]                                                                      [/apis]                  []               []                             []
[get]                                                                      [/apis]                  []               []                             []
[get]                                                                      [/healthz/*]             []               []                             []
[get]                                                                      [/healthz]               []               []                             []
[get]                                                                      [/healthz]               []               []                             []
[get]                                                                      [/oapi/*]                []               []                             []
[get]                                                                      [/oapi/*]                []               []                             []
[get]                                                                      [/oapi]                  []               []                             []
[get]                                                                      [/oapi]                  []               []                             []
[get]                                                                      [/openapi/*]             []               []                             []
[get]                                                                      [/openapi/v2]            []               []                             []
[get]                                                                      [/openapi/v2]            []               []                             []
[get]                                                                      [/openapi]               []               []                             []
[get]                                                                      [/osapi/]                []               []                             []
[get]                                                                      [/osapi/]                []               []                             []
[get]                                                                      [/osapi]                 []               []                             []
[get]                                                                      [/osapi]                 []               []                             []
[get]                                                                      [/swagger-2.0.0.pb-v1]   []               []                             []
[get]                                                                      [/swagger-2.0.0.pb-v1]   []               []                             []
[get]                                                                      [/swagger-2.0.0.pb-v1]   []               []                             []
[get]                                                                      [/swagger.json]          []               []                             []
[get]                                                                      [/swagger.json]          []               []                             []
[get]                                                                      [/swagger.json]          []               []                             []
[get]                                                                      [/swaggerapi/*]          []               []                             []
[get]                                                                      [/swaggerapi/*]          []               []                             []
[get]                                                                      [/swaggerapi/*]          []               []                             []
[get]                                                                      [/swaggerapi]            []               []                             []
[get]                                                                      [/swaggerapi]            []               []                             []
[get]                                                                      [/swaggerapi]            []               []                             []
[get]                                                                      [/version/*]             []               []                             []
[get]                                                                      [/version/*]             []               []                             []
[get]                                                                      [/version/]              []               []                             []
[get]                                                                      [/version]               []               []                             []
[get]                                                                      [/version]               []               []                             []
[get]                                                                      [/version]               []               []                             []
[get]                                                                      []                       [~]              []                             [users]
[get]                                                                      []                       [~]              [user.openshift.io]            [users]
[impersonate]                                                              []                       []               [authentication.k8s.io]        [userextras/scopes.authorization.openshift.io]
[create list]                                                              []                       []               []                             [projectrequests]
[create list]                                                              []                       []               [project.openshift.io]         [projectrequests]
[delete get list patch update watch]                                       []                       []               []                             [projects]
[delete get list patch update watch]                                       []                       []               [project.openshift.io]         [projects]
[update]                                                                   []                       []               []                             [builds/details]
[update]                                                                   []                       []               [build.openshift.io]           [builds/details]

In my own project, the permissions have increased.
In particular, there is create permission on imagestreams in image.openshift.io, which is presumably why images can be imported there.

[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreams]

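The table above can be checked mechanically rather than by eye. The following shell function is an added example (not code from the original post): it parses the `oc policy can-i --list` table from stdin and reports whether a given verb is granted on an API group/resource pair, so the same check can be run against the openshift namespace and your own project. The names `can_i` and `SAMPLE` are chosen here, and `SAMPLE` is a constructed excerpt in the output format shown above.

```shell
#!/bin/sh
# Usage (live cluster):
#   oc policy can-i --list -n <project> | can_i VERB APIGROUP RESOURCE
# Pass "" as APIGROUP for the core API group (printed as [] in the table).
# Prints "yes" or "no" and exits 0 or 1 accordingly.
can_i() {
  awk -v verb="$1" -v group="$2" -v res="$3" '
    # A bracketed list matches "want" if it contains it or the wildcard "*";
    # an empty list ([]) matches only the empty string (the core API group).
    function has(list, want,   i, parts) {
      if (list == "") return want == ""
      split(list, parts, " ")
      for (i in parts) if (parts[i] == want || parts[i] == "*") return 1
      return 0
    }
    # Skip the column header and the deprecation notice oc prints first.
    $1 == "VERBS" || /^Command "can-i" is deprecated/ { next }
    {
      # Pull out the five bracketed columns:
      # verbs, non-resource URLs, resource names, API groups, resources.
      line = $0; n = 0
      while (match(line, /\[[^]]*]/)) {
        n++
        col[n] = substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      if (n < 5) next
      if (has(col[4], group) && has(col[5], res) && has(col[1], verb)) found = 1
    }
    END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }
  '
}

# Constructed sample in the format printed by `oc policy can-i --list`
# (a few rows of the kind shown in the post, not live cluster output).
SAMPLE='VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create delete deletecollection get list patch update watch]               []                       []               [image.openshift.io]           [imagestreams]
[create]                                                                   []                       []               []                             [imagestreamimports]
[get list watch]                                                           []                       []               [image.openshift.io]           [imagestreams/status]
[get]                                                                      []                       [~]              []                             [users]
[get]                                                                      [/healthz]               []               []                             []'

# Demo on the sample: the create right needed to import an image stream,
# and a right the sample does not grant.
printf '%s\n' "$SAMPLE" | can_i create image.openshift.io imagestreams          # yes
printf '%s\n' "$SAMPLE" | can_i delete "" imagestreamimports || true           # no
```

For the real comparison, run the function once with `-n openshift` and once with your own project and diff the answers for the verbs you need.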
Check the types of permissions (oc get clusterrole.rbac)

Check the cluster-wide roles other than the system: ones.

[tak@centos76 ~]$ oc get clusterrole.rbac | grep -v system:
NAME                                                                   AGE
admin                                                                  1d
basic-user                                                             1d
cluster-admin                                                          1d
cluster-debugger                                                       1d
cluster-reader                                                         1d
cluster-status                                                         1d
edit                                                                   1d
registry-admin                                                         1d
registry-editor                                                        1d
registry-viewer                                                        1d
self-access-reviewer                                                   1d
self-provisioner                                                       1d
storage-admin                                                          1d
sudoer                                                                 1d
view                                                                   1d

Check the permissions of the admin role.

[tak@centos76 ~]$ oc describe clusterrole.rbac admin
Name:         admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  openshift.io/description=A user that has edit rights within the project and can change the project's membership.
              rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                                  -----------------  --------------  -----
  jenkins.build.openshift.io                                 []                 []              [admin edit view]
  networkpolicies.extensions                                 []                 []              [create delete deletecollection get list patch update watch create delete deletecollection get list patch update watch]
  networkpolicies.networking.k8s.io                          []                 []              [create delete deletecollection get list patch update watch create delete deletecollection get list patch update watch]
  serviceaccounts                                            []                 []              [create delete deletecollection get list patch update watch impersonate]
  buildconfigs/webhooks                                      []                 []              [create delete deletecollection get list patch update watch]
  buildconfigs                                               []                 []              [create delete deletecollection get list patch update watch]
  buildlogs                                                  []                 []              [create delete deletecollection get list patch update watch]
  builds                                                     []                 []              [create delete deletecollection get list patch update watch]
  configmaps                                                 []                 []              [create delete deletecollection get list patch update watch]
  deploymentconfigs/scale                                    []                 []              [create delete deletecollection get list patch update watch]
  deploymentconfigs                                          []                 []              [create delete deletecollection get list patch update watch]
  endpoints                                                  []                 []              [create delete deletecollection get list patch update watch]
  imagestreamimages                                          []                 []              [create delete deletecollection get list patch update watch]
  imagestreammappings                                        []                 []              [create delete deletecollection get list patch update watch]
  imagestreams/secrets                                       []                 []              [create delete deletecollection get list patch update watch]
  imagestreams                                               []                 []              [create delete deletecollection get list patch update watch]
  imagestreamtags                                            []                 []              [create delete deletecollection get list patch update watch]
  persistentvolumeclaims                                     []                 []              [create delete deletecollection get list patch update watch]
  pods/attach                                                []                 []              [create delete deletecollection get list patch update watch]
  pods/exec                                                  []                 []              [create delete deletecollection get list patch update watch]
  pods/portforward                                           []                 []              [create delete deletecollection get list patch update watch]
  pods/proxy                                                 []                 []              [create delete deletecollection get list patch update watch]
  pods                                                       []                 []              [create delete deletecollection get list patch update watch]
  processedtemplates                                         []                 []              [create delete deletecollection get list patch update watch]
  replicationcontrollers/scale                               []                 []              [create delete deletecollection get list patch update watch]
  replicationcontrollers                                     []                 []              [create delete deletecollection get list patch update watch]
  rolebindings                                               []                 []              [create delete deletecollection get list patch update watch]
  roles                                                      []                 []              [create delete deletecollection get list patch update watch]
  routes                                                     []                 []              [create delete deletecollection get list patch update watch]
  secrets                                                    []                 []              [create delete deletecollection get list patch update watch]
  services/proxy                                             []                 []              [create delete deletecollection get list patch update watch]
  services                                                   []                 []              [create delete deletecollection get list patch update watch]
  templateconfigs                                            []                 []              [create delete deletecollection get list patch update watch]
  templateinstances                                          []                 []              [create delete deletecollection get list patch update watch]
  templates                                                  []                 []              [create delete deletecollection get list patch update watch]
  deploymentconfigs.apps.openshift.io/scale                  []                 []              [create delete deletecollection get list patch update watch]
  deploymentconfigs.apps.openshift.io                        []                 []              [create delete deletecollection get list patch update watch]
  daemonsets.apps                                            []                 []              [create delete deletecollection get list patch update watch]
  deployments.apps/rollback                                  []                 []              [create delete deletecollection get list patch update watch]
  deployments.apps/scale                                     []                 []              [create delete deletecollection get list patch update watch]
  deployments.apps                                           []                 []              [create delete deletecollection get list patch update watch]
  replicasets.apps/scale                                     []                 []              [create delete deletecollection get list patch update watch]
  replicasets.apps                                           []                 []              [create delete deletecollection get list patch update watch]
  statefulsets.apps/scale                                    []                 []              [create delete deletecollection get list patch update watch]
  statefulsets.apps                                          []                 []              [create delete deletecollection get list patch update watch]
  rolebindings.authorization.openshift.io                    []                 []              [create delete deletecollection get list patch update watch]
  roles.authorization.openshift.io                           []                 []              [create delete deletecollection get list patch update watch]
  horizontalpodautoscalers.autoscaling                       []                 []              [create delete deletecollection get list patch update watch]
  cronjobs.batch                                             []                 []              [create delete deletecollection get list patch update watch]
  jobs.batch                                                 []                 []              [create delete deletecollection get list patch update watch]
  buildconfigs.build.openshift.io/webhooks                   []                 []              [create delete deletecollection get list patch update watch]
  buildconfigs.build.openshift.io                            []                 []              [create delete deletecollection get list patch update watch]
  buildlogs.build.openshift.io                               []                 []              [create delete deletecollection get list patch update watch]
  builds.build.openshift.io                                  []                 []              [create delete deletecollection get list patch update watch]
  daemonsets.extensions                                      []                 []              [create delete deletecollection get list patch update watch]
  deployments.extensions/rollback                            []                 []              [create delete deletecollection get list patch update watch]
  deployments.extensions/scale                               []                 []              [create delete deletecollection get list patch update watch]
  deployments.extensions                                     []                 []              [create delete deletecollection get list patch update watch]
  ingresses.extensions                                       []                 []              [create delete deletecollection get list patch update watch]
  replicasets.extensions/scale                               []                 []              [create delete deletecollection get list patch update watch]
  replicasets.extensions                                     []                 []              [create delete deletecollection get list patch update watch]
  replicationcontrollers.extensions/scale                    []                 []              [create delete deletecollection get list patch update watch]
  imagestreamimages.image.openshift.io                       []                 []              [create delete deletecollection get list patch update watch]
  imagestreammappings.image.openshift.io                     []                 []              [create delete deletecollection get list patch update watch]
  imagestreams.image.openshift.io/secrets                    []                 []              [create delete deletecollection get list patch update watch]
  imagestreams.image.openshift.io                            []                 []              [create delete deletecollection get list patch update watch]
  imagestreamtags.image.openshift.io                         []                 []              [create delete deletecollection get list patch update watch]
  poddisruptionbudgets.policy                                []                 []              [create delete deletecollection get list patch update watch]
  rolebindings.rbac.authorization.k8s.io                     []                 []              [create delete deletecollection get list patch update watch]
  roles.rbac.authorization.k8s.io                            []                 []              [create delete deletecollection get list patch update watch]
  routes.route.openshift.io                                  []                 []              [create delete deletecollection get list patch update watch]
  processedtemplates.template.openshift.io                   []                 []              [create delete deletecollection get list patch update watch]
  templateconfigs.template.openshift.io                      []                 []              [create delete deletecollection get list patch update watch]
  templateinstances.template.openshift.io                    []                 []              [create delete deletecollection get list patch update watch]
  templates.template.openshift.io                            []                 []              [create delete deletecollection get list patch update watch]
  buildconfigs/instantiate                                   []                 []              [create]
  buildconfigs/instantiatebinary                             []                 []              [create]
  builds/clone                                               []                 []              [create]
  deploymentconfigrollbacks                                  []                 []              [create]
  deploymentconfigs/instantiate                              []                 []              [create]
  deploymentconfigs/rollback                                 []                 []              [create]
  imagestreamimports                                         []                 []              [create]
  localresourceaccessreviews                                 []                 []              [create]
  localsubjectaccessreviews                                  []                 []              [create]
  podsecuritypolicyreviews                                   []                 []              [create]
  podsecuritypolicyselfsubjectreviews                        []                 []              [create]
  podsecuritypolicysubjectreviews                            []                 []              [create]
  resourceaccessreviews                                      []                 []              [create]
  routes/custom-host                                         []                 []              [create]
  subjectaccessreviews                                       []                 []              [create]
  subjectrulesreviews                                        []                 []              [create]
  deploymentconfigrollbacks.apps.openshift.io                []                 []              [create]
  deploymentconfigs.apps.openshift.io/instantiate            []                 []              [create]
  deploymentconfigs.apps.openshift.io/rollback               []                 []              [create]
  localsubjectaccessreviews.authorization.k8s.io             []                 []              [create]
  localresourceaccessreviews.authorization.openshift.io      []                 []              [create]
  localsubjectaccessreviews.authorization.openshift.io       []                 []              [create]
  resourceaccessreviews.authorization.openshift.io           []                 []              [create]
  subjectaccessreviews.authorization.openshift.io            []                 []              [create]
  subjectrulesreviews.authorization.openshift.io             []                 []              [create]
  buildconfigs.build.openshift.io/instantiate                []                 []              [create]
  buildconfigs.build.openshift.io/instantiatebinary          []                 []              [create]
  builds.build.openshift.io/clone                            []                 []              [create]
  imagestreamimports.image.openshift.io                      []                 []              [create]
  routes.route.openshift.io/custom-host                      []                 []              [create]
  podsecuritypolicyreviews.security.openshift.io             []                 []              [create]
  podsecuritypolicyselfsubjectreviews.security.openshift.io  []                 []              [create]
  podsecuritypolicysubjectreviews.security.openshift.io      []                 []              [create]
  projects                                                   []                 []              [delete get patch update]
  projects.project.openshift.io                              []                 []              [delete get patch update]
  routes/status                                              []                 []              [get list watch update]
  routes.route.openshift.io/status                           []                 []              [get list watch update]
  appliedclusterresourcequotas                               []                 []              [get list watch]
  bindings                                                   []                 []              [get list watch]
  builds/log                                                 []                 []              [get list watch]
  deploymentconfigs/log                                      []                 []              [get list watch]
  deploymentconfigs/status                                   []                 []              [get list watch]
  events                                                     []                 []              [get list watch]
  imagestreams/status                                        []                 []              [get list watch]
  limitranges                                                []                 []              [get list watch]
  namespaces/status                                          []                 []              [get list watch]
  namespaces                                                 []                 []              [get list watch]
  pods/log                                                   []                 []              [get list watch]
  pods/status                                                []                 []              [get list watch]
  replicationcontrollers/status                              []                 []              [get list watch]
  resourcequotas/status                                      []                 []              [get list watch]
  resourcequotas                                             []                 []              [get list watch]
  resourcequotausages                                        []                 []              [get list watch]
  rolebindingrestrictions                                    []                 []              [get list watch]
  deploymentconfigs.apps.openshift.io/log                    []                 []              [get list watch]
  deploymentconfigs.apps.openshift.io/status                 []                 []              [get list watch]
  rolebindingrestrictions.authorization.openshift.io         []                 []              [get list watch]
  builds.build.openshift.io/log                              []                 []              [get list watch]
  imagestreams.image.openshift.io/status                     []                 []              [get list watch]
  appliedclusterresourcequotas.quota.openshift.io            []                 []              [get list watch]
  imagestreams/layers                                        []                 []              [get update]
  imagestreams.image.openshift.io/layers                     []                 []              [get update]
  builds/details                                             []                 []              [update]
  builds.build.openshift.io/details                          []                 []              [update]

Since the following entry exists, it looks like it would work if I gave system the admin role.

  imagestreams                                               []                 []              [create delete deletecollection get list patch update watch]

Granting permissions (oc adm policy add-role-to-user)

Let's naively try granting the admin role to system (lol)

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u system -p admin
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[tak@centos76 ~]$  oc adm policy add-role-to-user admin system
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "system" cannot list rolebindings.rbac.authorization.k8s.io in the namespace "default": no RBAC policy matched

So who on earth holds that permission?
A user stronger than system? ( ;∀;)

With that, I set out on a further search.

minishift add-ons (admin-user)

OKD Latest > Minishift > Using Minishift > Add-ons

According to the docs, the following add-ons are bundled by default.
Among them, the one that stands out is admin-user.
High hopes for this one.

Add-on Name                  Description
---------------------------  -----------------------------------------------------------------------------------
anyuid                       Changes the default security context constraints to allow pods to run with arbitrary UID.
admin-user                   Creates a user named 'admin' and assigns the cluster-admin role to it.
registry-route               Creates an edge terminated route for the OpenShift registry.
htpasswd-identity-provider   User can change and add default login username and password for the OpenShift instance.
admissions-webhook           Enables validating and mutating admission webhooks.
xpaas                        Imports xPaaS templates.
redhat-registry-login        Creates secret to access images on registry.redhat.io.
che                          Deploy che on the Minishift.

admin-user :
Creates a user named 'admin' and assigns the cluster-admin role to it.

This is exactly the add-on I wanted: it creates admin, the user with the strongest permissions (^^♪

Enabling the minishift add-on

$ minishift addons enable admin-user
Add-on 'admin-user' enabled

Check the status of the add-ons.

$ minishift addons list
- admin-user                     : enabled  P(0)
- admissions-webhook             : disabled P(0)
- anyuid                         : disabled P(0)
- che                            : disabled P(0)
- redhat-registry-login          : disabled P(0)
- registry-route                 : disabled P(0)
- htpasswd-identity-provider     : disabled P(0)
- xpaas                          : disabled P(0)

Logging in as the cluster-admin user admin

Now, at last, log in as 'admin'.

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u admin
Authentication required for https://192.168.42.233:8443 (openshift)
Username: admin
Password: <any password>
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

Check admin's permissions.

[tak@centos76 ~]$ oc policy can-i --list -n openshift
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[create]           []                       []               []                             [selfsubjectrulesreviews]
[create]           []                       []               [authorization.openshift.io]   [selfsubjectrulesreviews]
[create get]       []                       []               []                             [buildconfigs/webhooks]
[create get]       []                       []               [build.openshift.io]           [buildconfigs/webhooks]
[create list]      []                       []               []                             [projectrequests]
[create list]      []                       []               [project.openshift.io]         [projectrequests]
[create]           []                       []               []                             [builds/docker]
[create]           []                       []               []                             [builds/jenkinspipeline]
[create]           []                       []               []                             [builds/optimizeddocker]
[create]           []                       []               []                             [builds/source]
[create]           []                       []               [authorization.k8s.io]         [selfsubjectrulesreviews]
[create]           []                       []               [build.openshift.io]           [builds/docker]
[create]           []                       []               [build.openshift.io]           [builds/jenkinspipeline]
[create]           []                       []               [build.openshift.io]           [builds/optimizeddocker]
[create]           []                       []               [build.openshift.io]           [builds/source]
[delete]           []                       []               []                             [oauthaccesstokens]
[delete]           []                       []               []                             [oauthauthorizetokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthaccesstokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthauthorizetokens]
[get list watch]   []                       []               []                             [imagestreamimages]
[get list watch]   []                       []               []                             [imagestreams]
[get list watch]   []                       []               []                             [imagestreamtags]
[get list watch]   []                       []               []                             [templates]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamimages]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamtags]
[get list watch]   []                       []               [rbac.authorization.k8s.io]    [clusterroles]
[get list watch]   []                       []               [template.openshift.io]        [templates]
[get list]         []                       []               []                             [clusterroles]
[get list]         []                       []               [authorization.openshift.io]   [clusterroles]
[get list]         []                       []               [storage.k8s.io]               [storageclasses]
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/]                      []               []                             []
[get]              [/]                      []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/healthz/*]             []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/openapi/*]             []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi]               []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/]              []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              []                       []               []                             [imagestreams/layers]
[get]              []                       [~]              []                             [users]
[get]              []                       []               [image.openshift.io]           [imagestreams/layers]
[get]              []                       [~]              [user.openshift.io]            [users]
[impersonate]      []                       []               [authentication.k8s.io]        [userextras/scopes.authorization.openshift.io]
[list watch]       []                       []               []                             [projects]
[list watch]       []                       []               [project.openshift.io]         [projects]

Huh? Only get list watch.
It certainly has more permissions than system, but...
Isn't this the same as developer in the openshift namespace?

[get list watch]   []                       []               [image.openshift.io]           [imagestreamimages]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamtags]

Thinking this was odd, I checked the cluster-admin role itself:
it holds every verb on every resource.
Is admin really bound to the cluster-admin role?

[tak@centos76 ~]$ oc describe clusterrole.rbac cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  authorization.openshift.io/system-only=true
              rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

So, as a test, what if I try granting system the admin role:

[tak@centos76 ~]$ oc adm policy add-role-to-user admin system
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "admin" cannot list rolebindings.rbac.authorization.k8s.io in the namespace "default": no RBAC policy matched

It fails after all.
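As an added example (not code from the original post), here is a small Python checker that parses the table format printed by oc policy can-i --list and answers whether a verb is allowed on a resource, so the gap between what admin can do and what cluster-admin grants can be checked mechanically rather than by eye. The sample rows are trimmed copies of the listings in this post; the wildcard, core-group and resource-name matching is a simplified reading of RBAC rule semantics and is an assumption of this example.

```python
import re

# Constructed sample in the layout printed by `oc policy can-i --list`
# (VERBS, NON-RESOURCE URLS, RESOURCE NAMES, API GROUPS, RESOURCES),
# trimmed from the listing for admin BEFORE the add-on was applied.
ADMIN_BEFORE_APPLY = """\
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[get list watch]   []                       []               []                             [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get]              [/healthz]               []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              []                       [~]              [user.openshift.io]            [users]
"""

# Constructed sample trimmed from the listing AFTER `minishift addons apply
# admin-user`, where the two wildcard rows of cluster-admin appear at the top.
ADMIN_AFTER_APPLY = """\
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[*]                []                       []               [*]                            [*]
[*]                [*]                      []               []                             []
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
"""

_COLS = re.compile(r"\[([^\]]*)\]")


def parse_rules(listing):
    """Turn the can-i table into a list of rule dicts; every column becomes a token list."""
    rules = []
    for line in listing.splitlines():
        cols = _COLS.findall(line)
        if len(cols) != 5:  # header, deprecation notice and blank lines have no brackets
            continue
        verbs, urls, names, groups, resources = (c.split() for c in cols)
        rules.append({"verbs": verbs, "urls": urls, "names": names,
                      "groups": groups, "resources": resources})
    return rules


def _verb_ok(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]


def _group_ok(rule, group):
    # Assumption: an empty API GROUPS column on a resource rule means the core ("") group.
    if "*" in rule["groups"]:
        return True
    return (group == "" and not rule["groups"]) or group in rule["groups"]


def _resource_ok(rule, resource):
    # A "pods/log" style subresource entry only matches that exact string.
    return "*" in rule["resources"] or resource in rule["resources"]


def can_i(rules, verb, resource, group="", name=None):
    """Return the first rule allowing verb on group/resource (optionally a named object), else None."""
    for rule in rules:
        if rule["urls"]:  # non-resource rule, handled by can_i_url
            continue
        if not (_verb_ok(rule, verb) and _group_ok(rule, group)
                and _resource_ok(rule, resource)):
            continue
        if rule["names"] and name not in rule["names"]:
            continue  # rule is restricted to specific resource names (e.g. "~" = self)
        return rule
    return None


def can_i_url(rules, verb, path):
    """Return the first non-resource rule allowing verb on path ('/x/*' matches '/x/...'), else None."""
    for rule in rules:
        if not rule["urls"] or not _verb_ok(rule, verb):
            continue
        for pattern in rule["urls"]:
            if pattern == "*" or pattern == path:
                return rule
            if pattern.endswith("/*") and path.startswith(pattern[:-1]):
                return rule
    return None


if __name__ == "__main__":
    for label, listing in (("before apply", ADMIN_BEFORE_APPLY), ("after apply", ADMIN_AFTER_APPLY)):
        rules = parse_rules(listing)
        hit = can_i(rules, "create", "imagestreams", "image.openshift.io")
        print(f"{label}: create imagestreams.image.openshift.io ->", "allowed" if hit else "denied")
```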

Applying the minishift add-on

After enabling it, it turns out you also have to apply it (^^;

[tak@centos76 ~]$ minishift addons apply admin-user
-- Applying addon 'admin-user':..

Check the permissions once more.
Now projects that did not show up before are visible.
Seeing openshift in particular is promising (lol)

[tak@centos76 ~]$ oc login $(minishift ip):8443 -u admin
Authentication required for https://192.168.42.85:8443 (openshift)
Username: admin
Password: <any password>
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-dns
    kube-proxy
    kube-public
    kube-system
  * myproject
    openshift
    openshift-apiserver
    openshift-controller-manager
    openshift-core-operators
    openshift-infra
    openshift-node
    openshift-service-cert-signer
    openshift-web-console

Using project "myproject".

Holding back my impatience, first check the permissions.

[tak@centos76 ~]$ oc policy can-i --list -n openshift
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[*]                []                       []               [*]                            [*]
[*]                [*]                      []               []                             []
[create]           []                       []               [authorization.k8s.io]         [selfsubjectaccessreviews]
[create]           []                       []               []                             [selfsubjectrulesreviews]
[create]           []                       []               [authorization.openshift.io]   [selfsubjectrulesreviews]
[create get]       []                       []               []                             [buildconfigs/webhooks]
[create get]       []                       []               [build.openshift.io]           [buildconfigs/webhooks]
[create]           []                       []               []                             [builds/docker]
[create]           []                       []               []                             [builds/jenkinspipeline]
[create]           []                       []               []                             [builds/optimizeddocker]
[create]           []                       []               []                             [builds/source]
[create]           []                       []               [authorization.k8s.io]         [selfsubjectrulesreviews]
[create]           []                       []               [build.openshift.io]           [builds/docker]
[create]           []                       []               [build.openshift.io]           [builds/jenkinspipeline]
[create]           []                       []               [build.openshift.io]           [builds/optimizeddocker]
[create]           []                       []               [build.openshift.io]           [builds/source]
[delete]           []                       []               []                             [oauthaccesstokens]
[delete]           []                       []               []                             [oauthauthorizetokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthaccesstokens]
[delete]           []                       []               [oauth.openshift.io]           [oauthauthorizetokens]
[get list watch]   []                       []               []                             [imagestreamimages]
[get list watch]   []                       []               []                             [imagestreams]
[get list watch]   []                       []               []                             [imagestreamtags]
[get list watch]   []                       []               []                             [templates]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamimages]
[get list watch]   []                       []               [image.openshift.io]           [imagestreams]
[get list watch]   []                       []               [image.openshift.io]           [imagestreamtags]
[get list watch]   []                       []               [rbac.authorization.k8s.io]    [clusterroles]
[get list watch]   []                       []               [template.openshift.io]        [templates]
[get list]         []                       []               []                             [clusterroles]
[get list]         []                       []               [authorization.openshift.io]   [clusterroles]
[get list]         []                       []               [storage.k8s.io]               [storageclasses]
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known/*]         []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/.well-known]           []               []                             []
[get]              [/]                      []               []                             []
[get]              [/]                      []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api/*]                 []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/api]                   []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis/*]                []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/apis]                  []               []                             []
[get]              [/healthz/*]             []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/healthz]               []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi/*]                []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/oapi]                  []               []                             []
[get]              [/openapi/*]             []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi/v2]            []               []                             []
[get]              [/openapi]               []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi/]                []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/osapi]                 []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger-2.0.0.pb-v1]   []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swagger.json]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi/*]          []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/swaggerapi]            []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/*]             []               []                             []
[get]              [/version/]              []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              [/version]               []               []                             []
[get]              []                       []               []                             [imagestreams/layers]
[get]              []                       [~]              []                             [users]
[get]              []                       []               [image.openshift.io]           [imagestreams/layers]
[get]              []                       [~]              [user.openshift.io]            [users]
[impersonate]      []                       []               [authentication.k8s.io]        [userextras/scopes.authorization.openshift.io]
[create list]      []                       []               []                             [projectrequests]
[create list]      []                       []               [project.openshift.io]         [projectrequests]
[list watch]       []                       []               []                             [projects]
[list watch]       []                       []               [project.openshift.io]         [projects]

For a moment I thought it was the same, but there is a [*] at the top ♪

[*]                []                       []               [*]                            [*]
[*]                [*]                      []               []                             []
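To make the comparison above concrete, here is an added example that is not part of the original post: a small Python parser for the `oc policy can-i --list` table that answers can-i questions offline, including the `[*]` wildcards in the admin rows and the `/*` prefix patterns in the NON-RESOURCE URLS column. The sample listings are constructed from rows shown on this page (the non-admin user is assumed to be `developer`, and the listing is whatever `oc` printed for the current project); the idea that `oc import-image` needs `create` on `imagestreams` and `imagestreamimports` in the `image.openshift.io` group is my reading of the command, not something the post states.

```python
"""Offline checker for `oc policy can-i --list` output (added example)."""
import re
from dataclasses import dataclass
from typing import List

# One bracketed column, e.g. "[create list]" -> "create list"
BRACKET = re.compile(r"\[([^\]]*)\]")


@dataclass
class Rule:
    verbs: List[str]
    nonresource_urls: List[str]
    resource_names: List[str]
    api_groups: List[str]
    resources: List[str]


def parse_can_i_list(text: str) -> List[Rule]:
    """Turn the five-column table into Rule objects.

    The header row, blank lines and the deprecation notice contain no
    bracketed columns and are skipped.
    """
    rules = []
    for line in text.splitlines():
        cols = BRACKET.findall(line)
        if len(cols) != 5:
            continue
        verbs, urls, names, groups, resources = (c.split() for c in cols)
        rules.append(Rule(verbs, urls, names, groups, resources))
    return rules


def _verb_ok(rule: Rule, verb: str) -> bool:
    return "*" in rule.verbs or verb in rule.verbs


def _group_ok(rule: Rule, group: str) -> bool:
    # The core API group is printed as an empty column ([]); "*" covers all.
    if "*" in rule.api_groups:
        return True
    if group == "":
        return not rule.api_groups
    return group in rule.api_groups


def can_i(rules: List[Rule], verb: str, resource: str, group: str = "", name=None) -> bool:
    """Is `verb` on `resource` (in API `group`) allowed by any rule?

    `resource` may include a subresource such as "imagestreams/layers".
    A rule with a non-empty RESOURCE NAMES column only covers those names,
    so `name` must match one of them for that rule to apply.
    """
    for rule in rules:
        if not rule.resources:
            continue  # non-resource URL rule, handled by can_i_url
        if not _verb_ok(rule, verb) or not _group_ok(rule, group):
            continue
        if "*" not in rule.resources and resource not in rule.resources:
            continue
        if rule.resource_names and name not in rule.resource_names:
            continue
        return True
    return False


def can_i_url(rules: List[Rule], verb: str, path: str) -> bool:
    """Is `verb` on the non-resource URL `path` allowed by any rule?"""
    for rule in rules:
        if not rule.nonresource_urls or not _verb_ok(rule, verb):
            continue
        for pattern in rule.nonresource_urls:
            if pattern in ("*", path):
                return True
            # "/apis/*" covers every path below "/apis/"
            if pattern.endswith("/*") and path.startswith(pattern[:-1]):
                return True
    return False


def import_image_allowed(rules: List[Rule]) -> bool:
    """Assumed minimum for `oc import-image` in the current project."""
    return (can_i(rules, "create", "imagestreams", "image.openshift.io")
            and can_i(rules, "create", "imagestreamimports", "image.openshift.io"))


# Constructed sample: rows from the non-admin listing on this page (user assumed "developer").
DEVELOPER_LISTING = """\
Command "can-i" is deprecated, use 'oc auth can-i'
VERBS              NON-RESOURCE URLS        RESOURCE NAMES   API GROUPS                     RESOURCES
[get]              [/apis/*]                []               []                             []
[get]              [/apis]                  []               []                             []
[get]              []                       []               [image.openshift.io]           [imagestreams/layers]
[get]              []                       [~]              [user.openshift.io]            [users]
[create list]      []                       []               []                             [projectrequests]
[create list]      []                       []               [project.openshift.io]         [projectrequests]
[list watch]       []                       []               [project.openshift.io]         [projects]
"""

# Constructed sample: the two rows shown for the admin user.
ADMIN_LISTING = """\
[*]                []                       []               [*]                            [*]
[*]                [*]                      []               []                             []
"""

if __name__ == "__main__":
    dev = parse_can_i_list(DEVELOPER_LISTING)
    adm = parse_can_i_list(ADMIN_LISTING)
    print("developer can import-image here:", import_image_allowed(dev))
    print("admin can import-image here:", import_image_allowed(adm))
    print("developer can get /apis/image.openshift.io:", can_i_url(dev, "get", "/apis/image.openshift.io"))
    print("developer can get user '~':", can_i(dev, "get", "users", "user.openshift.io", name="~"))
```

Run it and the developer rules say no to `import-image` while the admin rules say yes: the admin's first row grants every verb on every resource in every API group, which is exactly why the `openshift` namespace import works only after switching to that user. Note that the table is evaluated for the current project, so re-run `oc policy can-i --list` after `oc project openshift` before drawing conclusions about that namespace.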

minishift addons :: registry-route

Before trying it out, I will enable the add-ons that look necessary.

registry-route :
Creates an edge terminated route for the OpenShift registry.

$ minishift addons enable registry-route
Add-on 'registry-route' enabled
$ minishift addons list
- admin-user                     : enabled  P(0)
- redhat-registry-login          : enabled  P(0)
- registry-route                 : enabled  P(0)
- admissions-webhook             : disabled P(0)
- anyuid                         : disabled P(0)
- che                            : disabled P(0)
- htpasswd-identity-provider     : disabled P(0)
- xpaas                          : disabled P(0)

First, apply registry-route.

[tak@centos76 ~]$ minishift addons apply registry-route
-- Applying addon 'registry-route':
 -- Create secret directory..
 -- Creating server cert.
 -- Creating the secret for the registry certificates.
 -- Adding the secret to the registry pod’s service accounts (including the default service account)..
 -- Pausing the docker-registry service.
 -- Adding the secret volume to the registry deployment configuration.
 -- Enabling TLS by adding the environment variables to the registry deployment configuration.
 -- Updating the scheme used for the registry’s liveness probe from HTTP to HTTPS.
 -- Updating the scheme used for the registry’s readiness probe from HTTP to HTTPS.
 -- Resuming the docker-registry service.
 -- Creating passthrough route for docker-registry service....
 -- Add-on 'registry-route' created docker-registry route. Please run following commands to login to the OpenShift docker registry:
 -- $ eval $(minishift docker-env)
 -- $ eval $(minishift oc-env)

 -- $ docker login -u developer -p `oc whoami -t` docker-registry-default.192.168.42.85.nip.io

minishift addons :: redhat-registry-login

redhat-registry-login :
Creates secret to access images on registry.redhat.io.

I guess this is the add-on for using things like RHCC?

$ minishift addons enable redhat-registry-login 
Add-on 'redhat-registry-login' enabled
$ minishift addons apply redhat-registry-login
-- Applying addon 'redhat-registry-login':Error applying the add-on: The variable(s) 'REGISTRY_USERNAME, REGISTRY_PASSWORD' are required by the add-on, but are not defined in the context

I thought setting them as environment variables would do, but apparently not.

$ REGISTRY_USERNAME=<RedHatに登録したID>
$ REGISTRY_PASSWORD=<RedHatに登録した際のPassword>

$ set | grep REGISTRY
REGISTRY_PASSWORD=<RedHatに登録した際のPassword>
REGISTRY_USERNAME=<RedHatに登録したID>

$ minishift addons apply redhat-registry-login
-- Applying addon 'redhat-registry-login':Error applying the add-on: The variable(s) 'REGISTRY_USERNAME, REGISTRY_PASSWORD' are required by the add-on, but are not defined in the context
$ minishift start --disk-size 30GB --username <userid> --password <password>
:
$ minishift addons apply redhat-registry-login
-- Applying addon 'redhat-registry-login':Error applying the add-on: The variable(s) 'REGISTRY_USERNAME, REGISTRY_PASSWORD' are required by the add-on, but are not defined in the context

Hmm. This needs a separate investigation.

I investigated (lol).

$ minishift config set addon-env REGISTRY_USERNAME=<RedHatに登録したID>
$ minishift config view
- addon-env                          : [REGISTRY_USERNAME=<RedHatに登録したID>]
- disk-size                          : 30GB
- iso-url                            : centos

$ minishift config set addon-env REGISTRY_PASSWORD=<RedHatに登録した際のPassword>
$ minishift config view
- addon-env                          : [REGISTRY_PASSWORD=<RedHatに登録した際のPassword>]
- disk-size                          : 30GB
- iso-url                            : centos

$ minishift addons apply redhat-registry-login
-- Applying addon 'redhat-registry-login':Error applying the add-on: The variable(s) 'REGISTRY_USERNAME' are required by the add-on, but are not defined in the context

Hmm. I can't figure out how to specify multiple variables... After trying various things, the correct answer turned out to be comma-separated (^^♪

$ minishift config set addon-env REGISTRY_USERNAME=<RedHatに登録したID>,REGISTRY_PASSWORD=<RedHatに登録した際のPassword>

$ minishift config view
- addon-env                          : [REGISTRY_USERNAME=<RedHatに登録したID> REGISTRY_PASSWORD=<RedHatに登録した際のPassword>]
- disk-size                          : 30GB
- iso-url                            : centos

$ minishift addons apply redhat-registry-login
-- Applying addon 'redhat-registry-login':.

Log in as admin and import into the openshift namespace

First, log in as admin. No password is asked for.

$ oc login $(minishift ip):8443 -u admin
Logged into "https://192.168.42.85:8443" as "admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-dns
    kube-proxy
    kube-public
    kube-system
  * myproject
    openshift
    openshift-apiserver
    openshift-controller-manager
    openshift-core-operators
    openshift-infra
    openshift-node
    openshift-service-cert-signer
    openshift-web-console

Using project "myproject".

Change the project to openshift.

$ oc project openshift
Now using project "openshift" on server "https://192.168.42.85:8443".

Importing rhscl/python-36-rhel7

Import the image.
The Namespace is now openshift.

$ oc import-image openshift/python-36-rhel7:latest --from=registry.access.redhat.com/rhscl/python-36-rhel7 --confirm
imagestream.image.openshift.io/python-36-rhel7 imported

Name:           python-36-rhel7
Namespace:      openshift
Created:        Less than a second ago
Labels:         <none>
Annotations:        openshift.io/image.dockerRepositoryCheck=2019-01-14T11:43:32Z
Docker Pull Spec:   172.30.1.1:5000/openshift/python-36-rhel7
Image Lookup:       local=false
Unique Images:      1
Tags:           1

latest
  tagged from registry.access.redhat.com/rhscl/python-36-rhel7

  * registry.access.redhat.com/rhscl/python-36-rhel7@sha256:bc3538e03e4b8c60dbeb806e02b24360a389bd65a12ff73f55328eedfbcdcb3e
      Less than a second ago

Image Name: python-36-rhel7:latest
Docker Image:   registry.access.redhat.com/rhscl/python-36-rhel7@sha256:bc3538e03e4b8c60dbeb806e02b24360a389bd65a12ff73f55328eedfbcdcb3e
Name:       sha256:bc3538e03e4b8c60dbeb806e02b24360a389bd65a12ff73f55328eedfbcdcb3e
Created:    Less than a second ago
Annotations:    image.openshift.io/dockerLayersOrder=ascending
Image Size: 222.1MB in 5 layers
Layers:     75.72MB sha256:23113ae36f8e9d98b1423e44673979132dec59db2805e473e931d83548b0be82
        1.223kB sha256:d134b18b98b0d113b7b1194a60efceaa2c06eff41386d6c14b0e44bfe557eee8
        6.795MB sha256:e9c030a1a5e35aacb0fe94238025996b812bafcc8c1422a35d7bda1223da6e9e
        86.37MB sha256:784f9bf048226aaa367d5784fcf90628254eb9c6998d72e894a525c4399d4c38
        53.24MB sha256:8daef2dd454ce803baaa827469d1ef3c6e0342422f61bac311021a15fa4cf7ce
Image Created:  7 weeks ago
Author:     <none>
Arch:       amd64
Entrypoint: container-entrypoint
Command:    /bin/sh -c $STI_SCRIPTS_PATH/usage
Working Dir:    /opt/app-root/src
User:       1001
Exposes Ports:  8080/tcp
Docker Labels:  architecture=x86_64
        authoritative-source-url=registry.access.redhat.com
        build-date=2018-11-26T07:27:36.337423
        com.redhat.build-host=cpt-0010.osbs.prod.upshift.rdu2.redhat.com
        com.redhat.component=rh-python36-container
        description=Python 3.6 available as container is a base platform for building and running various Python 3.6 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.
        distribution-scope=public
        io.k8s.description=Python 3.6 available as container is a base platform for building and running various Python 3.6 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.
        io.k8s.display-name=Python 3.6
        io.openshift.expose-services=8080:http
        io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
        io.openshift.tags=builder,python,python36,rh-python36
        io.s2i.scripts-url=image:///usr/libexec/s2i
        maintainer=SoftwareCollections.org <sclorg@redhat.com>
        name=rhscl/python-36-rhel7
        release=36
        summary=Platform for building and running Python 3.6 applications
        url=https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/python-36-rhel7/images/1-36
        usage=s2i build https://github.com/sclorg/s2i-python-container.git --context-dir=3.6/test/setup-test-app/ rhscl/python-36-rhel7 python-sample-app
        vcs-ref=96351017867feb48429a2dc98ecdd27fc450960c
        vcs-type=git
        vendor=Red Hat, Inc.
        version=1
Environment:    PATH=/opt/app-root/src/.local/bin/:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        container=oci
        SUMMARY=Platform for building and running Python 3.6 applications
        DESCRIPTION=Python 3.6 available as container is a base platform for building and running various Python 3.6 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.
        STI_SCRIPTS_URL=image:///usr/libexec/s2i
        STI_SCRIPTS_PATH=/usr/libexec/s2i
        APP_ROOT=/opt/app-root
        HOME=/opt/app-root/src
        BASH_ENV=/opt/app-root/etc/scl_enable
        ENV=/opt/app-root/etc/scl_enable
        PROMPT_COMMAND=. /opt/app-root/etc/scl_enable
        NODEJS_SCL=rh-nodejs8
        PYTHON_VERSION=3.6
        PYTHONUNBUFFERED=1
        PYTHONIOENCODING=UTF-8
        LC_ALL=en_US.UTF-8
        LANG=en_US.UTF-8
        PIP_NO_CACHE_DIR=off

Importing rhscl/postgresql-96-rhel7

$ oc import-image openshift/postgresql-96-rhel7:latest --from=registry.access.redhat.com/rhscl/postgresql-96-rhel7 --confirm
imagestream.image.openshift.io/postgresql-96-rhel7 imported

Name:           postgresql-96-rhel7
Namespace:      openshift
Created:        Less than a second ago
Labels:         <none>
Annotations:        openshift.io/image.dockerRepositoryCheck=2019-01-14T11:49:21Z
Docker Pull Spec:   172.30.1.1:5000/openshift/postgresql-96-rhel7
Image Lookup:       local=false
Unique Images:      1
Tags:           1

latest
  tagged from registry.access.redhat.com/rhscl/postgresql-96-rhel7

  * registry.access.redhat.com/rhscl/postgresql-96-rhel7@sha256:52784d5e55d82076ac5f809ed6d298af6bac2003e2cfe1f0099123deefc45da1
      Less than a second ago

Image Name: postgresql-96-rhel7:latest
Docker Image:   registry.access.redhat.com/rhscl/postgresql-96-rhel7@sha256:52784d5e55d82076ac5f809ed6d298af6bac2003e2cfe1f0099123deefc45da1
Name:       sha256:52784d5e55d82076ac5f809ed6d298af6bac2003e2cfe1f0099123deefc45da1
Created:    Less than a second ago
Annotations:    image.openshift.io/dockerLayersOrder=ascending
Image Size: 116.6MB in 4 layers
Layers:     75.72MB sha256:23113ae36f8e9d98b1423e44673979132dec59db2805e473e931d83548b0be82
        1.223kB sha256:d134b18b98b0d113b7b1194a60efceaa2c06eff41386d6c14b0e44bfe557eee8
        6.795MB sha256:e9c030a1a5e35aacb0fe94238025996b812bafcc8c1422a35d7bda1223da6e9e
        34.04MB sha256:b4b43ee5f56192791068dc1f70645e4b34f03919846cb92968a61f1a10a8857b
Image Created:  7 weeks ago
Author:     <none>
Arch:       amd64
Entrypoint: container-entrypoint
Command:    run-postgresql
Working Dir:    /opt/app-root/src
User:       26
Exposes Ports:  5432/tcp
Docker Labels:  architecture=x86_64
        authoritative-source-url=registry.access.redhat.com
        build-date=2018-11-26T09:22:52.545618
        com.redhat.build-host=cpt-0002.osbs.prod.upshift.rdu2.redhat.com
        com.redhat.component=rh-postgresql96-container
        description=PostgreSQL is an advanced Object-Relational database management system (DBMS). The image contains the client and server programs that you'll need to create, run, maintain and access a PostgreSQL DBMS server.
        distribution-scope=public
        io.k8s.description=PostgreSQL is an advanced Object-Relational database management system (DBMS). The image contains the client and server programs that you'll need to create, run, maintain and access a PostgreSQL DBMS server.
        io.k8s.display-name=PostgreSQL 9.6
        io.openshift.expose-services=5432:postgresql
        io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
        io.openshift.tags=database,postgresql,postgresql96,rh-postgresql96
        io.s2i.scripts-url=image:///usr/libexec/s2i
        maintainer=SoftwareCollections.org <sclorg@redhat.com>
        name=rhscl/postgresql-96-rhel7
        release=32
        summary=PostgreSQL is an advanced Object-Relational database management system
        url=https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/postgresql-96-rhel7/images/1-32
        usage=docker run -d --name postgresql_database -e POSTGRESQL_USER=user -e POSTGRESQL_PASSWORD=pass -e POSTGRESQL_DATABASE=db -p 5432:5432 rhscl/postgresql-96-rhel7
        vcs-ref=4d1b1f1c6f1fe58893e1d300ad7462ebbde15dd2
        vcs-type=git
        vendor=Red Hat, Inc.
        version=1
Environment:    PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        container=oci
        SUMMARY=PostgreSQL is an advanced Object-Relational database management system
        DESCRIPTION=PostgreSQL is an advanced Object-Relational database management system (DBMS). The image contains the client and server programs that you'll need to create, run, maintain and access a PostgreSQL DBMS server.
        STI_SCRIPTS_URL=image:///usr/libexec/s2i
        STI_SCRIPTS_PATH=/usr/libexec/s2i
        APP_ROOT=/opt/app-root
        HOME=/var/lib/pgsql
        BASH_ENV=/usr/share/container-scripts/postgresql/scl_enable
        ENV=/usr/share/container-scripts/postgresql/scl_enable
        PROMPT_COMMAND=. /usr/share/container-scripts/postgresql/scl_enable
        POSTGRESQL_VERSION=9.6
        POSTGRESQL_PREV_VERSION=9.5
        PGUSER=postgres
        APP_DATA=/opt/app-root
        CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/postgresql
        ENABLED_COLLECTIONS=rh-postgresql96
Volumes:    /var/lib/pgsql/data

If you want to import into the openshift namespace…

Here is the conclusion.
If you want to import into the openshift namespace,
enable minishift's admin-user add-on, apply it, and then run the import.

$ minishift addons enable admin-user
Add-on 'admin-user' enabled

$ minishift addons apply admin-user
-- Applying addon 'admin-user':..

$ oc login $(minishift ip):8443 -u admin
Logged into "https://192.168.42.85:8443" as "admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-dns
    kube-proxy
    kube-public
    kube-system
  * myproject
    openshift
    openshift-apiserver
    openshift-controller-manager
    openshift-core-operators
    openshift-infra
    openshift-node
    openshift-service-cert-signer
    openshift-web-console

Using project "myproject".

$ oc project openshift
Now using project "openshift" on server "https://192.168.42.85:8443".

$ oc import-image openshift/postgresql-96-rhel7:latest --from=registry.access.redhat.com/rhscl/postgresql-96-rhel7 --confirm
imagestream.image.openshift.io/postgresql-96-rhel7 imported