Difference between revisions of "OpenShift Notes"

From Bitbull Wiki
Latest revision as of 20:58, 22 April 2021

1 General

This is stuff I don't want to remember and don't want to forget! So I keep it here! BTW: I'm working with the current OKD version (4.7).

2 Security

2.1 SCC Review

Get a list of all pods and the SCC each one was admitted under (the SCC shows up as the openshift.io/scc annotation in the describe output):
oc get pod --all-namespaces | awk '{print $2 " -n "$1}' | grep -v NAME | while read p ; do echo "======= pod $p" ; oc describe pod $p | grep scc: ; done
Only show the interesting pods, i.e. those not running under the restricted SCC:
oc get pod --all-namespaces | awk '{print $1 ","$2}' | grep -v NAME | while read p
do
  namespace=$(echo "$p" | cut -d, -f1)
  pod=$(echo "$p" | cut -d, -f2)
  # keep only pods admitted under something other than the restricted SCC
  oc describe pod "$pod" -n "$namespace" | grep scc: | grep -v ": restricted" | while read perm
  do
    echo "$namespace -> $pod -> $perm"
  done
done | column -t
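The same inventory in one API call instead of one oc describe per pod, as an added example that is not from the wiki page: the SCC a pod was admitted under is stored in the pod's openshift.io/scc annotation, so the whole list can be taken from the JSON of oc get pod --all-namespaces -o json and filtered offline. The script below is my own; the pod list embedded in it is a constructed sample with made-up names, and the script reads a real dump from stdin when one is piped in.

```python
"""Report pods admitted under a non-restricted SCC.

Added example, not from the wiki page. Reads the JSON printed by
`oc get pod --all-namespaces -o json` (or the constructed sample below)
and groups every pod whose openshift.io/scc annotation is not "restricted"
by the SCC it was admitted under.
"""
import json
import sys
from collections import defaultdict

# Constructed sample (names made up): two pods under privileged SCCs, one
# restricted, and one with no annotation at all (e.g. a static pod).
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "openshift-monitoring", "name": "node-exporter-abcde",
                      "annotations": {"openshift.io/scc": "node-exporter"}}},
        {"metadata": {"namespace": "myapp", "name": "web-7d9f-x1y2z",
                      "annotations": {"openshift.io/scc": "restricted"}}},
        {"metadata": {"namespace": "myapp", "name": "debug-tool-1",
                      "annotations": {"openshift.io/scc": "anyuid"}}},
        {"metadata": {"namespace": "kube-system", "name": "bootstrap-kube-apiserver"}},
    ],
})


def pod_sccs(podlist_json):
    """Yield (namespace, pod, scc) for every pod; scc is None when unannotated."""
    for item in json.loads(podlist_json)["items"]:
        meta = item["metadata"]
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        yield meta["namespace"], meta["name"], scc


def non_restricted(podlist_json, baseline="restricted"):
    """Return {scc: [(namespace, pod), ...]} for pods not admitted under `baseline`.

    Pods without an SCC annotation are reported under the key None: they were
    not admitted by the SCC admission plugin at all and deserve a look.
    """
    report = defaultdict(list)
    for ns, pod, scc in pod_sccs(podlist_json):
        if scc != baseline:
            report[scc].append((ns, pod))
    return dict(report)


def main():
    # Real cluster: oc get pod --all-namespaces -o json | python3 scc_report.py
    data = SAMPLE_PODLIST if sys.stdin.isatty() else sys.stdin.read()
    for scc, pods in sorted(non_restricted(data).items(), key=lambda kv: str(kv[0])):
        for ns, pod in pods:
            print(f"{ns:<32} -> {pod:<40} -> openshift.io/scc: {scc}")


if __name__ == "__main__":
    main()
```

Pods that carry no openshift.io/scc annotation are listed on purpose: on the page's grep-based loop they silently disappear, yet they are exactly the pods the SCC admission plugin never looked at.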

2.1.1 Example results on fresh AWS OCP 4.7

File: pods with privileges on fresh ocp Modified: 2021-04-02



2.2 Check all the SCCs

Of course you should also be interested in the SCC configuration itself: a modification of the default SCCs could lead you into big trouble.

Get all the SCC configurations, one file per SCC, named after the SCC:
oc get scc | cut -d' ' -f1 | grep -v NAME | while read scc; do oc describe scc "$scc" > "$scc"; done
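A follow-up check for the "modification of the default SCCs" concern, as an added example that is not from the wiki page: instead of eyeballing one oc describe scc file per SCC, keep an oc get scc -o json dump from a fresh cluster as the baseline and diff the admission-relevant fields of the current dump against it. The script is my own; the SCC objects embedded in it are constructed and only approximate the shape of the real defaults, while the field names are the ones the SecurityContextConstraints API uses.

```python
"""Detect drift in SCC definitions against a saved baseline.

Added example, not from the wiki page. Compares two `oc get scc -o json`
dumps (baseline from a fresh cluster vs. current) and reports changes in
the fields that decide what an admitted pod may do and who may use the SCC.
Usage on a cluster: python3 scc_drift.py baseline.json current.json
"""
import json
import sys

# Fields whose change widens (or narrows) the admitted pods' privileges,
# plus the subjects (users/groups) the SCC is granted to.
WATCHED_FIELDS = [
    "allowPrivilegedContainer", "allowPrivilegeEscalation",
    "allowHostNetwork", "allowHostPID", "allowHostIPC", "allowHostPorts",
    "allowHostDirVolumePlugin", "allowedCapabilities", "defaultAddCapabilities",
    "requiredDropCapabilities", "volumes", "users", "groups",
    "runAsUser.type", "seLinuxContext.type", "fsGroup.type",
]


def _get(obj, dotted):
    """Fetch a possibly nested field ("runAsUser.type"); missing -> None."""
    for key in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _norm(value):
    """Order of capabilities/volumes/subjects does not matter: compare sorted."""
    return sorted(value) if isinstance(value, list) else value


def index_sccs(scc_list_json):
    """Map SCC name -> object from a SecurityContextConstraintsList dump."""
    return {i["metadata"]["name"]: i for i in json.loads(scc_list_json)["items"]}


def scc_drift(baseline_json, current_json):
    """Return [(scc, field, baseline_value, current_value), ...].

    An SCC present on only one side is reported with field "<object>".
    """
    base, cur = index_sccs(baseline_json), index_sccs(current_json)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            findings.append((name, "<object>", "present", None))
        elif name not in base:
            findings.append((name, "<object>", None, "present"))
        else:
            for field in WATCHED_FIELDS:
                b, c = _norm(_get(base[name], field)), _norm(_get(cur[name], field))
                if b != c:
                    findings.append((name, field, b, c))
    return findings


def _scc(name, **overrides):
    """Constructed SCC object with restricted-like defaults, then overrides applied."""
    obj = {
        "metadata": {"name": name},
        "allowPrivilegedContainer": False, "allowPrivilegeEscalation": True,
        "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
        "allowHostPorts": False, "allowHostDirVolumePlugin": False,
        "allowedCapabilities": None, "defaultAddCapabilities": None,
        "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
        "volumes": ["configMap", "emptyDir", "secret"],
        "users": [], "groups": ["system:authenticated"],
        "runAsUser": {"type": "MustRunAsRange"},
        "seLinuxContext": {"type": "MustRunAs"},
        "fsGroup": {"type": "MustRunAs"},
    }
    obj.update(overrides)
    return obj


_PRIV = dict(allowPrivilegedContainer=True, allowHostNetwork=True, allowHostPID=True,
             allowHostDirVolumePlugin=True, volumes=["*"],
             runAsUser={"type": "RunAsAny"}, seLinuxContext={"type": "RunAsAny"})
_PRIV_GROUPS = ["system:cluster-admins", "system:nodes", "system:masters"]

# Constructed baseline: a restricted-like and a privileged-like SCC.
BASELINE = json.dumps({"kind": "SecurityContextConstraintsList", "items": [
    _scc("restricted"),
    _scc("privileged", groups=_PRIV_GROUPS, **_PRIV),
]})

# Constructed current state: restricted now runs as any UID, privileged is granted
# to every authenticated user, and an unknown custom SCC has appeared.
CURRENT = json.dumps({"kind": "SecurityContextConstraintsList", "items": [
    _scc("restricted", runAsUser={"type": "RunAsAny"}),
    _scc("privileged", groups=_PRIV_GROUPS + ["system:authenticated"], **_PRIV),
    _scc("my-custom-scc", allowHostNetwork=True),
]})


def main():
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            findings = scc_drift(f1.read(), f2.read())
    else:
        findings = scc_drift(BASELINE, CURRENT)
    for scc, field, b, c in findings:
        print(f"{scc}: {field}: baseline={b!r} current={c!r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit status when anything drifted makes the check usable as a scheduled job; new SCC objects are reported as well, because a custom SCC granted to a broad group is as much of a change as an edited default.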

2.2.1 Example results on fresh AWS OCP 4.7

File: anyuid Modified: 2021-04-02

File: hostaccess Modified: 2021-04-02

File: hostmount-anyuid Modified: 2021-04-02

File: hostnetwork Modified: 2021-04-02

File: machine-api-termination-handler Modified: 2021-04-02

File: node-exporter Modified: 2021-04-02

File: nonroot Modified: 2021-04-02

File: privileged Modified: 2021-04-02

File: restricted Modified: 2021-04-02
