Difference between revisions of "OpenShift Notes"
Revision as of 07:00, 2 April 2021
1 General
This is stuff I don't want to remember and don't want to forget! So I keep it here! BTW: I'm working with OKD current version (4.7)
2 Security
2.1 SCC Review
- Get a list with pods and their assigned scc
oc get pod --all-namespaces | awk '{print $2 " -n "$1}' | grep -v NAME | while read p ; do echo "======= pod $p" ; oc describe pod $p | grep scc: ; done
- only show the interesting containers
oc get pod --all-namespaces | awk '{print $1 ","$2}' | grep -v NAME | while read p
do
  namespace=$(echo $p | cut -d, -f1)
  pod=$(echo $p | cut -d, -f2)
  # keep only pods that were admitted with something other than the default "restricted" SCC
  oc describe pod $pod -n $namespace | grep scc: | grep -v ": restricted" | while read perm
  do
    echo "$namespace -> $pod -> $perm"
  done
done | column -t
2.1.1 Example results on fresh AWS OCP 4.7
openshift-apiserver -> apiserver-5c44597f66-26vp4 -> openshift.io/scc: node-exporter
openshift-apiserver -> apiserver-5c44597f66-6pw9q -> openshift.io/scc: node-exporter
openshift-apiserver -> apiserver-5c44597f66-8kgpf -> openshift.io/scc: node-exporter
openshift-authentication-operator -> authentication-operator-78b4fdf6c4-bpwgh -> openshift.io/scc: anyuid
openshift-authentication -> oauth-openshift-7f84dd5dd9-b9z4m -> openshift.io/scc: anyuid
openshift-authentication -> oauth-openshift-7f84dd5dd9-xzsns -> openshift.io/scc: anyuid
openshift-cluster-node-tuning-operator -> cluster-node-tuning-operator-844cff6b46-hfhr5 -> openshift.io/scc: anyuid
openshift-cluster-node-tuning-operator -> tuned-9dzsb -> Annotations: openshift.io/scc: privileged
openshift-cluster-node-tuning-operator -> tuned-l92pl -> Annotations: openshift.io/scc: privileged
openshift-cluster-node-tuning-operator -> tuned-pl7j4 -> Annotations: openshift.io/scc: privileged
openshift-cluster-node-tuning-operator -> tuned-vgkjw -> Annotations: openshift.io/scc: privileged
openshift-cluster-node-tuning-operator -> tuned-vq4z9 -> Annotations: openshift.io/scc: privileged
openshift-cluster-node-tuning-operator -> tuned-whtrw -> Annotations: openshift.io/scc: privileged
openshift-cluster-storage-operator -> cluster-storage-operator-d454bcdf5-r4z4q -> openshift.io/scc: anyuid
openshift-cluster-storage-operator -> csi-snapshot-controller-operator-66d94cbd79-phn82 -> openshift.io/scc: anyuid
openshift-config-operator -> openshift-config-operator-84d8fd8945-khs8m -> openshift.io/scc: anyuid
openshift-controller-manager-operator -> openshift-controller-manager-operator-5595786bf5-qpnk8 -> openshift.io/scc: anyuid
openshift-image-registry -> node-ca-55mg8 -> Annotations: openshift.io/scc: privileged
openshift-image-registry -> node-ca-gw8pf -> Annotations: openshift.io/scc: privileged
openshift-image-registry -> node-ca-kkxbc -> Annotations: openshift.io/scc: privileged
openshift-image-registry -> node-ca-m52th -> Annotations: openshift.io/scc: privileged
openshift-image-registry -> node-ca-t8rfk -> Annotations: openshift.io/scc: privileged
openshift-image-registry -> node-ca-vfp7r -> Annotations: openshift.io/scc: privileged
openshift-ingress -> router-default-564744dbcf-skbwh -> Annotations: openshift.io/scc: hostnetwork
openshift-ingress -> router-default-564744dbcf-vhk6c -> Annotations: openshift.io/scc: hostnetwork
openshift-kube-storage-version-migrator-operator -> kube-storage-version-migrator-operator-565897bfd9-xbtql -> openshift.io/scc: anyuid
openshift-kube-storage-version-migrator -> migrator-5475dbfddc-tx6d8 -> openshift.io/scc: anyuid
openshift-machine-api -> cluster-baremetal-operator-7b584c7dfc-d647k -> openshift.io/scc: anyuid
openshift-marketplace -> community-operators-5cp2b -> openshift.io/scc: anyuid
openshift-monitoring -> alertmanager-main-0 -> openshift.io/scc: nonroot
openshift-monitoring -> alertmanager-main-1 -> openshift.io/scc: nonroot
openshift-monitoring -> alertmanager-main-2 -> openshift.io/scc: nonroot
openshift-monitoring -> node-exporter-5fbp5 -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> node-exporter-lt47z -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> node-exporter-vgt4r -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> node-exporter-wc65q -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> node-exporter-wsz7m -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> node-exporter-zp6pt -> Annotations: openshift.io/scc: node-exporter
openshift-monitoring -> prometheus-k8s-0 -> openshift.io/scc: nonroot
openshift-monitoring -> prometheus-k8s-1 -> openshift.io/scc: nonroot
openshift-oauth-apiserver -> apiserver-6894d6684-cq4d2 -> openshift.io/scc: node-exporter
openshift-oauth-apiserver -> apiserver-6894d6684-jxpvt -> openshift.io/scc: node-exporter
openshift-oauth-apiserver -> apiserver-6894d6684-wj9d5 -> openshift.io/scc: node-exporter
openshift-operator-lifecycle-manager -> catalog-operator-5d56d75ccf-zr87t -> openshift.io/scc: anyuid
openshift-operator-lifecycle-manager -> olm-operator-5f7849c5c4-cm8dw -> openshift.io/scc: anyuid
openshift-operator-lifecycle-manager -> packageserver-749dd7985b-672p8 -> openshift.io/scc: anyuid
openshift-operator-lifecycle-manager -> packageserver-749dd7985b-trc95 -> openshift.io/scc: anyuid
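Added example, not part of the original notes: the same SCC review done with a single `oc get` call instead of one `oc describe` per pod. Reading the `openshift.io/scc` annotation through `custom-columns` also avoids the stray `Annotations:` prefix in the results above, which appears whenever the SCC happens to be the first annotation `oc describe` prints. The `oc` command is only shown in a comment; the listing the functions consume is a constructed sample (a few pod names copied from the results above plus made-up `myapp` and `kube-system` entries) so the script runs offline. The function names `interesting_sccs` and `count_node_exposing` are my own. One caveat the original `grep -v ": restricted"` hides: from OCP 4.11 on the default SCC for ordinary workloads is `restricted-v2`, so both names are excluded explicitly here.

```shell
#!/bin/sh
# Added example (not from the wiki page). On a live cluster the input comes from:
#
#   oc get pods -A --no-headers \
#     -o custom-columns='NAMESPACE:.metadata.namespace,POD:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc'
#
# One API call for the whole cluster; column 3 is the SCC the admission
# controller recorded for the pod, or "<none>" if the annotation is absent
# (e.g. static pods that never went through SCC admission).

# Print only pods that were NOT admitted with a default restricted SCC.
# "restricted" is the default up to OCP 4.10, "restricted-v2" from 4.11 on.
interesting_sccs() {
    awk '$3 != "restricted" && $3 != "restricted-v2" && $3 != "<none>" {
             printf "%-40s %-50s %s\n", $1, $2, $3
         }'
}

# Count pods whose SCC grants host namespaces, host ports or hostPath volumes,
# i.e. the ones to look at first: a compromise there is a node compromise.
count_node_exposing() {
    awk '$3 == "privileged" || $3 == "hostaccess" || $3 == "hostnetwork" || $3 == "hostmount-anyuid" { n++ }
         END { print n + 0 }'
}

# Constructed sample in the shape of the oc output above (names partly copied
# from the 4.7 results on this page, partly invented).
SAMPLE='openshift-apiserver                    apiserver-5c44597f66-26vp4        node-exporter
openshift-authentication               oauth-openshift-7f84dd5dd9-b9z4m  anyuid
openshift-cluster-node-tuning-operator tuned-9dzsb                       privileged
openshift-ingress                      router-default-564744dbcf-skbwh   hostnetwork
openshift-monitoring                   alertmanager-main-0               nonroot
myapp                                  web-6d4f9c7b8-x2k9q               restricted
myapp                                  web-6d4f9c7b8-p7l3m               restricted-v2
kube-system                            etcd-master-0                     <none>'

echo "=== pods not running under the default restricted SCC ==="
printf '%s\n' "$SAMPLE" | interesting_sccs
echo "=== pods with node-exposing SCCs: $(printf '%s\n' "$SAMPLE" | count_node_exposing) ==="
```

To run it against a real cluster, replace the `printf '%s\n' "$SAMPLE"` pipelines with the `oc get pods -A ... --no-headers` command from the header comment. Anything that shows up in the first list outside the `openshift-*` namespaces is a workload that somebody granted an SCC to; check the RBAC path (`oc adm policy who-can use scc <name>`) rather than trusting the label.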