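# Recent events in openshift-storage, oldest first.
oc get events -n openshift-storage --sort-by=.metadata.creationTimestamp
# List the NooBaa pods.
oc get pods -n openshift-storage -o name | grep noobaa
# Delete the NooBaa pods so they are recreated (assuming they are controller-managed).
# xargs -r skips the delete when grep matches nothing — the bare $(...) form
# called "oc delete" with no resource and errored — and the grep pattern now
# matches the one used for listing above.
oc get pods -n openshift-storage -o name | grep noobaa | xargs -r oc delete -n openshift-storage
# NOTE: no -n here, so this acts on the *current* namespace; add -n to scope it.
oc delete pods --field-selector status.phase=Pending -o name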
Install httpd-tools and create an htpasswd file
# htpasswd(1) is shipped by httpd-tools.
dnf install httpd-tools
# -c creates the file, -B selects bcrypt hashing, -b takes the password from the
# command line. With -b the password ends up in the shell history and is visible
# to other local users via the process list; drop -b to be prompted instead.
# The file is only an input for the secret created next — remove it afterwards.
htpasswd -cBb /tmp/htpasswd 'auser' 'theuserpassword'
Create the htpasswd secret
# Store the htpasswd file in openshift-config under the key "htpasswd"; the
# OAuth identity provider references this secret by name.
oc create secret generic htpasswd --namespace openshift-config --from-file=htpasswd=/tmp/htpasswd
Update the OAuth object with the htpasswd identity provider
Dump the current OAuth object
# Save the live OAuth object so the new identity provider can be added to it.
oc get oauth cluster --output=yaml > oauth.yml
Add htpasswd identity provider
vi
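---
# OAuth object with an HTPasswd identity provider.
# spec.identityProviders is a list: adding an entry to the dumped object keeps
# any provider that already exists, whereas the JSON-merge patch form replaces
# the whole list.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: htpasswd
      type: HTPasswd
      htpasswd:
        fileData:
          # Secret in openshift-config holding the htpasswd file under key "htpasswd".
          name: htpasswd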
or
# Test/review the patch server-side without persisting it.
oc patch oauth cluster --type=merge --dry-run=server --output=yaml \
  -p '{"spec":{"identityProviders":[{"htpasswd":{"fileData":{"name":"htpasswd"}},"name":"htpasswd","type":"HTPasswd"}]}}'
# Apply the patch. --type=merge is a JSON merge patch, so the identityProviders
# list is replaced as a whole: any provider already configured is dropped
# unless it is repeated in the patch.
oc patch oauth cluster --type=merge \
  -p '{"spec":{"identityProviders":[{"htpasswd":{"fileData":{"name":"htpasswd"}},"name":"htpasswd","type":"HTPasswd"}]}}'
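# Remove a user and the identity that links the provider login to that user.
# Both must go: a leftover identity still points at the deleted user.
oc delete user <username>
oc delete identity <IDP Name>:<username>
# example:
oc delete user dunbar
oc delete identity htpasswd:dunbar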
WARNING: If the identity is not deleted, the user will not be able to log in even though the user object has been deleted.
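# Extract the htpasswd file from the secret.
# The secret is named htpasswd-secret here while the creation step above named
# it htpasswd — use whichever name the OAuth fileData.name actually references.
# The jsonpath expression is quoted so the shell never interprets the braces.
oc get secret htpasswd-secret -n openshift-config -o jsonpath='{.data.htpasswd}' | base64 --decode > users.htpasswd
# Add a user, change a user's password, or remove a user (-D) in the local copy.
# -b puts the password on the command line (shell history, process list);
# omit it to be prompted.
htpasswd -Bb users.htpasswd <username> '<password>'
# Render the updated secret client-side and replace the live one with it.
oc create secret generic htpasswd-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
# users.htpasswd holds the password hashes; delete the local copy when done.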
Pods in the openshift-authentication namespace will be restarted.
Verify with: oc get pods -n openshift-authentication
Create a secret in the openshift-config namespace that contains the client secret for the Azure App Registration
oc create secret generic openid-client-secret --from-literal=clientSecret=<secret> -n openshift-config
# or copy secret to a file named clientSecret and use the file to poulated the clientSecret key
oc create secret generic openid-client-secret --from-file=clientSecret -n openshift-config
NOTE: The client secret should be obtained and entered in a secure fashion. The --from-literal command leaves the secret in plain text in the CLI history.
Update oauth object
# Save the live OAuth object (fully qualified resource name) to a file for editing.
oc get oauths.config.openshift.io cluster --output=yaml > oauth.yaml
Edit oauth.yaml and add the new identityProvider
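---
# OAuth object with an Azure AD OpenID Connect identity provider.
# <clientID> and <tenantID> are placeholders for the App Registration values.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: AzureAD
      type: OpenID
      mappingMethod: claim
      openID:
        clientID: <clientID>
        clientSecret:
          # Secret in openshift-config created above, key "clientSecret".
          name: openid-client-secret
        # Tenant-specific issuer; it has to match the "iss" value in the tokens exactly.
        issuer: https://login.microsoftonline.com/<tenantID>
        # Token claims mapped onto the OpenShift user; the username comes from upn.
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - upn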
Apply the updated manifest to the cluster
# Server-side dry run: validates against the API and prints the resulting object.
oc apply --filename=oauth.yaml --dry-run=server --output=yaml
# Apply for real.
oc apply --filename=oauth.yaml
Resources:
- Configuring an OpenID Connect identity provider
- Configure Azure Active Directory authentication for an Azure Red Hat OpenShift 4 cluster (Portal)
# Create the group.
oc adm groups new ocp-admins
# Bind cluster-admin (unrestricted cluster access) to the group; membership of
# this group deserves the same review as a direct cluster-admin grant.
oc adm policy add-cluster-role-to-group cluster-admin ocp-admins
# Add a user to the group.
oc adm groups add-users ocp-admins tkagn
# Open the cluster Scheduler object in an editor.
oc edit schedulers/cluster
Configure the mastersSchedulable field
or
# Test/review the patch server-side without persisting it.
oc patch schedulers/cluster --type=merge --dry-run=server --output=yaml -p '{"spec": {"mastersSchedulable": true}}'
# Apply the patch. mastersSchedulable lets ordinary workloads be scheduled onto
# control plane nodes, where they share the node with control plane components;
# weigh that before enabling it outside small or lab clusters.
oc patch schedulers/cluster --type=merge -p '{"spec": {"mastersSchedulable": true}}'
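---
# Banner shown at the top of the web console.
apiVersion: console.openshift.io/v1
kind: ConsoleNotification
metadata:
  name: bannertop
spec:
  # Colours are quoted: a bare '#' would start a YAML comment.
  backgroundColor: '#5b9e13'
  color: '#fff'
  location: BannerTop
  text: UNCLASSIFIED - Unauthorized access not permitted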
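---
# Message of the day; presumably read from the "openshift" namespace by the
# login flow — confirm which component consumes it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: motd
  namespace: openshift
data:
  message: Welcome to the Red Hat OpenShift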
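# Remove every subject from the self-provisioners binding so those subjects can
# no longer create projects themselves.
oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
# The cluster reconciles this default binding and puts the subjects back unless
# auto-update is switched off on it, so the removal above does not stick on its own.
oc patch clusterrolebinding.rbac self-provisioners -p '{"metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"false"}}}'
# Grant self-provisioning back to an individual user.
oc adm policy add-cluster-role-to-user self-provisioner <username> --rolebinding-name='self-provisioners'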
# Create a project on a user's behalf and make that user its admin.
oc new-project the-project-name
oc adm policy add-role-to-user admin the-user --namespace the-project-name --rolebinding-name=admin
# Record the user as the project's requester via the annotation.
# NOTE: the placeholder below differs from the project name created above.
oc patch namespaces my-project-name -p '{"metadata":{"annotations":{"openshift.io/requester": "the-user"}}}'