How do I change the permissions in openshift container platform?
By default any container started in OpenShift gets a random user ID. Therefor images not designed to handle such a random UID will fail with permission errors.
In order to get your image working I recommed you read following Article of the latest OpenShift documentation: https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html
Here the short version that relates to your issue:
SUPPORT ARBITRARY USER IDS
By default, OpenShift Container Platform
runs containers using an arbitrarily assigned user ID. This provides
additional security against processes escaping the container due to a
container engine vulnerability and thereby achieving escalated
permissions on the host node.For an image to support running as an arbitrary user, directories and
files that may be written to by processes in the image should be owned
by the root group and be read/writable by that group. Files to be
executed should also have group execute permissions.Adding the following to your Dockerfile sets the directory and file
permissions to allow users in the root group to access them in the
built image:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
Because the container user is always a member of the root group, the container user can read and write
these files. The root group does not have any special permissions
(unlike the root user) so there are no security concerns with this
arrangement. In addition, the processes running in the container must
not listen on privileged ports (ports below 1024), since they are not
running as a privileged user.
Openshift 4 - Mkdir command gets permission denied error
If you cannot change the container itself, then mounting an emptyDir
directory in this place could be an option.
Add it like so to the Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-deployment
labels:
app: example
spec:
...
spec:
containers:
- name: example
image: nginx:1.14.2
ports:
- containerPort: 80
volumeMounts:
- mountPath: /data/cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}
How to restrict the default permissions in OpenShift
This worked:
oadm policy remove-cluster-role-from-group basic-user system:authenticated
So system:authenticated
is a group, not a user. And it was the wrong command.
Thanks Red Hat Support.
Though - the cluster didn't work after running the above command, and
oadm policy remove-cluster-role-from-group basic-user system:unauthenticated
We had to revert it. I wonder if it was only the second command that wrought havoc. After nearly a week of downtime, though, the rest of the team isn't too keen on testing what happens if you only revoke basic-user from system:authenticated.
OpenShift permission issues to expose registry
Your admin
role is for what project ? Basically, admin
role is granted permission for one project.
As you mentioned above, you need to cluster-admin
cluster role in order to create route using oc expose service
in default
project. Or you are required admin
role of default
project. Each command is as follows for granting each role.
You also are required cluster-admin
role to run the following both commands.
// for instance, the following command is granting cluster-admin role to admin.
$ oc adm policy add-cluster-role-to-user cluster-admin admin
// following command is granting admin of default project role to admin.
$ oc adm policy add-role-to-user admin admin -n default
If you can login as system:admin
after access master host via ssh as root, you can get cluster-admin
role.
# oc login -u system:admin --config /etc/origin/master/admin.kubeconfig
I hope it help you.
Openshift 4 RBAC
What you need is to customize the Project Template. Look here https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation
First you need to backup a project project-template from openshift-config, to be honest I don't know how to do it. If anyone find a way please drop the comment under the answer. - Look at first answer bellow from @Stevencommy
To create a new Project Template
oc adm create-bootstrap-project-template -o yaml > template.yaml
In template.yml
configure
kind: Project
...
name: ${PROJECT_NAME}
the default user for newly created project is configured in
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Then create the template
oc create -f template.yaml -n openshift-config
Update
oc edit project.config.openshift.io/cluster
there
spec:
projectRequestTemplate:
name: <template_name>
<template_name>
default is project-request
you could also list with oc get templates -n openshift-config | grep project-request
If everything goes well you could test it with oc new-project <your-project>
. The user
for project should be <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Related Topics
Shell Script to Delete Files When Disk Is Full
Knowing If a Remote Port Forward Was Successful
Gatttool Non-Interactive Mode --Char-Write
Determine Vm Size of Process Killed by Oom-Killer
Difference Between Source and ./ Execution of Linux Scripts
Linking to Modules Folder Gives Undefined Reference
Docker in Wsl2 Alpine Without Docker Desktop
Get Process Executed by Mono on Gnu/Linux
Convert Environment Variables into a JSON File
How to Get Docker Commands to Run in the Background with Nohup
How to View Thread Id of a Process Which Has Opened a Socket Connection
Measuring Stack Usage for Linux Multi-Threaded App
Imagemagick: Generate Raw Image Data for PDF Flate Embedding
Can Someone Explain the Shell Shock Bash Code
Using Scanf into Global or Local Variables (On the Stack), 32-Bit Calling Convention
How to Add Text at the Beginning of Specific Lines Using Sed
Docker-Compose Stop Working After Docker Desktop Installation on Debian 11