Baremetal OpenShift 4.2.0
$ oc version
Client Version: openshift-clients-4.3.0-201909231341
Server Version: 4.2.0
Kubernetes Version: v1.14.6+2e5ed54
Robert Bohne rbo
🏠
rbo
/ NetworkPolicy-Problem.md
Last active
November 17, 2019 20:51
My notes to "Bug 1768608 - NetworkPolicy not applied to router"
Baremetal OpenShift 4.2.0
$ oc version
Client Version: openshift-clients-4.3.0-201909231341
Server Version: 4.2.0
Kubernetes Version: v1.14.6+2e5ed54
rbo
/ gist:9a8d9d4222116615d529a1e11418a41f
Last active
October 16, 2019 16:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [OSEv3:children] | |
| masters | |
| nodes | |
| etcd | |
| # Set variables common for all OSEv3 hosts | |
| [OSEv3:vars] | |
| openshift_deployment_type=openshift-enterprise | |
| openshift_hosted_modify_imagestreams=true | |
| openshift_master_default_subdomain=apps.ocp3.vmw.scc.internal |
rbo
/ rbohne.rsa.pub
Created
August 9, 2019 07:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0O1PmjMLgqh7140QsEMn58zEYm6gUErhpeA4mviap9ocKKylFViYbmo4Hu06pLhye7Qu6qpn0A6uEZQJum5uDNfLg1uob0AiGm2jUg4RTUWHNZILLIZ7bKRmE7LP6zucv/xS18wep2PURXfG7TNwzoQ4WNzxFh0avcx0KIeiKgJ3v2nEqYLm2vD2MmuszH9G4O2WUheSuSH9Y5Nz+nZ2P65q+DPkY9xKuZ5+6ykRNT5wwFVWAeyuMADfeX1GZYBHewxM48HIgXlMmXB7/sIJI8UmjEPESwkwM1uKX5JIIdA3mxY/bH50Xg30LogGQCaQg/1bcZMK2fcI/31EQXLoYw== rbo |
Hi everyone,
I ran into the article Kubernetes Pod Escape Using Log Mounts [1]. From my point of view, OpenShift is NOT affected. Because: You can not create an HostPath "mount" without cluster-admin privileges or access to the SCC hostaccess or hostmount-anyuid. Imagine you are able to start a Pod with a hostpath to /var/log you are not able to create any symlink because of SELinux:
root@escaper:~/exploit# ls /var/log/host/
rbo
/ os_server-with-os_port-FAIL.yml
Created
March 31, 2019 10:33
os_server is not idempotent if I use port-id= - Multiple matches found for default
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ansible-playbook | |
| --- | |
| - hosts: localhost | |
| gather_facts: false | |
| connection: local | |
| vars: | |
| iaas_internal_network: admin | |
| iaas_machine_size: m1.tiny | |
| iaas_image: cirros-0.4.0 |
rbo
/ inventory.ini
Created
March 25, 2019 12:37
OpenShift inventory - add 80 & 443 to lb (external haproxy)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add following lines to your inventory and run | |
| # ansible-playbook -i ~/stc/inventory playbooks/openshift-loadbalancer/config.yml | |
| # or ansible-playbook -i ~/stc/inventory playbooks/deploy_cluster.yml | |
| openshift_loadbalancer_additional_frontends=[{"name":"atomic-openshift-infra-http","mode":"tcp","options":["tcplog"],"binds":["*:80"],"default_backend":"atomic-openshift-infra-http"},{"name":"atomic-openshift-infra-https","mode" | |
| :"tcp","options":["tcplog"],"binds":["*:443"],"default_backend":"atomic-openshift-infra-https"}] | |
| openshift_loadbalancer_additional_backends=[{"name":"atomic-openshift-infra-http","mode":"tcp","option":"tcplog","balance":"roundrobin","servers":[{"name":"infra0","address":"192.168.1.110:80","opts":"check"}]},{"name":"atomic-o | |
| penshift-infra-https","mode":"tcp","option":"tcplog","balance":"roundrobin","servers":[{"name":"infra0","address":"192.168.1.110:443","opts":"check"}]}] |
rbo
/ gist:617ba9a409f11845dd6f324f129dbca8
Created
March 19, 2019 17:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| openshift_master_identity_providers: | |
| - name: 'ad' | |
| challenge: true | |
| login: true | |
| mappingMethod: claim | |
| kind: LDAPPasswordIdentityProvider | |
| bindDN: "{{ dd }}" | |
| bindPassword: "{{ ddd }}" | |
| insecure: false | |
| url: "ldaps://ddd" |
rbo
/ gist:fb8d352e178cc2fa797696988cb698a7
Created
March 19, 2019 13:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [OSEv3:vars] | |
| openshift_hosted_registry_storage_kind=nfs | |
| openshift_hosted_registry_storage_access_modes=['ReadWriteMany'] | |
| openshift_hosted_registry_storage_host=nfs.example.com | |
| openshift_hosted_registry_storage_nfs_directory=/exports | |
| openshift_hosted_registry_storage_volume_name=registry | |
| openshift_hosted_registry_storage_volume_size=10Gi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM kubevirt/container-disk-v1alpha | |
| LABEL maintainer="Robert Bohne <[email protected]>" | |
| ADD rhel-server-7.6-x86_64-kvm.qcow2 /disk/rhel.qcow2 |