@shizonic
Forked from 4nn0/kubernetes-openshift.md
Created February 5, 2020 13:32
Openshift / Kubernetes

Description

Some example commands for OpenShift/Kubernetes; replace oc with kubectl or the other way around.

get all pods from all namespaces comma separated with namespace, pod name, container name, container image, pod status

oc get pods --all-namespaces -o go-template='{{range .items}}{{$status := .status.phase}}{{$namespace := .metadata.namespace}}{{$podname := .metadata.name}}{{range .spec.containers}}{{$namespace}}{{","}}{{$podname}}{{","}}{{.name}}{{","}}{{.image}}{{","}}{{$status}}{{"\n"}}{{end}}{{end}}'

get all pods from all namespaces comma separated with namespace, pod name, scc

oc get pods --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}},{{.metadata.name}},{{range $key, $element := .metadata.annotations}}{{if eq $key "openshift.io/scc"}}{{$element}}{{end}}{{end}}{{"\n"}}{{end}}'

get all sccs with attribute .allowPrivilegedContainer true

oc get scc -o go-template='{{range .items}}{{if eq .allowPrivilegedContainer true}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}'

get users and groups from privileged sccs

oc get scc -o 'go-template={{range .items}}{{if eq .allowPrivilegedContainer true}}{{$name := .metadata.name}}{{range $user := .users}}{{$name}},user={{$user}}{{"\n"}}{{end}}{{range $group := .groups}}{{$name}},group={{$group}}{{"\n"}}{{end}}{{end}}{{end}}'

get all users whose identities map is null (local users)

oc get user -o go-template='{{range .items}}{{if not .identities}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}'

get all pods running with a privileged scc (loops over all privileged sccs and gets pods from all namespaces with each scc; may need to be optimized)

for PRIV in $(oc get scc -o go-template='{{range .items}}{{if eq .allowPrivilegedContainer true}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}'); do oc get pods --all-namespaces -o go-template='{{$PRIVILEGE := "'$PRIV'"}}{{range .items}}{{if eq .status.phase "Running"}}{{$namespace := .metadata.namespace}}{{$name := .metadata.name}}{{range $key, $element := .metadata.annotations}}{{if eq $key "openshift.io/scc"}}{{if eq $element "'$PRIV'"}}{{$namespace}},{{$name}},{{$element}}{{"\n"}}{{end}}{{end}}{{end}}{{end}}{{end}}'; done
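
The loop above queries all pods once per privileged SCC. As an added example (not part of the original gist), the script below fetches the SCC list and the pod list once each and joins them with awk. The function names and the sample data are constructed for illustration, and the pod template is the SCC-annotation template from earlier on this page with .status.phase added.

```sh
#!/bin/sh
# Added example (not from the original gist): one pod query instead of one per SCC.

# join_privileged SCC_FILE POD_FILE
#   SCC_FILE: one privileged SCC name per line
#   POD_FILE: CSV lines "namespace,pod,phase,scc"
# Prints "namespace,pod,scc" for Running pods admitted under a listed SCC.
join_privileged() {
  awk -F, '
    FILENAME == ARGV[1] { if ($0 != "") priv[$0] = 1; next }  # SCC names (also correct when that file is empty)
    $3 == "Running" && ($4 in priv) { print $1 "," $2 "," $4 }
  ' "$1" "$2"
}

# audit_cluster: runs both queries against the current oc context, then joins them.
audit_cluster() {
  tmp=$(mktemp -d) || return 1
  oc get scc -o go-template='{{range .items}}{{if eq .allowPrivilegedContainer true}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' > "$tmp/scc" &&
  oc get pods --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}},{{.metadata.name}},{{.status.phase}},{{range $key, $element := .metadata.annotations}}{{if eq $key "openshift.io/scc"}}{{$element}}{{end}}{{end}}{{"\n"}}{{end}}' > "$tmp/pods" &&
  join_privileged "$tmp/scc" "$tmp/pods"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# demo_constructed: the same join on constructed sample data (no cluster needed).
demo_constructed() {
  tmp=$(mktemp -d) || return 1
  printf '%s\n' privileged custom-priv > "$tmp/scc"
  cat > "$tmp/pods" <<'EOF'
infra,agent-abc12,Running,custom-priv
demo,web-1,Running,restricted
demo,debug-1,Running,privileged
demo,job-old,Succeeded,privileged
demo,no-annotation,Running,
EOF
  join_privileged "$tmp/scc" "$tmp/pods"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

demo_constructed
```

Call audit_cluster instead of demo_constructed to run the check against the cluster of the current oc login.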

get all networkpolicies except the pre-defined default policies, as namespace,networkpolicy

oc get networkpolicy --all-namespaces -o go-template='{{range .items}}{{if and (ne .metadata.name "allow-from-default-namespace") (ne .metadata.name "allow-from-same-namespace")}}{{.metadata.namespace}},{{.metadata.name}}{{"\n"}}{{end}}{{end}}'

get all compute nodes with allocatable cpu and memory

oc get nodes -l node-role.kubernetes.io/compute=true -o go-template='{{range .items}}{{.metadata.name}},{{.status.allocatable.cpu}},{{.status.allocatable.memory}}{{"\n"}}{{end}}'

get all rolebindings with role reference 'admin' or 'edit'

oc get rolebinding --all-namespaces -o go-template='{{range .items}}{{if or (eq .roleRef.name "edit") (eq .roleRef.name "admin") }}{{$namespace := .metadata.namespace}}{{$name := .metadata.name}}{{range .subjects}}{{$namespace}},{{$name}},{{.kind}},{{.name}}{{"\n"}}{{end}}{{end}}{{end}}'

get all secrets in plaintext

kubectl get secret -o go-template='{{range .items}}{{range $key, $value := .data}}# {{$key}}{{"\n"}}{{$value|base64decode}}{{"\n"}}{{end}}{{end}}'

get all routes with insecure traffic

oc get route --all-namespaces -o go-template='{{range .items}}{{$insecterm := ""}}{{if .spec.tls.insecureEdgeTerminationPolicy}}{{$insecterm = .spec.tls.insecureEdgeTerminationPolicy}}{{end}}{{if or (eq $insecterm "Allow") (not .spec.tls)}}{{.metadata.namespace}}{{"\t"}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}'
