I just started using OpenShift and have permissions problems. I am on the free trial for OpenShift 4.3.3 and cannot get my containers to run as root. I am the only user on my instance and I have admin, but it says I need cluster-admin to run the containers as root?
I tried running:
oc policy add-role-to-group cluster-admin anyuid
and that returned:
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "cluster-admin" is forbidden: user "hustlin" (groups=["system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["*"], Resources:["*"], Verbs:["*"]}
{NonResourceURLs:["*"], Verbs:["*"]}
Going through OpenShift Online -> Administrator view -> User Management -> Roles -> cluster-admin -> Role Bindings, it states:
Restricted Access
You don't have access to this section due to cluster policy.
Error details
rolebindings.rbac.authorization.k8s.io is forbidden: User "hustlin" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
I feel like it should not be this difficult for me to run a container as root. Just testing out OpenShift and I haven't been able to successfully run a single container on the platform, they all eventually go to CrashLoopBackOff.
Yes, I did try the:
oc login -u system:admin
command and it prompted me for my password before returning:
error: username system:admin is invalid for basic auth
I even tried following this guide from the OpenShift blog, but it would not recognize oadm.
Related
I deployed a Dashboard with: https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
I could create an user that can access the resources, but I have to log in with a token, I used: https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html
Then I wanted to log in without authentication, so I used: kubectl patch deployment kubernetes-dashboard -n kubernetes-dashboard --type ‘json’ -p ‘[{“op”: “add”, “path”: “/spec/template/spec/containers/0/args/-”, “value”: “–enable-skip-login”}]’
Then I can log-in skipping the authentication but the default user (or Service Account?) can’t see any resource (nodes, pods, services…)
Can you help me give permissions to the default user?
Thanks.
I expect all rescources to be shown on the Dashboard.
"Please check the configuration, the workflow was not able to start " error in litmus chaosCenter portal after opening the status of workflow"
I faced the same issue while setting up LitmusChaos on Openshift local, it will be mostly due to lack of permission to create a Pod that will create chaos scenario.
You can find the reason of failure in "workflow controller" or "subscriber" pod logs, in my case I found it on "workflow controller", failed to start chaos pod because pod is trying to start with user 2000, the solution to overcome is
oc adm policy add-scc-to-group anyuid system:authenticated
The above command will grant "anyuid" scc to all the authenticated users. For production environment, refrain using this command. Best Practice is to add anyuid scc to service account which you created for litmus agent.
References:
https://stackoverflow.com/a/65231547/8496688
https://cloud.redhat.com/blog/managing-sccs-in-openshift#:~:text=anyuid,inside%20and%20outside%20the%20container.
Edit: Instead of assigning Priviliged SCC to all authenticated users, Create a new SCC provided by Litmus team (Openshift SCC Link) and assign it to the Service Account (SA) which you provided at the time of agent creation. e.g
oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct
Ensure that you add the prefix "system:serviceaccount:<project_name>" while granting SCC to SA
References:
https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html
I am trying to create an end point for an API to be deployed into existing GKE cluster by following the instructions in Getting started with Cloud Endpoints for GKE with ESPv2
I clone the sample code in the repo and modified the content of openapi.yaml:
# [START swagger]
swagger: "2.0"
info:
description: "A simple Google Cloud Endpoints API example."
title: "Endpoints Example"
version: "1.0.0"
host: "my-api.endpoints.my-project.cloud.goog"
I then deployed it via the command:
endpoints/getting-started (master) $ gcloud endpoints services deploy openapi.yaml
Now I can see that it has been created:
$ gcloud endpoints services list
NAME TITLE
my-api.endpoints.my-project.cloud.goog
I also have postgreSQL service account:
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
my-postgresql-service-account my-postgresql-service-acco#my-project.iam.gserviceaccount.com False
In the section Endpoint Service Configuration of documentation it says to add the role to the attached service account for the endpoint service as follows, but I get this error:
$ gcloud endpoints services add-iam-policy-binding my-api.endpoints.my-project.cloud.goog
--member serviceAccount:my-postgresql-service-acco#my-project.iam.gserviceaccount.com
--role roles/servicemanagement.serviceController
ERROR: (gcloud.endpoints.services.add-iam-policy-binding) User [myusername#mycompany.com] does not have permission to access services instance [my-api.endpoints.my-project.cloud.goog:getIamPolicy] (or it may not exist): No access to resource: services/my-api.my-project.cloud.goog
The previous lines show the service exits, I guess? Now I am not sure how to resolve this? What permissions do I need? who can give me permission and what permissions he should have? how can I check? Is there any other solution?
The issue got resolved after I was assigned the role of "Project_Admin". It was not ideal as it was giving too much permission to me. The role "roles/endpoints.portalAdmin" was also tried but did not help.
I created a cluster with kubeadm (well it's just a single node / master for now) however I seem to be having issues with authenticating as the admin user.
KUBECONFIG=/etc/kubernetes/kubelet.conf kubectl get sa
No resources found.
Error from server (Forbidden): serviceaccounts is forbidden: User "system:node:osboxes" cannot list serviceaccounts in the namespace "default": disabled by feature gate TokenRequest
I'm assuming that is the admin user? If not, where can I find it / authenticate with it?
Found it: export KUBECONFIG=/etc/kubernetes/admin.conf
I have a gcp service account with kubernetes engine admin role, I get an error trying to create new cluster. Any ideas?
gcloud auth activate-service-account --key-file service_account.json
gcloud config set project my_proj_name
gcloud container clusters create dummy --num-nodes=3 -m n1-standard-8 --zone europe-west1-b
ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
.
Issue solved after setting the service account role to the 'Editor' since kubernetes Engine Admin was not sufficient to create new cluster.
Seems your user does not have access to the service account or service account does not have the right role. You can check service account user role to your user and give Editor, compute admin and service account actor roles.