finished and tested chapter 4 demos

tmichett · Jan 8, 2021 · 01f0f01 · 01f0f01
1 parent 904c418
commit 01f0f01
Show file tree

Hide file tree

Showing 6 changed files with 392 additions and 0 deletions.
diff --git a/CH4/CH4.adoc b/CH4/CH4.adoc
@@ -0,0 +1,15 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+== Configuring Application Security
+
+include::./Secrets.adoc[]
+include::./SCC.adoc[]
diff --git a/CH4/SCC.adoc b/CH4/SCC.adoc
@@ -0,0 +1,155 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+=== Demonstration - Controlling Application Permissions with Security Context Constraints
+
+.Controlling Application Permissions with Security Context Constraints - Demo
+=====
+
+
+.Preparing Demo Environment
+[TIP]
+====
+Note that for the demo, not using the *least privileges* model.
+
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-scc start
+----
+
+====
+
+. Source the file and login as developer
++
+[source,bash]
+----
+[student@workstation ~]$ source /usr/local/etc/ocp4.config
+
+[student@workstation ~]$ oc login -u developer -p developer
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+    oc new-project <projectname>
+----
+
+. Create a new project
++
+[source,bash]
+----
+[student@workstation ~]$  oc new-project scc-demo
+Now using project "scc-demo" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443"
+----
+
+. Create New App
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-app --name gitlab-demo --docker-image gitlab/gitlab-ce:8.4.3-ce.0
+--> Found container image a26371b (4 years old) from Docker Hub for "gitlab/gitlab-ce:8.4.3-ce.0"
+----
++
+.Obtaining Status of App
+[source,bash]
+----
+[student@workstation ~]$ oc get pods
+NAME                   READY   STATUS      RESTARTS   AGE
+gitlab-demo-1-7bz44    0/1     Error       0          44s
+gitlab-demo-1-deploy   0/1     Completed   0          54s
+----
++
+[CAUTION]
+====
+The application failed because it needs to run with different permissions and the newly created SCC.
+====
+
+. Source the file and login as admin
++
+[source,bash]
+----
+[student@workstation ~]$ oc login -u admin -p redhat
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+    oc new-project <projectname>
+----
+
+. Create a Service Account
++
+[source,bash]
+----
+[student@workstation ~]$ oc create sa gitlab-svc
+serviceaccount/gitlab-svc created
+----
+
+. Assign the *anyuid* SCC to the Service Account
++
+[source,bash]
+----
+[student@workstation ~]$ oc adm policy add-scc-to-user anyuid -z gitlab-svc
+securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:scc-demo:gitlab-svc"]
+----
+
+
+. Assign the new service account to the deployment
++
+[source,bash]
+----
+[student@workstation ~]$  oc set serviceaccount dc/gitlab-demo gitlab-svc
+deploymentconfig.apps.openshift.io/gitlab-demo serviceaccount updated
+----
++
+.Obtaining Status of App
+[source,bash]
+----
+[student@workstation ~]$ oc get pods
+NAME                   READY   STATUS        RESTARTS   AGE
+gitlab-demo-2-deploy   0/1     Completed     0          54s
+gitlab-demo-2-t7nfx    1/1     Running       0          45s
+----
+
+. Expose the Service and Obtain a Route
++
+.Exposing the Service
+[source,bash]
+----
+[student@workstation ~]$  oc expose service gitlab-demo --port 80
+route.route.openshift.io/gitlab-demo exposed
+----
++
+.Obtaining a Route
+[source,bash]
+----
+[student@workstation ~]$ oc get route gitlab-demo
+NAME          HOST/PORT                                                                      PATH   SERVICES      PORT   TERMINATION   WILDCARD
+gitlab-demo   gitlab-demo-scc-demo.apps.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com          gitlab-demo   80                   None
+----
+
+. Testing the Service
++
+image::Chapter4-dd8ac.png[title="Gitlab Login Screen", align="center"]
+
+. Cleanup Demo
++
+.Remove Project
+[source,bash]
+----
+[student@workstation ~]$ oc delete project scc-demo
+project.project.openshift.io "scc-demo" deleted
+----
++
+.Cleanup Lab
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-scc finish
+----
+=====
diff --git a/CH4/Secrets.adoc b/CH4/Secrets.adoc
@@ -0,0 +1,221 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+=== Demonstration - Managing Sensitive Information With Secrets
+
+.Managing Sensitive Information With Secrets - Demo
+=====
+
+[TIP]
+====
+Must start the lab for the demo to work so resources will be available and usable.
+
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-secrets start
+----
+====
+
+. Source the resource file and login as a developer user
++
+[source,bash]
+----
+[student@workstation ~]$ source /usr/local/etc/ocp4.config
+
+[student@workstation ~]$ oc login -u developer -p developer
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+    oc new-project <projectname>
+----
+
+. Create a project
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-project demo-secrets
+Now using project "demo-secrets" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443".
+----
+
+. Create secrets for the project
++
+[source,bash]
+----
+[student@workstation ~]$ oc create secret generic mysql --from-literal user=demouser --from-literal password=redhat --from-literal database=demo_db --from-literal hostname=mysql
+secret/mysql created
+----
+
+. Create an Application
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-app --name mysql-demo --docker-image registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47
+--> Found container image 77d20f2 (12 months old) from registry.access.redhat.com for "registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47"
+----
+
+. Check status of deployed application
++
+[source,bash]
+----
+[student@workstation ~]$ oc get pods -w
+NAME                  READY   STATUS              RESTARTS   AGE
+mysql-demo-1-9vhjq    0/1     ContainerCreating   0          27s
+mysql-demo-1-deploy   1/1     Running             0          35s
+NAME                  READY   STATUS              RESTARTS   AGE
+mysql-demo-1-9vhjq    0/1     Error               0          44s
+mysql-demo-1-9vhjq    0/1     Error               1          45s
+mysql-demo-1-9vhjq    0/1     CrashLoopBackOff    1          46s
+----
+
+. Investigate issues
++
+[source,bash]
+----
+[student@workstation ~]$ oc logs mysql-demo-1-9vhjq
+=> sourcing 20-validate-variables.sh ...
+You must either specify the following environment variables:
+  MYSQL_USER (regex: '^[a-zA-Z0-9_]+$')
+  MYSQL_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$')
+  MYSQL_DATABASE (regex: '^[a-zA-Z0-9_]+$')
+Or the following environment variable:
+  MYSQL_ROOT_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$')
+Or both.
+----
++
+.Variables needed by container image
+[IMPORTANT]
+====
+In this instance, the container couldn't start because the environment variables weren't passed to the container or made available via the secrets
+====
+
+. Update the deployment configuration and check to see if the pod is fixed
++
+.Updating the *dc*
+[source,bash]
+----
+[student@workstation ~]$ oc set env deployment/mysql-demo --prefix MYSQL_ --from secret/mysql
+deploymentconfig.apps.openshift.io/mysql-demo updated
+----
++
+.Alternate methods of deployment config manipulation
+[CAUTION]
+====
+It is important to note that the *oc set env* is setting all environment variables and adding a prefix of *MYSQL_* to all the variables that have been defined. It is also possible to use the *oc edit dc/mysql-demo* to modify the deployment configuration.
+
+[source,bash]
+----
+[student@workstation ~]$ oc edit deployment/mysql-demo
+
+... output omitted ...
+
+kind: DeploymentConfig
+metadata:
+  annotations:
+    openshift.io/generated-by: OpenShiftNewApp
+  creationTimestamp: "2020-07-28T17:11:02Z"
+  generation: 3
+  labels:
+    app: mysql-demo
+  name: mysql-demo
+  namespace: demo-secrets
+
+... output omitted ...
+
+spec:
+  containers:
+  - env:
+    - name: MYSQL_DATABASE
+      valueFrom:
+        secretKeyRef:
+          key: database
+          name: mysql
+    - name: MYSQL_HOSTNAME
+      valueFrom:
+        secretKeyRef:
+          key: hostname
+          name: mysql
+    - name: MYSQL_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          key: password
+          name: mysql
+    - name: MYSQL_USER
+      valueFrom:
+        secretKeyRef:
+          key: user
+          name: mysql
+
+... output omitted ...
+----
++
+====
+
+.Note about oc edit dc/_name_
+[TIP]
+====
+With OCP v4.5, the *oc edit dc/name* no longer works as it doesn't see that as a deployment config. Instead, you need to use *oc edit deployment/name* so it will find the deployment based on the name of the App you specified earlier.
+====
++
+.Verifying application and pods
+[source,bash]
+----
+[student@workstation ~]$  oc get pods
+NAME                  READY   STATUS      RESTARTS   AGE
+mysql-demo-2-deploy   0/1     Completed   0          24s
+mysql-demo-2-spbpj    1/1     Running     0          15
+----
+
+. Test the Database with *oc rsh*
++
+[source,bash]
+----
+[student@workstation ~]$ oc rsh mysql-demo-2-spbpj
+sh-4.2$
+----
++
+.Accessing the Database
+[source,bash]
+----
+sh-4.2$ mysql -u demouser -p
+Enter password:
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 7
+
+... output omitted ...
+
+mysql> show databases;
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| demo_db            |
++--------------------+
+2 rows in set (0.00 sec)
+
+mysql> exit
+Bye
+sh-4.2$ exit
+exit
+----
+
+. Cleanup the demo
++
+.Source Description
+[source,bash]
+----
+[student@workstation ~]$ oc delete projects demo-secrets
+project.project.openshift.io "demo-secrets" deleted
+
+[student@workstation ~]$ lab authorization-secrets finish
+----
+
+=====
diff --git a/CH4/images/Chapter4-dd8ac.png b/CH4/images/Chapter4-dd8ac.png
diff --git a/DO280_Demo_Guide.adoc b/DO280_Demo_Guide.adoc
@@ -26,3 +26,4 @@ endif::[]
 include::./CH1/CH1.adoc[]
 include::./CH2/CH2.adoc[]
 include::./CH3/CH3.adoc[]
+include::./CH4/CH4.adoc[]
diff --git a/images/Chapter4-dd8ac.png b/images/Chapter4-dd8ac.png