Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 6 changed files with 392 additions and 0 deletions.
@@ -0,0 +1,15 @@ | ||
:pygments-style: tango | ||
:source-highlighter: coderay | ||
:toc: | ||
:toclevels: 7 | ||
:sectnums: | ||
:sectnumlevels: 6 | ||
:numbered: | ||
:chapter-label: | ||
:icons: font | ||
:imagesdir: images/ | ||
|
||
== Configuring Application Security | ||
|
||
include::./Secrets.adoc[] | ||
include::./SCC.adoc[] |
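Review bot: the two included files each repeat the same ten attribute entries (`:pygments-style:` through `:imagesdir:`) that this parent already declares in its header, and they set both `:sectnums:` and its older alias `:numbered:`; keep the attribute block only in this file and drop it from Secrets.adoc and SCC.adoc so the parent alone controls the TOC and section numbering. The heading `== Configuring Application Security` also has no preamble; a sentence saying that each demo must be preceded by its `lab ... start` command would save the reader from discovering that only in the TIP inside each include.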
@@ -0,0 +1,155 @@ | ||
:pygments-style: tango | ||
:source-highlighter: coderay | ||
:toc: | ||
:toclevels: 7 | ||
:sectnums: | ||
:sectnumlevels: 6 | ||
:numbered: | ||
:chapter-label: | ||
:icons: font | ||
:imagesdir: images/ | ||
|
||
=== Demonstration - Controlling Application Permissions with Security Context Constraints | ||
|
||
.Controlling Application Permissions with Security Context Constraints - Demo | ||
===== | ||
.Preparing Demo Environment | ||
[TIP] | ||
==== | ||
Note that for the demo, not using the *least privileges* model. | ||
|
||
[source,bash] | ||
---- | ||
[student@workstation ~]$ lab authorization-scc start | ||
---- | ||
|
||
==== | ||
. Source the file and login as developer | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ source /usr/local/etc/ocp4.config | ||
[student@workstation ~]$ oc login -u developer -p developer | ||
Login successful. | ||
You don't have any projects. You can try to create a new project, by running | ||
oc new-project <projectname> | ||
---- | ||
. Create a new project | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc new-project scc-demo | ||
Now using project "scc-demo" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443" | ||
---- | ||
. Create New App | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc new-app --name gitlab-demo --docker-image gitlab/gitlab-ce:8.4.3-ce.0 | ||
--> Found container image a26371b (4 years old) from Docker Hub for "gitlab/gitlab-ce:8.4.3-ce.0" | ||
---- | ||
+ | ||
.Obtaining Status of App | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc get pods | ||
NAME READY STATUS RESTARTS AGE | ||
gitlab-demo-1-7bz44 0/1 Error 0 44s | ||
gitlab-demo-1-deploy 0/1 Completed 0 54s | ||
---- | ||
+ | ||
[CAUTION] | ||
==== | ||
The application failed because it needs to run with different permissions and the newly created SCC. | ||
==== | ||
. Source the file and login as admin | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc login -u admin -p redhat | ||
Login successful. | ||
You don't have any projects. You can try to create a new project, by running | ||
oc new-project <projectname> | ||
---- | ||
. Create a Service Account | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc create sa gitlab-svc | ||
serviceaccount/gitlab-svc created | ||
---- | ||
. Assign the *anyuid* SCC to the Service Account | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc adm policy add-scc-to-user anyuid -z gitlab-svc | ||
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:scc-demo:gitlab-svc"] | ||
---- | ||
. Assign the new service account to the deployment | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc set serviceaccount dc/gitlab-demo gitlab-svc | ||
deploymentconfig.apps.openshift.io/gitlab-demo serviceaccount updated | ||
---- | ||
+ | ||
.Obtaining Status of App | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc get pods | ||
NAME READY STATUS RESTARTS AGE | ||
gitlab-demo-2-deploy 0/1 Completed 0 54s | ||
gitlab-demo-2-t7nfx 1/1 Running 0 45s | ||
---- | ||
. Expose the Service and Obtain a Route | ||
+ | ||
.Exposing the Service | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc expose service gitlab-demo --port 80 | ||
route.route.openshift.io/gitlab-demo exposed | ||
---- | ||
+ | ||
.Obtaining a Route | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc get route gitlab-demo | ||
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD | ||
gitlab-demo gitlab-demo-scc-demo.apps.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com gitlab-demo 80 None | ||
---- | ||
. Testing the Service | ||
+ | ||
image::Chapter4-dd8ac.png[title="Gitlab Login Screen", align="center"] | ||
. Cleanup Demo | ||
+ | ||
.Remove Project | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc delete project scc-demo | ||
project.project.openshift.io "scc-demo" deleted | ||
---- | ||
+ | ||
.Cleanup Lab | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ lab authorization-scc finish | ||
---- | ||
===== |
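Review bot: the CAUTION text `The application failed because it needs to run with different permissions and the newly created SCC.` is inaccurate: no SCC is created anywhere in this demo; the later steps bind the built-in `anyuid` SCC to the new service account, so reword it to say that the pod failed under the default `restricted` SCC and will be granted `anyuid`, which permits running as any UID including root. That is the deviation from least privilege the opening TIP `Note that for the demo, not using the *least privileges* model.` alludes to without a subject; write `Note that this demo does not use the least-privilege model` and say why. The demo also jumps from the `Error` pod straight to the fix; add an investigation step between them, e.g. `oc logs gitlab-demo-1-7bz44` and `oc describe pod gitlab-demo-1-7bz44`, and after the fix show the effect with `oc get pod gitlab-demo-2-t7nfx -o yaml | grep openshift.io/scc`, which prints the SCC the pod was admitted under. Finally, the output after `oc login -u admin -p redhat` is identical to the developer login output (`You don't have any projects`); a cluster admin normally has access to existing projects, so re-capture it.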
@@ -0,0 +1,221 @@ | ||
:pygments-style: tango | ||
:source-highlighter: coderay | ||
:toc: | ||
:toclevels: 7 | ||
:sectnums: | ||
:sectnumlevels: 6 | ||
:numbered: | ||
:chapter-label: | ||
:icons: font | ||
:imagesdir: images/ | ||
|
||
=== Demonstration - Managing Sensitive Information With Secrets | ||
|
||
.Managing Sensitive Information With Secrets - Demo | ||
===== | ||
[TIP] | ||
==== | ||
Must start the lab for the demo to work so resources will be available and usable. | ||
|
||
[source,bash] | ||
---- | ||
[student@workstation ~]$ lab authorization-secrets start | ||
---- | ||
==== | ||
. Source the resource file and login as a developer user | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ source /usr/local/etc/ocp4.config | ||
[student@workstation ~]$ oc login -u developer -p developer | ||
Login successful. | ||
You don't have any projects. You can try to create a new project, by running | ||
oc new-project <projectname> | ||
---- | ||
. Create a project | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc new-project demo-secrets | ||
Now using project "demo-secrets" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443". | ||
---- | ||
. Create secrets for the project | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc create secret generic mysql --from-literal user=demouser --from-literal password=redhat --from-literal database=demo_db --from-literal hostname=mysql | ||
secret/mysql created | ||
---- | ||
. Create an Application | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc new-app --name mysql-demo --docker-image registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47 | ||
--> Found container image 77d20f2 (12 months old) from registry.access.redhat.com for "registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47" | ||
---- | ||
. Check status of deployed application | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc get pods -w | ||
NAME READY STATUS RESTARTS AGE | ||
mysql-demo-1-9vhjq 0/1 ContainerCreating 0 27s | ||
mysql-demo-1-deploy 1/1 Running 0 35s | ||
NAME READY STATUS RESTARTS AGE | ||
mysql-demo-1-9vhjq 0/1 Error 0 44s | ||
mysql-demo-1-9vhjq 0/1 Error 1 45s | ||
mysql-demo-1-9vhjq 0/1 CrashLoopBackOff 1 46s | ||
---- | ||
. Investigate issues | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc logs mysql-demo-1-9vhjq | ||
=> sourcing 20-validate-variables.sh ... | ||
You must either specify the following environment variables: | ||
MYSQL_USER (regex: '^[a-zA-Z0-9_]+$') | ||
MYSQL_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$') | ||
MYSQL_DATABASE (regex: '^[a-zA-Z0-9_]+$') | ||
Or the following environment variable: | ||
MYSQL_ROOT_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$') | ||
Or both. | ||
---- | ||
+ | ||
.Variables needed by container image | ||
[IMPORTANT] | ||
==== | ||
In this instance, the container couldn't start because the environment variables weren't passed to the container or made available via the secrets | ||
==== | ||
. Update the deployment configuration and check to see if the pod is fixed | ||
+ | ||
.Updating the *dc* | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc set env deployment/mysql-demo --prefix MYSQL_ --from secret/mysql | ||
deploymentconfig.apps.openshift.io/mysql-demo updated | ||
---- | ||
+ | ||
.Alternate methods of deployment config manipulation | ||
[CAUTION] | ||
==== | ||
It is important to note that the *oc set env* is setting all environment variables and adding a prefix of *MYSQL_* to all the variables that have been defined. It is also possible to use the *oc edit dc/mysql-demo* to modify the deployment configuration. | ||
|
||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc edit deployment/mysql-demo | ||
... output omitted ... | ||
kind: DeploymentConfig | ||
metadata: | ||
annotations: | ||
openshift.io/generated-by: OpenShiftNewApp | ||
creationTimestamp: "2020-07-28T17:11:02Z" | ||
generation: 3 | ||
labels: | ||
app: mysql-demo | ||
name: mysql-demo | ||
namespace: demo-secrets | ||
... output omitted ... | ||
spec: | ||
containers: | ||
- env: | ||
- name: MYSQL_DATABASE | ||
valueFrom: | ||
secretKeyRef: | ||
key: database | ||
name: mysql | ||
- name: MYSQL_HOSTNAME | ||
valueFrom: | ||
secretKeyRef: | ||
key: hostname | ||
name: mysql | ||
- name: MYSQL_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
key: password | ||
name: mysql | ||
- name: MYSQL_USER | ||
valueFrom: | ||
secretKeyRef: | ||
key: user | ||
name: mysql | ||
... output omitted ... | ||
---- | ||
+ | ||
==== | ||
.Note about oc edit dc/_name_ | ||
[TIP] | ||
==== | ||
With OCP v4.5, the *oc edit dc/name* no longer works as it doesn't see that as a deployment config. Instead, you need to use *oc edit deployment/name* so it will find the deployment based on the name of the App you specified earlier. | ||
==== | ||
+ | ||
.Verifying application and pods | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc get pods | ||
NAME READY STATUS RESTARTS AGE | ||
mysql-demo-2-deploy 0/1 Completed 0 24s | ||
mysql-demo-2-spbpj 1/1 Running 0 15 | ||
---- | ||
. Test the Database with *oc rsh* | ||
+ | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc rsh mysql-demo-2-spbpj | ||
sh-4.2$ | ||
---- | ||
+ | ||
.Accessing the Database | ||
[source,bash] | ||
---- | ||
sh-4.2$ mysql -u demouser -p | ||
Enter password: | ||
Welcome to the MySQL monitor. Commands end with ; or \g. | ||
Your MySQL connection id is 7 | ||
... output omitted ... | ||
mysql> show databases; | ||
+--------------------+ | ||
| Database | | ||
+--------------------+ | ||
| information_schema | | ||
| demo_db | | ||
+--------------------+ | ||
2 rows in set (0.00 sec) | ||
mysql> exit | ||
Bye | ||
sh-4.2$ exit | ||
exit | ||
---- | ||
. Cleanup the demo | ||
+ | ||
.Source Description | ||
[source,bash] | ||
---- | ||
[student@workstation ~]$ oc delete projects demo-secrets | ||
project.project.openshift.io "demo-secrets" deleted | ||
[student@workstation ~]$ lab authorization-secrets finish | ||
---- | ||
===== |
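Review bot: the object names in the commands and their captured output disagree: `oc set env deployment/mysql-demo ...` is answered by `deploymentconfig.apps.openshift.io/mysql-demo updated`, and `oc edit deployment/mysql-demo` shows `kind: DeploymentConfig`, while the `mysql-demo-1-deploy` deployer pod and the `dc/gitlab-demo` usage in the SCC demo of this same commit both show that `oc new-app` produced a DeploymentConfig here. Either change the commands to `dc/mysql-demo` to match the output (and the `.Updating the *dc*` caption) or re-capture the output from a real Deployment, and drop or rewrite the TIP stating that `oc edit dc/name` no longer works in 4.5, which the SCC hunk contradicts. Two smaller points: `--from-literal password=redhat` writes the password into the workstation's shell history, so the text should say so and point at `--from-file` as the alternative for real credentials; and the `.Source Description` caption on the cleanup block, the missing `s` in `mysql-demo-2-spbpj 1/1 Running 0 15`, and the missing period after `via the secrets` should be fixed.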