diff --git a/CH4/CH4.adoc b/CH4/CH4.adoc
new file mode 100644
index 0000000..8114571
--- /dev/null
+++ b/CH4/CH4.adoc
@@ -0,0 +1,15 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+== Configuring Application Security
+
+include::./Secrets.adoc[]
+include::./SCC.adoc[]
diff --git a/CH4/SCC.adoc b/CH4/SCC.adoc
new file mode 100644
index 0000000..26093a8
--- /dev/null
+++ b/CH4/SCC.adoc
@@ -0,0 +1,155 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+=== Demonstration - Controlling Application Permissions with Security Context Constraints
+
+.Controlling Application Permissions with Security Context Constraints - Demo
+=====
+
+
+.Preparing Demo Environment
+[TIP]
+====
+Note that for the demo, not using the *least privileges* model.
+
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-scc start
+----
+
+====
+
+. Source the file and login as developer
++
+[source,bash]
+----
+[student@workstation ~]$ source /usr/local/etc/ocp4.config
+
+[student@workstation ~]$ oc login -u developer -p developer
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+ oc new-project
+----
+
+. Create a new project
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-project scc-demo
+Now using project "scc-demo" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443"
+----
+
+. Create New App
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-app --name gitlab-demo --docker-image gitlab/gitlab-ce:8.4.3-ce.0
+--> Found container image a26371b (4 years old) from Docker Hub for "gitlab/gitlab-ce:8.4.3-ce.0"
+----
++
+.Obtaining Status of App
+[source,bash]
+----
+[student@workstation ~]$ oc get pods
+NAME READY STATUS RESTARTS AGE
+gitlab-demo-1-7bz44 0/1 Error 0 44s
+gitlab-demo-1-deploy 0/1 Completed 0 54s
+----
++
+[CAUTION]
+====
+The application failed because it needs to run with different permissions and the newly created SCC.
+====
+
+. Source the file and login as admin
++
+[source,bash]
+----
+[student@workstation ~]$ oc login -u admin -p redhat
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+ oc new-project
+----
+
+. Create a Service Account
++
+[source,bash]
+----
+[student@workstation ~]$ oc create sa gitlab-svc
+serviceaccount/gitlab-svc created
+----
+
+. Assign the *anyuid* SCC to the Service Account
++
+[source,bash]
+----
+[student@workstation ~]$ oc adm policy add-scc-to-user anyuid -z gitlab-svc
+securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:scc-demo:gitlab-svc"]
+----
+
+
+. Assign the new service account to the deployment
++
+[source,bash]
+----
+[student@workstation ~]$ oc set serviceaccount dc/gitlab-demo gitlab-svc
+deploymentconfig.apps.openshift.io/gitlab-demo serviceaccount updated
+----
++
+.Obtaining Status of App
+[source,bash]
+----
+[student@workstation ~]$ oc get pods
+NAME READY STATUS RESTARTS AGE
+gitlab-demo-2-deploy 0/1 Completed 0 54s
+gitlab-demo-2-t7nfx 1/1 Running 0 45s
+----
+
+. Expose the Service and Obtain a Route
++
+.Exposing the Service
+[source,bash]
+----
+[student@workstation ~]$ oc expose service gitlab-demo --port 80
+route.route.openshift.io/gitlab-demo exposed
+----
++
+.Obtaining a Route
+[source,bash]
+----
+[student@workstation ~]$ oc get route gitlab-demo
+NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
+gitlab-demo gitlab-demo-scc-demo.apps.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com gitlab-demo 80 None
+----
+
+. Testing the Service
++
+image::Chapter4-dd8ac.png[title="Gitlab Login Screen", align="center"]
+
+. Cleanup Demo
++
+.Remove Project
+[source,bash]
+----
+[student@workstation ~]$ oc delete project scc-demo
+project.project.openshift.io "scc-demo" deleted
+----
++
+.Cleanup Lab
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-scc finish
+----
+=====
diff --git a/CH4/Secrets.adoc b/CH4/Secrets.adoc
new file mode 100644
index 0000000..27456ea
--- /dev/null
+++ b/CH4/Secrets.adoc
@@ -0,0 +1,221 @@
+:pygments-style: tango
+:source-highlighter: coderay
+:toc:
+:toclevels: 7
+:sectnums:
+:sectnumlevels: 6
+:numbered:
+:chapter-label:
+:icons: font
+:imagesdir: images/
+
+=== Demonstration - Managing Sensitive Information With Secrets
+
+.Managing Sensitive Information With Secrets - Demo
+=====
+
+[TIP]
+====
+Must start the lab for the demo to work so resources will be available and usable.
+
+[source,bash]
+----
+[student@workstation ~]$ lab authorization-secrets start
+----
+====
+
+. Source the resource file and login as a developer user
++
+[source,bash]
+----
+[student@workstation ~]$ source /usr/local/etc/ocp4.config
+
+[student@workstation ~]$ oc login -u developer -p developer
+Login successful.
+
+You don't have any projects. You can try to create a new project, by running
+
+ oc new-project
+----
+
+. Create a project
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-project demo-secrets
+Now using project "demo-secrets" on server "https://api.ocp-gdqpjexgnzgogxx200728.do280.rht-na.nextcle.com:6443".
+----
+
+. Create secrets for the project
++
+[source,bash]
+----
+[student@workstation ~]$ oc create secret generic mysql --from-literal user=demouser --from-literal password=redhat --from-literal database=demo_db --from-literal hostname=mysql
+secret/mysql created
+----
+
+. Create an Application
++
+[source,bash]
+----
+[student@workstation ~]$ oc new-app --name mysql-demo --docker-image registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47
+--> Found container image 77d20f2 (12 months old) from registry.access.redhat.com for "registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47"
+----
+
+. Check status of deployed application
++
+[source,bash]
+----
+[student@workstation ~]$ oc get pods -w
+NAME READY STATUS RESTARTS AGE
+mysql-demo-1-9vhjq 0/1 ContainerCreating 0 27s
+mysql-demo-1-deploy 1/1 Running 0 35s
+NAME READY STATUS RESTARTS AGE
+mysql-demo-1-9vhjq 0/1 Error 0 44s
+mysql-demo-1-9vhjq 0/1 Error 1 45s
+mysql-demo-1-9vhjq 0/1 CrashLoopBackOff 1 46s
+----
+
+. Investigate issues
++
+[source,bash]
+----
+[student@workstation ~]$ oc logs mysql-demo-1-9vhjq
+=> sourcing 20-validate-variables.sh ...
+You must either specify the following environment variables:
+ MYSQL_USER (regex: '^[a-zA-Z0-9_]+$')
+ MYSQL_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$')
+ MYSQL_DATABASE (regex: '^[a-zA-Z0-9_]+$')
+Or the following environment variable:
+ MYSQL_ROOT_PASSWORD (regex: '^[a-zA-Z0-9_~!@#$%^&*()-=<>,.?;:|]+$')
+Or both.
+----
++
+.Variables needed by container image
+[IMPORTANT]
+====
+In this instance, the container couldn't start because the environment variables weren't passed to the container or made available via the secrets
+====
+
+. Update the deployment configuration and check to see if the pod is fixed
++
+.Updating the *dc*
+[source,bash]
+----
+[student@workstation ~]$ oc set env deployment/mysql-demo --prefix MYSQL_ --from secret/mysql
+deploymentconfig.apps.openshift.io/mysql-demo updated
+----
++
+.Alternate methods of deployment config manipulation
+[CAUTION]
+====
+It is important to note that the *oc set env* is setting all environment variables and adding a prefix of *MYSQL_* to all the variables that have been defined. It is also possible to use the *oc edit dc/mysql-demo* to modify the deployment configuration.
+
+[source,bash]
+----
+[student@workstation ~]$ oc edit deployment/mysql-demo
+
+... output omitted ...
+
+kind: DeploymentConfig
+metadata:
+ annotations:
+ openshift.io/generated-by: OpenShiftNewApp
+ creationTimestamp: "2020-07-28T17:11:02Z"
+ generation: 3
+ labels:
+ app: mysql-demo
+ name: mysql-demo
+ namespace: demo-secrets
+
+... output omitted ...
+
+spec:
+ containers:
+ - env:
+ - name: MYSQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: database
+ name: mysql
+ - name: MYSQL_HOSTNAME
+ valueFrom:
+ secretKeyRef:
+ key: hostname
+ name: mysql
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: mysql
+ - name: MYSQL_USER
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: mysql
+
+... output omitted ...
+----
++
+====
+
+.Note about oc edit dc/_name_
+[TIP]
+====
+With OCP v4.5, the *oc edit dc/name* no longer works as it doesn't see that as a deployment config. Instead, you need to use *oc edit deployment/name* so it will find the deployment based on the name of the App you specified earlier.
+====
++
+.Verifying application and pods
+[source,bash]
+----
+[student@workstation ~]$ oc get pods
+NAME READY STATUS RESTARTS AGE
+mysql-demo-2-deploy 0/1 Completed 0 24s
+mysql-demo-2-spbpj 1/1 Running 0 15
+----
+
+. Test the Database with *oc rsh*
++
+[source,bash]
+----
+[student@workstation ~]$ oc rsh mysql-demo-2-spbpj
+sh-4.2$
+----
++
+.Accessing the Database
+[source,bash]
+----
+sh-4.2$ mysql -u demouser -p
+Enter password:
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 7
+
+... output omitted ...
+
+mysql> show databases;
++--------------------+
+| Database |
++--------------------+
+| information_schema |
+| demo_db |
++--------------------+
+2 rows in set (0.00 sec)
+
+mysql> exit
+Bye
+sh-4.2$ exit
+exit
+----
+
+. Cleanup the demo
++
+.Source Description
+[source,bash]
+----
+[student@workstation ~]$ oc delete projects demo-secrets
+project.project.openshift.io "demo-secrets" deleted
+
+[student@workstation ~]$ lab authorization-secrets finish
+----
+
+=====
diff --git a/CH4/images/Chapter4-dd8ac.png b/CH4/images/Chapter4-dd8ac.png
new file mode 100644
index 0000000..9280649
Binary files /dev/null and b/CH4/images/Chapter4-dd8ac.png differ
diff --git a/DO280_Demo_Guide.adoc b/DO280_Demo_Guide.adoc
index 043990a..01b026e 100644
--- a/DO280_Demo_Guide.adoc
+++ b/DO280_Demo_Guide.adoc
@@ -26,3 +26,4 @@ endif::[]
 include::./CH1/CH1.adoc[]
 include::./CH2/CH2.adoc[]
 include::./CH3/CH3.adoc[]
+include::./CH4/CH4.adoc[]
diff --git a/images/Chapter4-dd8ac.png b/images/Chapter4-dd8ac.png
new file mode 100644
index 0000000..9280649
Binary files /dev/null and b/images/Chapter4-dd8ac.png differ