Skip to main content

Openshift/K8S: Permission for access images to your Project/Namespace from another

Openshift and Kubernetes uses images to deploy containers for your projects. If you have a customized image and simply you want to use the same image in your another namespace  or project. In this case you have two options, Either you pull image from image registry that customized image come from or pull it from another project.


You may not  use first option if your Kubernetes or Openshift environment is  closed to external or company policies denies it. Second option is a bit of complicated but also  useful too. Also you can scriptize it  for further use. Therefore, it comes!

[ozgurkkisa@workstation ~]$ oc policy add-role-to-group \
-n project-common system:image-puller \
system:serviceaccounts:project-new
clusterrole.rbac.authorization.k8s.io/system:image-puller added: "system:serviceaccounts:youruser-expose-image" 


At the example above, you give image-puller access permission from project named project-common to serviceaccounts in project named project-new. By this way, Developer of project-new might use images at project-common. To perform this operation he/she can type the example command below :

[ozgurkkisa@workstation ~]$oc new-app --name info \
-i ${RHT_OCP4_DEV_USER}-common/php-info
 

If you want to make a script from this, just create a new file with vim or your favorite text editor, add a shebang and save it as with .sh extension : 


#!/bin/bash 
oc policy add-role-to-group \
-n project-common system:image-puller \
system:serviceaccounts:project-new


At the end of day, your life would be a bit of easier 💪😀

Hope to soon again with new articles.

With my best wishes

Labels:

Comments

Post a Comment

Popular posts from this blog

Openshift/K8S : Get routes hostnames and learn their reachability

  Undoubtedly, route have a key role to accessing your pods and their applications inside.  You may want to learn your whole Kubernetes or Openshift routes and their hostnames. Also you want to learn reachability of them. Here comes a shortcut! First step is creating a variable : hosts=$(oc get route -A \ -o jsonpath='{.items[*].spec.host}') You can ensure that just getting the hostnames,  rather than any other info by running : echo $hosts After this point we need a series of shell command to get names and HTTP status of our routes. For this task, write out the codes shown below :  for host in $hosts ; do \ curl https://$host -k -w "%{url_effective} %{http_code}\n" -o /dev/null -s ; \ done https://oauth-openshift.apps.ocp4.ozgurkkisa.com/ 403 https://console-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://downloads-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://alertmanager-main-openshift-monitoring.apps.ocp4.ozgurkkisa.com/ 403 https://grafa...
Post a Comment
Read more

K8S/OPENSHIFT: POD CRASHING,SECURITY CONTEXT CONTRAINTS PROBLEM?

  Your new daily given task is creating a new app in a new namespace. You investigated and found your image. Then you started to create your app. After app created you checked and realized that the your new apps pod is not starting! Here look at this example. I Used gitlab here as an instance. [ozgurk@myworkstation ~]$ oc new-app --name gitlab \ > --docker-image quay.io/redhattraining/gitlab-ce:8.4.3-ce.0 --> Creating resources ... imagestream.image.openshift.io "gitlab" created deployment.apps "gitlab" created service "gitlab" created --> Success  Until here, everything looking normal. Check your pod status :  [ozgurk@myworkstation ~]$ oc get pods NAME READY STATUS RESTARTS AGE gitlab-6d61db3479-yyjl 0/1 Error 1 43s As seen above, our pod is in a trouble. It's better to start investigation from pod logs. [ozgurk@myworkstation ~]$ oc logs pod/ gitlab-6d61db3479-yyjl ===========...
Post a Comment
Read more

Openshift : Display the expiry date of the OpenShift Console TLS certificate

Hello from openshift! I have a question for you. When will expires your Openshift Router TLS (console) certificate? Here is a short solution to learn this info. Let's start! At first, login to your Openshift cluster. Then, create a variable for router tls certificate hostname : console=$(oc get route -n openshift-console console \ > -o jsonpath='{.spec.host}') After defining router hostname variable, check it : echo $console console-openshift-console.apps.ocp4.ozgurkkisa.com   And finally we are gonna learn what is the expiration of  our beloved Router TLS certificate by running curl https://$console -k -v 2>&1 | grep 'expire date' * expire date: Jun 22 16:43:53 2022 GMT Therefore, we have learned our OpenShift Router TLS certificate expiration date. By this you can write a to-do and  prepare yourself to replacing this certificate. Thats it!
Post a Comment
Read more