@bzon
Last active July 17, 2017 15:20
Openshift Notes and Hacks

General User Management and Security

Add anyuid privilege to a service account

oc adm policy add-scc-to-user anyuid -z serviceAccountName -n namespaceName

Enable a serviceAccount from destinationProject to pull images from sourceProject

oc policy add-role-to-user system:image-puller system:serviceaccount:destinationProject:serviceAccount --namespace=sourceProject

Networking

Expose an app Port using NodePort

In this example, we are exposing the oracle-xe deployment config containerPort 1521 to nodePort 30401.

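apiVersion: v1
kind: Service
metadata:
  name: oracle-xe
spec:
  # nodePort is only honoured when the service type is NodePort
  type: NodePort
  ports:
    - name: tcp-30401
      protocol: TCP
      port: 1521
      targetPort: 1521
      nodePort: 30401
  # selector is a map of labels, not a list
  selector:
    name: oracle-xe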

If we create a route from this service with oc expose svc/oracle-xe --hostname=oracle-xe.apps.domain.com, then we should be able to access the Oracle database port 1521 via oracle-xe.apps.domain.com:30401.

Persistent Storage Configurations and Hacks

Resolving an issue where a container does not write to an NFS Persistent Volume directory

Reference: https://docs.openshift.com/container-platform/3.4/install_config/persistent_storage/persistent_storage_nfs.html
A good example of this use case is mounting the MongoDB data directory.

Create a service account.

# mongo-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongo

oc create -f mongo-sa.yaml

Grant the service account the anyuid SCC so the pod is allowed to run as the UID set in its securityContext.
oc adm policy add-scc-to-user anyuid -z mongo

Ensure that the mongodb Deployment or Pod configuration has something like the following.

....
      securityContext:
        runAsUser: 65534
      serviceAccount: mongo
      serviceAccountName: mongo
....
      volumes:
      - name: mongodb-data
        persistentVolumeClaim:
          claimName: mongodb
....

Here mongodb is the claimName of a claim bound to an NFS Persistent Volume.

Resolving an issue when creating a Persistent Volume for Azure Files

Documentation: https://docs.openshift.com/container-platform/3.4/install_config/persistent_storage/persistent_storage_azure_file.html#creating-azure-storage-account-secret

The Azure storage account key is so long that, when you convert it to base64, the encoded output is wrapped and a newline ends up somewhere in the middle. That newline keeps the storage account key from working properly when the Persistent Volume Claim is created. To resolve it, make sure you remove the newline:

# printf avoids the trailing newline that echo would append to the key before it is encoded
printf '%s' "Voxv9uJt8r9rpjFiRgs27duT9sdZSHZGAAzCgKhas/2EGR8GD3M78quvcvMO/jms+iXGzz0b7Dexl7EB3SXgTA==" | base64 | awk 'BEGIN{ORS="";} {print}' > text
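
The newline problem described above, as an added example that is not part of the original gist: it encodes a key to a single base64 line, checks that the value decodes back to exactly the key, and prints the Secret manifest. The secret name azure-secret, the account name examplestorage and SAMPLE_KEY are constructed for illustration; tr stands in for the awk step, the data field names are the ones the Azure File volume plugin reads, and base64 --decode assumes GNU coreutils or macOS base64.

```shell
#!/bin/sh
# Added example. SAMPLE_KEY is constructed data, not a real storage account key.
SAMPLE_KEY='Q09OU1RSVUNURUQtU0FNUExFLUtFWS1OT1QtUkVBTC0wMTIzNDU2Nzg5LUFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaLQ=='

# Encode a raw value as one unbroken base64 line.
# printf avoids the newline echo would append to the key itself;
# tr removes the line breaks base64 inserts into long output.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed only if $1 is a single line that decodes to exactly the raw value $2.
check_secret_value() {
    encoded=$1
    raw=$2
    case $encoded in
        *"
"*) echo "encoded value contains a newline" >&2; return 1 ;;
    esac
    # The trailing x keeps $(...) from stripping a decoded trailing newline.
    decoded=$(printf '%s' "$encoded" | base64 --decode; printf x)
    if [ "${decoded%x}" != "$raw" ]; then
        echo "decoded value differs from the key" >&2
        return 1
    fi
}

# Print a Secret manifest: $1 secret name, $2 storage account name, $3 raw key.
render_azure_secret() {
    enc_account=$(encode_secret_value "$2")
    enc_key=$(encode_secret_value "$3")
    check_secret_value "$enc_key" "$3" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  azurestorageaccountname: $enc_account
  azurestorageaccountkey: $enc_key
EOF
}

# Hypothetical secret and account names, for illustration only.
render_azure_secret azure-secret examplestorage "$SAMPLE_KEY"
```

check_secret_value also rejects a value produced with plain echo, because the decoded key then ends in a newline even when the base64 text itself is on one line.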

Monitoring with Prometheus

Deploying Prometheus

Deploying Node Exporter

Deploying HA Proxy exporter

https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html#exposing-the-router-metrics

Deploying Grafana
