cmoulliard/gist:f05b9bc762cbab9993087b1a44aa1331 Secret

## gistfile1.txt
oc describe po/webconsole-84466b9d97-zthkl
Name:           webconsole-84466b9d97-zthkl
Namespace:      openshift-web-console
Node:           192.168.99.50/192.168.99.50
Start Time:     Thu, 17 May 2018 20:19:08 +0200
Labels:         app=openshift-web-console
                pod-template-hash=4002265853
                webconsole=true
Annotations:    openshift.io/scc=anyuid
Status:         Running
IP:             10.128.0.232
Controlled By:  ReplicaSet/webconsole-84466b9d97
Containers:
  webconsole:
    Container ID:  docker://9311b5f9267e14210770135faab0b23c613f8902f73bf702e5bf4599b3bf3a56
    Image:         docker.io/openshift/origin-web-console:v3.9.0
    Image ID:      docker-pullable://docker.io/openshift/origin-web-console@sha256:3ded49e9ddd052ff8a4187e60a0ba8645530d118baf9dae0412baa17845a38ba
    Port:          8443/TCP
    Command:
      /usr/bin/origin-web-console
      --audit-log-path=-
      -v=0
      --config=/var/webconsole-config/webconsole-config.yaml
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    255
      Started:      Thu, 17 May 2018 20:19:12 +0200
      Finished:     Thu, 17 May 2018 20:19:12 +0200
    Ready:          False
    Restart Count:  1
    Requests:
      cpu:     100m
      memory:  100Mi
    Liveness:  exec [/bin/sh -c if [[ ! -f /tmp/webconsole-config.hash ]]; then \
  md5sum /var/webconsole-config/webconsole-config.yaml > /tmp/webconsole-config.hash; \
elif [[ $(md5sum /var/webconsole-config/webconsole-config.yaml) != $(cat /tmp/webconsole-config.hash) ]]; then \
  echo 'webconsole-config.yaml has changed.'; \
  exit 1; \
fi && curl -k -f https://0.0.0.0:8443/console/] delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get https://:8443/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from webconsole-token-9wjcz (ro)
      /var/serving-cert from serving-cert (rw)
      /var/webconsole-config from webconsole-config (rw)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  serving-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  webconsole-serving-cert
    Optional:    false
  webconsole-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      webconsole-config
    Optional:  false
  webconsole-token-9wjcz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  webconsole-token-9wjcz
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  node-role.kubernetes.io/master=true
Tolerations:     node.kubernetes.io/memory-pressure:NoSchedule
Events:
  Type     Reason                 Age                From                    Message
  ----     ------                 ----               ----                    -------
  Normal   Scheduled              17s                default-scheduler       Successfully assigned webconsole-84466b9d97-zthkl to 192.168.99.50
  Normal   SuccessfulMountVolume  16s                kubelet, 192.168.99.50  MountVolume.SetUp succeeded for volume "webconsole-config"
  Normal   SuccessfulMountVolume  16s                kubelet, 192.168.99.50  MountVolume.SetUp succeeded for volume "webconsole-token-9wjcz"
  Normal   SuccessfulMountVolume  16s                kubelet, 192.168.99.50  MountVolume.SetUp succeeded for volume "serving-cert"
  Normal   Pulled                 13s (x2 over 14s)  kubelet, 192.168.99.50  Container image "docker.io/openshift/origin-web-console:v3.9.0" already present on machine
  Normal   Created                13s (x2 over 14s)  kubelet, 192.168.99.50  Created container
  Normal   Started                13s (x2 over 14s)  kubelet, 192.168.99.50  Started container
  Warning  BackOff                10s (x3 over 12s)  kubelet, 192.168.99.50  Back-off restarting failed container

oc logs po/webconsole-84466b9d97-zthkl
W0517 18:19:29.287513       1 start.go:93] Warning: config.clusterInfo.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console, web console start will continue.
W0517 18:19:29.287608       1 start.go:93] Warning: config.clusterInfo.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console, web console start will continue.
Error: unable to load server certificate: open /var/serving-cert/tls.crt: permission denied
Usage:
  origin-web-console [flags]

Flags:
      --alsologtostderr                                log to standard error as well as files
      --audit-log-format string                        Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Requires the 'AdvancedAuditing' feature gate. Known formats are legacy,json. (default "json")
      --audit-log-maxage int                           The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
      --audit-log-maxbackup int                        The maximum number of old audit log files to retain.
      --audit-log-maxsize int                          The maximum size in megabytes of the audit log file before it gets rotated.
      --audit-log-path string                          If set, all requests coming to the apiserver will be logged to this file.  '-' means standard out.
      --audit-policy-file string                       Path to the file that defines the audit policy configuration. Requires the 'AdvancedAuditing' feature gate. With AdvancedAuditing, a profile is required to enable auditing.
      --audit-webhook-batch-buffer-size int            The size of the buffer to store events before batching and sending to the webhook. Only used in batch mode. (default 10000)
      --audit-webhook-batch-initial-backoff duration   The amount of time to wait before retrying the first failed requests. Only used in batch mode. (default 10s)
      --audit-webhook-batch-max-size int               The maximum size of a batch sent to the webhook. Only used in batch mode. (default 400)
      --audit-webhook-batch-max-wait duration          The amount of time to wait before force sending the batch that hadn't reached the max size. Only used in batch mode. (default 30s)
      --audit-webhook-batch-throttle-burst int         Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15)
      --audit-webhook-batch-throttle-qps float32       Maximum average number of requests per second. Only used in batch mode. (default 10)
      --audit-webhook-config-file string               Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate.
      --audit-webhook-mode string                      Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the webhook to buffer and send events asynchronously. Known modes are batch,blocking. (default "batch")
      --config string                                  filename containing the WebConsoleConfig
      --contention-profiling                           Enable lock contention profiling, if profiling is enabled
      --enable-swagger-ui                              Enables swagger ui on the apiserver at /swagger-ui
      --log-flush-frequency duration                   Maximum number of seconds between log flushes (default 5s)
      --log_backtrace_at traceLocation                 when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                                 If non-empty, write log files in this directory
      --logtostderr                                    log to standard error instead of files (default true)
      --profiling                                      Enable profiling via web interface host:port/debug/pprof/ (default true)
      --stderrthreshold severity                       logs at or above this threshold go to stderr (default 2)
  -v, --v Level                                        log level for V logs
      --vmodule moduleSpec                             comma-separated list of pattern=N settings for file-filtered logging

F0517 18:19:29.288355       1 console.go:35] unable to load server certificate: open /var/serving-cert/tls.crt: permission denied

oc get scc/anyuid -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: null
allowedFlexVolumes: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: 2018-05-17T07:19:55Z
  name: anyuid
  resourceVersion: "25079"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: b2e4c454-59a2-11e8-aeee-0800278500b8
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:openshift-web-console:webconsole
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
	oc describe po/webconsole-84466b9d97-zthkl
	Name: webconsole-84466b9d97-zthkl
	Namespace: openshift-web-console
	Node: 192.168.99.50/192.168.99.50
	Start Time: Thu, 17 May 2018 20:19:08 +0200
	Labels: app=openshift-web-console
	pod-template-hash=4002265853
	webconsole=true
	Annotations: openshift.io/scc=anyuid
	Status: Running
	IP: 10.128.0.232
	Controlled By: ReplicaSet/webconsole-84466b9d97
	Containers:
	webconsole:
	Container ID: docker://9311b5f9267e14210770135faab0b23c613f8902f73bf702e5bf4599b3bf3a56
	Image: docker.io/openshift/origin-web-console:v3.9.0
	Image ID: docker-pullable://docker.io/openshift/origin-web-console@sha256:3ded49e9ddd052ff8a4187e60a0ba8645530d118baf9dae0412baa17845a38ba
	Port: 8443/TCP
	Command:
	/usr/bin/origin-web-console
	--audit-log-path=-
	-v=0
	--config=/var/webconsole-config/webconsole-config.yaml
	State: Waiting
	Reason: CrashLoopBackOff
	Last State: Terminated
	Reason: Error
	Exit Code: 255
	Started: Thu, 17 May 2018 20:19:12 +0200
	Finished: Thu, 17 May 2018 20:19:12 +0200
	Ready: False
	Restart Count: 1
	Requests:
	cpu: 100m
	memory: 100Mi
	Liveness: exec [/bin/sh -c if [[ ! -f /tmp/webconsole-config.hash ]]; then \
	md5sum /var/webconsole-config/webconsole-config.yaml > /tmp/webconsole-config.hash; \
	elif [[ $(md5sum /var/webconsole-config/webconsole-config.yaml) != $(cat /tmp/webconsole-config.hash) ]]; then \
	echo 'webconsole-config.yaml has changed.'; \
	exit 1; \
	fi && curl -k -f https://0.0.0.0:8443/console/] delay=0s timeout=1s period=10s #success=1 #failure=3
	Readiness: http-get https://:8443/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
	Environment: <none>
	Mounts:
	/var/run/secrets/kubernetes.io/serviceaccount from webconsole-token-9wjcz (ro)
	/var/serving-cert from serving-cert (rw)
	/var/webconsole-config from webconsole-config (rw)
	Conditions:
	Type Status
	Initialized True
	Ready False
	PodScheduled True
	Volumes:
	serving-cert:
	Type: Secret (a volume populated by a Secret)
	SecretName: webconsole-serving-cert
	Optional: false
	webconsole-config:
	Type: ConfigMap (a volume populated by a ConfigMap)
	Name: webconsole-config
	Optional: false
	webconsole-token-9wjcz:
	Type: Secret (a volume populated by a Secret)
	SecretName: webconsole-token-9wjcz
	Optional: false
	QoS Class: Burstable
	Node-Selectors: node-role.kubernetes.io/master=true
	Tolerations: node.kubernetes.io/memory-pressure:NoSchedule
	Events:
	Type Reason Age From Message
	---- ------ ---- ---- -------
	Normal Scheduled 17s default-scheduler Successfully assigned webconsole-84466b9d97-zthkl to 192.168.99.50
	Normal SuccessfulMountVolume 16s kubelet, 192.168.99.50 MountVolume.SetUp succeeded for volume "webconsole-config"
	Normal SuccessfulMountVolume 16s kubelet, 192.168.99.50 MountVolume.SetUp succeeded for volume "webconsole-token-9wjcz"
	Normal SuccessfulMountVolume 16s kubelet, 192.168.99.50 MountVolume.SetUp succeeded for volume "serving-cert"
	Normal Pulled 13s (x2 over 14s) kubelet, 192.168.99.50 Container image "docker.io/openshift/origin-web-console:v3.9.0" already present on machine
	Normal Created 13s (x2 over 14s) kubelet, 192.168.99.50 Created container
	Normal Started 13s (x2 over 14s) kubelet, 192.168.99.50 Started container
	Warning BackOff 10s (x3 over 12s) kubelet, 192.168.99.50 Back-off restarting failed container

	oc logs po/webconsole-84466b9d97-zthkl
	W0517 18:19:29.287513 1 start.go:93] Warning: config.clusterInfo.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console, web console start will continue.
	W0517 18:19:29.287608 1 start.go:93] Warning: config.clusterInfo.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console, web console start will continue.
	Error: unable to load server certificate: open /var/serving-cert/tls.crt: permission denied
	Usage:
	origin-web-console [flags]

	Flags:
	--alsologtostderr log to standard error as well as files
	--audit-log-format string Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Requires the 'AdvancedAuditing' feature gate. Known formats are legacy,json. (default "json")
	--audit-log-maxage int The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
	--audit-log-maxbackup int The maximum number of old audit log files to retain.
	--audit-log-maxsize int The maximum size in megabytes of the audit log file before it gets rotated.
	--audit-log-path string If set, all requests coming to the apiserver will be logged to this file. '-' means standard out.
	--audit-policy-file string Path to the file that defines the audit policy configuration. Requires the 'AdvancedAuditing' feature gate. With AdvancedAuditing, a profile is required to enable auditing.
	--audit-webhook-batch-buffer-size int The size of the buffer to store events before batching and sending to the webhook. Only used in batch mode. (default 10000)
	--audit-webhook-batch-initial-backoff duration The amount of time to wait before retrying the first failed requests. Only used in batch mode. (default 10s)
	--audit-webhook-batch-max-size int The maximum size of a batch sent to the webhook. Only used in batch mode. (default 400)
	--audit-webhook-batch-max-wait duration The amount of time to wait before force sending the batch that hadn't reached the max size. Only used in batch mode. (default 30s)
	--audit-webhook-batch-throttle-burst int Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15)
	--audit-webhook-batch-throttle-qps float32 Maximum average number of requests per second. Only used in batch mode. (default 10)
	--audit-webhook-config-file string Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate.
	--audit-webhook-mode string Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the webhook to buffer and send events asynchronously. Known modes are batch,blocking. (default "batch")
	--config string filename containing the WebConsoleConfig
	--contention-profiling Enable lock contention profiling, if profiling is enabled
	--enable-swagger-ui Enables swagger ui on the apiserver at /swagger-ui
	--log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
	--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
	--log_dir string If non-empty, write log files in this directory
	--logtostderr log to standard error instead of files (default true)
	--profiling Enable profiling via web interface host:port/debug/pprof/ (default true)
	--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
	-v, --v Level log level for V logs
	--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging

	F0517 18:19:29.288355 1 console.go:35] unable to load server certificate: open /var/serving-cert/tls.crt: permission denied

	oc get scc/anyuid -o yaml
	allowHostDirVolumePlugin: false
	allowHostIPC: false
	allowHostNetwork: false
	allowHostPID: false
	allowHostPorts: false
	allowPrivilegedContainer: false
	allowedCapabilities: null
	allowedFlexVolumes: null
	apiVersion: security.openshift.io/v1
	defaultAddCapabilities: null
	fsGroup:
	type: RunAsAny
	groups:
	- system:cluster-admins
	- system:authenticated
	kind: SecurityContextConstraints
	metadata:
	annotations:
	kubernetes.io/description: anyuid provides all features of the restricted SCC
	but allows users to run with any UID and any GID.
	creationTimestamp: 2018-05-17T07:19:55Z
	name: anyuid
	resourceVersion: "25079"
	selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
	uid: b2e4c454-59a2-11e8-aeee-0800278500b8
	priority: 10
	readOnlyRootFilesystem: false
	requiredDropCapabilities:
	- MKNOD
	runAsUser:
	type: RunAsAny
	seLinuxContext:
	type: MustRunAs
	supplementalGroups:
	type: RunAsAny
	users:
	- system:serviceaccount:openshift-web-console:webconsole
	volumes:
	- configMap
	- downwardAPI
	- emptyDir
	- persistentVolumeClaim
	- projected
	- secret