Chapter 4. Additional Concepts

Kubernetes ensures that pods are able to network with each other, and allocates each pod an IP address from an internal network. This ensures all containers within the pod behave as if they were on the same host. Giving each pod its own IP address means that pods can be treated like physical hosts or virtual machines in terms of port allocation, networking, naming, service discovery, load balancing, application configuration, and migration.

Creating links between pods is unnecessary. However, it is not recommended that you have a pod talk to another directly by using the IP address. Instead, we recommend that you create a service, then interact with the service.

If you are running multiple services, such as frontend and backend services for use with multiple pods, in order for the frontend pods to communicate with the backend services, environment variables are created for user names, service IP, and more. If the service is deleted and recreated, a new IP address can be assigned to the service, and requires the frontend pods to be recreated in order to pick up the updated values for the service IP environment variable. Additionally, the backend service has to be created before any of the frontend pods to ensure that the service IP is generated properly and that it can be provided to the frontend pods as an environment variable.

For this reason, OpenShift Container Platform has a built-in DNS so that the services can be reached by the service DNS as well as the service IP/port. OpenShift Container Platform supports split DNS by running SkyDNS on the master that answers DNS queries for services. The master listens to port 53 by default.

When the node starts, the following message indicates the Kubelet is correctly resolved to the master:

0308 19:51:03.118430    4484 node.go:197] Started Kubelet for node
openshiftdev.local, server at 0.0.0.0:10250
I0308 19:51:03.118459    4484 node.go:199]   Kubelet is setting 10.0.2.15 as a
DNS nameserver for domain "local"

If the second message does not appear, the Kubernetes service may not be available.

On a node host, each container’s nameserver has the master name added to the front, and the default search domain for the container will be .<pod_namespace>.cluster.local. The container will then direct any nameserver queries to the master before any other nameservers on the node, which is the default behavior for Docker-formatted containers. The master will answer queries on the .cluster.local domain that have the following form:

This prevents having to restart frontend pods in order to pick up new services, which creates a new IP for the service. This also removes the need to use environment variables, as pods can use the service DNS. Also, as the DNS does not change, you can reference database services as db.local in config files. Wildcard lookups are also supported, as any lookups resolve to the service IP, and removes the need to create the backend service before any of the frontend pods, since the service name (and hence DNS) is established upfront.

This DNS structure also covers headless services, where a portal IP is not assigned to the service and the kube-proxy does not load-balance or provide routing for its endpoints. Service DNS can still be used and responds with multiple A records, one for each pod of the service, allowing the client to round-robin between each pod.

OpenShift Container Platform supports the Kubernetes Container Network Interface (CNI) as the interface between the OpenShift Container Platform and Kubernetes. Software defined network (SDN) plug-ins are a powerful and flexible way to match network capabilities to your networking needs. There are several OpenShift SDN plugins available, as well as third party plug-ins. Additional plug-ins that support the CNI interface can be added as needed.

The following network plug-ins are currently supported by OpenShift Container Platform:

4.1.3.3. Nuage SDN for OpenShift Container Platform

Nuage Networks' SDN solution delivers highly scalable, policy-based overlay networking for pods in an OpenShift Container Platform cluster. Nuage SDN can be installed and configured as a part of the Ansible-based installation procedure. See the Advanced Installation section for information on how to install and deploy OpenShift Container Platform with Nuage SDN.

Nuage Networks provides a highly scalable, policy-based SDN platform called Virtualized Services Platform (VSP). Nuage VSP uses an SDN Controller, along with the open source Open vSwitch for the data plane.

Nuage uses overlays to provide policy-based networking between OpenShift Container Platform and other environments consisting of VMs and bare metal servers. The platform’s real-time analytics engine enables visibility and security monitoring for OpenShift Container Platform applications.

Nuage VSP integrates with OpenShift Container Platform to allows business applications to be quickly turned up and updated by removing the network lag faced by DevOps teams.

Figure 4.1. Nuage VSP Integration with OpenShift Container Platform

There are two specific components responsible for the integration.

1. The nuage-openshift-monitor service, which runs as a separate service on the OpenShift Container Platform master node.
2. The vsp-openshift plug-in, which is invoked by the OpenShift Container Platform runtime on each of the nodes of the cluster.

Nuage Virtual Routing and Switching software (VRS) is based on open source Open vSwitch and is responsible for the datapath forwarding. The VRS runs on each node and gets policy configuration from the controller.

Nuage VSP Terminology

Figure 4.2. Nuage VSP Building Blocks

1. Domains: An organization contains one or more domains. A domain is a single "Layer 3" space. In standard networking terminology, a domain maps to a VRF instance.
2. Zones: Zones are defined under a domain. A zone does not map to anything on the network directly, but instead acts as an object with which policies are associated such that all endpoints in the zone adhere to the same set of policies.
3. Subnets: Subnets are defined under a zone. A subnet is a specific Layer 2 subnet within the domain instance. A subnet is unique and distinct within a domain, that is, subnets within a Domain are not allowed to overlap or to contain other subnets in accordance with the standard IP subnet definitions.
4. VPorts: A VPort is a new level in the domain hierarchy, intended to provide more granular configuration. In addition to containers and VMs, VPorts are also used to attach Host and Bridge Interfaces, which provide connectivity to Bare Metal servers, Appliances, and Legacy VLANs.
5. Policy Group: Policy Groups are collections of VPorts.

Mapping of Constructs

Many OpenShift Container Platform concepts have a direct mapping to Nuage VSP constructs:

Figure 4.3. Nuage VSP and OpenShift Container Platform mapping

A Nuage subnet is not mapped to an OpenShift Container Platform node, but a subnet for a particular project can span multiple nodes in OpenShift Container Platform.

A pod spawning in OpenShift Container Platform translates to a virtual port being created in VSP. The vsp-openshift plug-in interacts with the VRS and gets a policy for that virtual port from the VSD via the VSC. Policy Groups are supported to group multiple pods together that must have the same set of policies applied to them. Currently, pods can only be assigned to policy groups using the operations workflow where a policy group is created by the administrative user in VSD. The pod being a part of the policy group is specified by means of nuage.io/policy-group label in the specification of the pod.

4.1.3.3.1. Integration Components

Nuage VSP integrates with OpenShift Container Platform using two main components:

1. nuage-openshift-monitor
2. vsp-openshift plugin

nuage-openshift-monitor

nuage-openshift-monitor is a service that monitors the OpenShift Container Platform API server for creation of projects, services, users, user-groups, etc.

Note

In case of a Highly Available (HA) OpenShift Container Platform cluster with multiple masters, nuage-openshift-monitor process runs on all the masters independently without any change in functionality.

For the developer workflow, nuage-openshift-monitor also auto-creates VSD objects by exercising the VSD REST API to map OpenShift Container Platform constructs to VSP constructs. Each cluster instance maps to a single domain in Nuage VSP. This allows a given enterprise to potentially have multiple cluster installations - one per domain instance for that Enterprise in Nuage. Each OpenShift Container Platform project is mapped to a zone in the domain of the cluster on the Nuage VSP. Whenever nuage-openshift-monitor sees an addition or deletion of the project, it instantiates a zone using the VSDK APIs corresponding to that project and allocates a block of subnet for that zone. Additionally, the nuage-openshift-monitor also creates a network macro group for this project. Likewise, whenever nuage-openshift-monitor sees an addition ordeletion of a service, it creates a network macro corresponding to the service IP and assigns that network macro to the network macro group for that project (user provided network macro group using labels is also supported) to enable communication to that service.

For the developer workflow, all pods that are created within the zone get IPs from that subnet pool. The subnet pool allocation and management is done by nuage-openshift-monitor based on a couple of plug-in specific parameters in the master-config file. However the actual IP address resolution and vport policy resolution is still done by VSD based on the domain/zone that gets instantiated when the project is created. If the initial subnet pool is exhausted, nuage-openshift-monitor carves out an additional subnet from the cluster CIDR to assign to a given project.

For the operations workflow, the users specify Nuage recognized labels on their application or pod specification to resolve the pods into specific user-defined zones and subnets. However, this cannot be used to resolve pods in the zones or subnets created via the developer workflow by nuage-openshift-monitor.

Note

In the operations workflow, the administrator is responsible for pre-creating the VSD constructs to map the pods into a specific zone/subnet as well as allow communication between OpenShift entities (ACL rules, policy groups, network macros, and network macro groups). Detailed description of how to use Nuage labels is provided in the Nuage VSP Openshift Integration Guide.

vsp-openshift Plug-in

The vsp-openshift networking plug-in is called by the OpenShift Container Platform runtime on each OpenShift Container Platform node. It implements the network plug-in init and pod setup, teardown, and status hooks. The vsp-openshift plug-in is also responsible for allocating the IP address for the pods. In particular, it communicates with the VRS (the forwarding engine) and configures the IP information onto the pod.

OpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between pods across the OpenShift Container Platform cluster. This pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS).

OpenShift SDN provides three SDN plug-ins for configuring the pod network:

Following is a detailed discussion of the design and operation of OpenShift SDN, which may be useful for troubleshooting.

On an OpenShift Container Platform master, OpenShift SDN maintains a registry of nodes, stored in etcd. When the system administrator registers a node, OpenShift SDN allocates an unused subnet from the cluster network and stores this subnet in the registry. When a node is deleted, OpenShift SDN deletes the subnet from the registry and considers the subnet available to be allocated again.

In the default configuration, the cluster network is the 10.128.0.0/14 network (i.e. 10.128.0.0 - 10.131.255.255), and nodes are allocated /23 subnets (i.e., 10.128.0.0/23, 10.128.2.0/23, 10.128.4.0/23, and so on). This means that the cluster network has 512 subnets available to assign to nodes, and a given node is allocated 510 addresses that it can assign to the containers running on it. The size and address range of the cluster network are configurable, as is the host subnet size.

Note that OpenShift SDN on a master does not configure the local (master) host to have access to any cluster network. Consequently, a master host does not have access to pods via the cluster network, unless it is also running as a node.

When using the ovs-multitenant plug-in, the OpenShift SDN master also watches for the creation and deletion of projects, and assigns VXLAN VNIDs to them, which will be used later by the nodes to isolate traffic correctly.

On a node, OpenShift SDN first registers the local host with the SDN master in the aforementioned registry so that the master allocates a subnet to the node.

Next, OpenShift SDN creates and configures three network devices:

Each time a pod is started on the host, OpenShift SDN:

OpenShift SDN nodes also watch for subnet updates from the SDN master. When a new subnet is added, the node adds OpenFlow rules on br0 so that packets with a destination IP address in the remote subnet go to vxlan0 (port 1 on br0) and thus out onto the network. The ovs-subnet plug-in sends all packets across the VXLAN with VNID 0, but the ovs-multitenant plug-in uses the appropriate VNID for the source container.

Suppose you have two containers, A and B, where the peer virtual Ethernet device for container A’s eth0 is named vethA and the peer for container B’s eth0 is named vethB.

Now suppose first that container A is on the local host and container B is also on the local host. Then the flow of packets from container A to container B is as follows:

eth0 (in A’s netns) vethA br0 vethB eth0 (in B’s netns)

Next, suppose instead that container A is on the local host and container B is on a remote host on the cluster network. Then the flow of packets from container A to container B is as follows:

eth0 (in A’s netns) vethA br0 vxlan0 network ^[1] vxlan0 br0 vethB eth0 (in B’s netns)

Finally, if container A connects to an external host, the traffic looks like:

eth0 (in A’s netns) vethA br0 tun0 (NAT) eth0 (physical device) Internet

Almost all packet delivery decisions are performed with OpenFlow rules in the OVS bridge br0, which simplifies the plug-in network architecture and provides flexible routing. In the case of the ovs-multitenant plug-in, this also provides enforceable network isolation.

You can use the ovs-multitenant plug-in to achieve network isolation. When a packet exits a pod assigned to a non-default project, the OVS bridge br0 tags that packet with the project’s assigned VNID. If the packet is directed to another IP address in the node’s cluster subnet, the OVS bridge only allows the packet to be delivered to the destination pod if the VNIDs match.

If a packet is received from another node via the VXLAN tunnel, the Tunnel ID is used as the VNID, and the OVS bridge only allows the packet to be delivered to a local pod if the tunnel ID matches the destination pod’s VNID.

Packets destined for other cluster subnets are tagged with their VNID and delivered to the VXLAN tunnel with a tunnel destination address of the node owning the cluster subnet.

As described before, VNID 0 is privileged in that traffic with any VNID is allowed to enter any pod assigned VNID 0, and traffic with VNID 0 is allowed to enter any pod. Only the default OpenShift Container Platform project is assigned VNID 0; all other projects are assigned unique, isolation-enabled VNIDs. Cluster administrators can optionally control the pod network for the project using the administrator CLI.

flannel is a virtual networking layer designed specifically for containers. OpenShift Container Platform can use it for networking containers instead of the default software-defined networking (SDN) components. This is useful if running OpenShift Container Platform within a cloud provider platform that also relies on SDN, such as OpenStack, and you want to avoid encapsulating packets twice through both platforms.

OpenShift Container Platform runs flannel in host-gw mode, which maps routes from container to container. Each host within the network runs an agent called flanneld, which is responsibile for:

Each flanneld agent provides this infomation to a centralized etcd store so other agents on hosts can route packets to other containers within the flannel network.

The following diagram illustrates the architecture and data flow from one container to another using a flannel network:

Node 1 would contain the following routes:

default via 192.168.0.100 dev eth0 proto static metric 100
10.1.15.0/24 dev docker0 proto kernel scope link src 10.1.15.1
10.1.20.0/24 via 192.168.0.200 dev eth0

Node 2 would contain the following routes:

default via 192.168.0.200 dev eth0 proto static metric 100
10.1.20.0/24 dev docker0 proto kernel scope link src 10.1.20.1
10.1.15.0/24 via 192.168.0.100 dev eth0

A router is one way to get traffic into the cluster. The F5 BIG-IP® Router plug-in is one of the available router plugins.

The F5 router plug-in integrates with an existing F5 BIG-IP® system in your environment. F5 BIG-IP® version 11.4 or newer is required in order to have the F5 iControl REST API. The F5 router supports unsecured, edge terminated, re-encryption terminated, and passthrough terminated routes matching on HTTP vhost and request path.

The F5 router has feature parity with the HAProxy template router, and has additional features over the F5 BIG-IP® support in OpenShift Enterprise 2. Compared with the routing-daemon used in earlier versions, the F5 router additionally supports:

Because F5 BIG-IP® is external to the OpenShift SDN, a cluster administrator must create a peer-to-peer tunnel between F5 BIG-IP® and a host that is on the SDN, typically an OpenShift Container Platform node host. This ramp node can be configured as unschedulable for pods so that it will not be doing anything except act as a gateway for the F5 BIG-IP® host. It is also possible to configure multiple such hosts and use the OpenShift Container Platform ipfailover feature for redundancy; the F5 BIG-IP® host would then need to be configured to use the ipfailover VIP for its tunnel’s remote endpoint.

The operation of the F5 router is similar to that of the OpenShift Container Platform routing-daemon used in earlier versions. Both use REST API calls to:

Both also use scp and ssh commands to upload custom TLS/SSL certificates to F5 BIG-IP®.

The F5 router configures pools and policy rules on virtual servers as follows:

4.4.3.1. F5 Native Integration

With native integration of F5 with OpenShift Container Platform, you do not need to configure a ramp node for F5 to be able to reach the pods on the overlay network as created by OpenShift SDN.

Also, only F5 BIG-IP® appliance version 12.x and above works with the native integration presented in this section. You also need sdn-services add-on license for the integration to work properly. For version 11.x, set up a ramp node.

Connection

The F5 appliance can connect to the OpenShift Container Platform cluster via an L3 connection. An L2 switch connectivity is not required between OpenShift Container Platform nodes. On the appliance, you can use multiple interfaces to manage the integration:

• Management interface - Reaches the web console of the F5 appliance.
• External interface - Configures the virtual servers for inbound web traffic.
• Internal interface - Programs the appliance and reaches out to the pods.

An F5 controller pod has admin access to the appliance. The F5 image is launched within the OpenShift Container Platform cluster (scheduled on any node) that uses iControl REST APIs to program the virtual servers with policies, and configure the VxLAN device.

Data Flow: Packets to Pods

Note

This section explains how the packets reach the pods, and vice versa. These actions are performed by the F5 controller pod and the F5 appliance, not the user.

When natively integrated, The F5 appliance reaches out to the pods directly using VxLAN encapsulation. This integration works only when OpenShift Container Platform is using openshift-sdn as the network plug-in. The openshift-sdn plug-in employs VxLAN encapsulation for the overlay network that it creates.

To make a successful data path between a pod and the F5 appliance:

1. F5 needs to encapsulate the VxLAN packet meant for the pods. This requires the sdn-services license add-on. A VxLAN device needs to be created and the pod overlay network needs to be routed through this device.
2. F5 needs to know the VTEP IP address of the pod, which is the IP address of the node where the pod is located.
3. F5 needs to know which source-ip to use for the overlay network when encapsulating the packets meant for the pods. This is known as the gateway address.
4. OpenShift Container Platform nodes need to know where the F5 gateway address is (the VTEP address for the return traffic). This needs to be the internal interface’s address. All nodes of the cluster must learn this automatically.
5. Since the overlay network is multi-tenant aware, F5 must use a VxLAN ID that is representative of an admin domain, ensuring that all tenants are reachable by the F5. Ensure that F5 encapsulates all packets with a vnid of 0 (the default vnid for the admin namespace in OpenShift Container Platform) by putting an annotation on the manually created hostsubnet - pod.network.openshift.io/fixed-vnid-host: 0.

A ghost hostsubnet is manually created as part of the setup, which fulfills the third and forth listed requirements. When the F5 controller pod is launched, this new ghost hostsubnet is provided so that the F5 appliance can be programmed suitably.

Note

The term ghost hostsubnet is used because it suggests that a subnet has been given to a node of the cluster. However, in reality, it is not a real node of the cluster. It is hijacked by an external appliance.

The first requirement is fulfilled by the F5 controller pod once it is launched. The second requirement is also fulfilled by the F5 controller pod, but it is an ongoing process. For each new node that is added to the cluster, the controller pod creates an entry in the VxLAN device’s VTEP FDB. The controller pod needs access to the nodes resource in the cluster, which you can accomplish by giving the service account appropriate privileges. Use the following command:

$ oc adm policy add-cluster-role-to-user system:sdn-reader system:serviceaccount:default:router

Data Flow from the F5 Host

Note

These actions are performed by the F5 controller pod and the F5 appliance, not the user.

1. The destination pod is identified by the F5 virtual server for a packet.
2. VxLAN dynamic FDB is looked up with pod’s IP address. If a MAC address is found, go to step 5.
3. Flood all entries in the VTEP FDB with ARP requests seeking the pod’s MAC address.
4. One of the nodes (VTEP) will respond, confirming that it is the one where the pod is located. An entry is made into the VxLAN dynamic FDB with the pod’s MAC address and the VTEP to be used as the value.
5. Encap an IP packet with VxLAN headers, where the MAC of the pod and the VTEP of the node is given as values from the VxLAN dynamic FDB.
6. Calculate the VTEP’s MAC address by sending out an ARP or checking the host’s neighbor cache.
7. Deliver the packet through the F5 host’s internal address.

Data Flow: Return Traffic to the F5 Host

Note

These actions are performed by the F5 controller pod and the F5 appliance, not the user.

1. The pod sends back a packet with the destination as the F5 host’s VxLAN gateway address.
2. The openvswitch at the node determines that the VTEP for this packet is the F5 host’s internal interface address. This is learned from the ghost hostsubnet creation.
3. A VxLAN packet is sent out to the internal interface of the F5 host.

Note

During the entire data flow, the VNID is pre-fixed to be 0 to bypass multi-tenancy.

The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request should be allowed.

As an administrator, you can configure authentication using a master configuration file.

A user in OpenShift Container Platform is an entity that can make requests to the OpenShift Container Platform API. Typically, this represents the account of a developer or administrator that is interacting with OpenShift Container Platform.

A user can be assigned to one or more groups, each of which represent a certain set of users. Groups are useful when managing authorization policies to grant permissions to multiple users at once, for example allowing access to objects within a project, versus granting them to users individually.

In addition to explicitly defined groups, there are also system groups, or virtual groups, that are automatically provisioned by OpenShift. These can be seen when viewing cluster bindings.

In the default set of virtual groups, note the following in particular:

Requests to the OpenShift Container Platform API are authenticated using the following methods:

Any request with an invalid access token or an invalid certificate is rejected by the authentication layer with a 401 error.

If no access token or certificate is presented, the authentication layer assigns the system:anonymous virtual user and the system:unauthenticated virtual group to the request. This allows the authorization layer to determine which requests, if any, an anonymous user is allowed to make.

The OpenShift Container Platform master includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.

When a person requests a new OAuth token, the OAuth server uses the configured identity provider to determine the identity of the person making the request.

It then determines what user that identity maps to, creates an access token for that user, and returns the token for use.

$ oc create -f <(echo '
kind: OAuthClient
apiVersion: v1
metadata:
 name: demo 1
secret: "..." 2
redirectURIs:
 - "http://www.example.com/" 3
grantMethod: prompt 4
')

serviceaccounts.openshift.io/oauth-redirecturi.<name>

"serviceaccounts.openshift.io/oauth-redirecturi.first":  "https://example.com"
"serviceaccounts.openshift.io/oauth-redirecturi.second": "https://other.com"

"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"

{
  "kind": "OAuthRedirectReference",
  "apiVersion": "v1",
  "reference": {
    "kind": "Route",
    "name": "jenkins"
  }
}

{
  "kind": "OAuthRedirectReference",
  "apiVersion": "v1",
  "reference": {
    "kind": ..., 1
    "name": ..., 2
    "group": ... 3
  }
}

"serviceaccounts.openshift.io/oauth-redirecturi.first":  "custompath"
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"

"serviceaccounts.openshift.io/oauth-redirecturi.first":  "custompath"
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
"serviceaccounts.openshift.io/oauth-redirecturi.second":  "//:8000"
"serviceaccounts.openshift.io/oauth-redirectreference.second": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"

"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
"serviceaccounts.openshift.io/oauth-redirecturi.second": "https://other.com"

{
  "issuer": "https://<master>", 1
  "authorization_endpoint": "https://<master>/oauth/authorize", 2
  "token_endpoint": "https://<master>/oauth/token", 3
  "scopes_supported": [ 4
    "user:full",
    "user:info",
    "user:check-access",
    "user:list-scoped-projects",
    "user:list-projects"
  ],
  "response_types_supported": [ 5
    "code",
    "token"
  ],
  "grant_types_supported": [ 6
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [ 7
    "plain",
    "S256"
  ]
}

$ curl -H "X-Remote-User: <username>" \
     --cacert /etc/origin/master/ca.crt \
     --cert /etc/origin/master/admin.crt \
     --key /etc/origin/master/admin.key \
     -I https://<master-address>/oauth/authorize?response_type=token\&client_id=openshift-challenging-client | grep -oP "access_token=\K[^&]*"

$ curl -u <username>:<password>
'https://<master-address>:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token' -skv / 1
/ -H "X-CSRF-Token: xxx" 2
*   Trying 10.64.33.43...
* Connected to 10.64.33.43 (10.64.33.43) port 8443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: 10.64.33.43 (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=10.64.33.43
*        start date: Thu, 09 Aug 2018 04:00:39 GMT
*        expire date: Sat, 08 Aug 2020 04:00:40 GMT
*        issuer: CN=openshift-signer@1531109367
*        compression: NULL
* ALPN, server accepted to use http/1.1
* Server auth using Basic with user 'developer'
> GET /oauth/authorize?client_id=openshift-challenging-client&response_type=token HTTP/1.1
> Host: 10.64.33.43:8443
> Authorization: Basic ZGV2ZWxvcGVyOmRzc2Zkcw==
> User-Agent: curl/7.47.0
> Accept: */*
> X-CSRF-Token: xxx
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location:
https://10.64.33.43:8443/oauth/token/implicit#access_token=gzTwOq_mVJ7ovHliHBTgRQEEXa1aCZD9lnj7lSw3ekQ&expires_in=86400&scope=user%3Afull&token_type=Bearer 3
< Pragma: no-cache
< Set-Cookie: ssn=MTUzNTk0OTc1MnxIckVfNW5vNFlLSlF5MF9GWEF6Zm55Vl95bi1ZNE41S1NCbFJMYnN1TWVwR1hwZmlLMzFQRklzVXRkc0RnUGEzdnBEa0NZZndXV2ZUVzN1dmFPM2dHSUlzUmVXakQ3Q09rVXpxNlRoVmVkQU5DYmdLTE9SUWlyNkJJTm1mSDQ0N2pCV09La3gzMkMzckwxc1V1QXpybFlXT2ZYSmI2R2FTVEZsdDBzRjJ8vk6zrQPjQUmoJCqb8Dt5j5s0b4wZlITgKlho9wlKAZI=; Path=/; HttpOnly; Secure
< Date: Mon, 03 Sep 2018 04:42:32 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 10.64.33.43 left intact

$ curl -u <username>:<password>
'https://<master-address>:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token' 1
-skv -H "X-CSRF-Token: xxx" --stderr - |  grep -oP "access_token=\K[^&]*" 2

hvqxe5aMlAzvbqfM2WWw3D6tR0R2jCQGKx0viZBxwmc

Authorization policies determine whether a user is allowed to perform a given action within a project. This allows platform administrators to use the cluster policy to control who has various access levels to the OpenShift Container Platform platform itself and all projects. It also allows developers to use local policy to control who has access to their projects. Note that authorization is a separate step from authentication, which is more about determining the identity of who is taking the action.

Authorization is managed using:

Cluster administrators can visualize rules, roles, and bindings using the CLI. For example, consider the following excerpt from viewing a policy, showing rule sets for the admin and basic-user default roles:

admin			Verbs					Resources															Resource Names	Extension
			[create delete get list update watch]	[projects resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter secrets]				[]
			[get list watch]			[resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status resourcegroup:policy]			[]
basic-user		Verbs					Resources															Resource Names	Extension
			[get]					[users]																[~]
			[list]					[projectrequests]														[]
			[list]					[projects]															[]
			[create]				[subjectaccessreviews]														[]		IsPersonalSubjectAccessReview

The following excerpt from viewing policy bindings shows the above roles bound to various users and groups:

RoleBinding[admins]:
				Role:	admin
				Users:	[alice system:admin]
				Groups:	[]
RoleBinding[basic-user]:
				Role:	basic-user
				Users:	[joe]
				Groups:	[devel]

The relationships between the the policy roles, policy bindings, users, and developers are illustrated below.

Several factors are combined to make the decision when OpenShift Container Platform evaluates authorization:

OpenShift Container Platform evaluates authorizations using the following steps:

There are two levels of authorization policy:

This two-level hierarchy allows re-usability over multiple projects through the cluster policy while allowing customization inside of individual projects through local policies.

During evaluation, both the cluster bindings and the local bindings are used. For example:

Roles are collections of policy rules, which are sets of permitted verbs that can be performed on a set of resources. OpenShift Container Platform includes a set of default roles that can be added to users and groups in the cluster policy or in a local policy.

Cluster administrators can investigate policy roles by using the oc describe command, which displays a matrix of the Verbs, Non-Resource URLs, Extension, Resource Names,API Groups, and Resources that apply to the policy role.

$ oc describe clusterrole <role>

The rule verbs apply to the objects listed in that row. For example, if the create verb is applied to the serviceaccounts resource, the holder is allowed to create service accounts but no other resource unless otherwise specified in the role matrix.
The verbs are described in the following table.

The following tables show the verb-resource relationships for common cluster and local policy roles.

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets rolebindings roles
localresourceaccessreviews localsubjectaccessreviews subjectrulesreviews
podsecuritypolicyreviews podsecuritypolicyselfsubjectreviews
podsecuritypolicysubjectreviews buildconfigs buildconfigs/webhooks builds
buildconfigs/instantiate buildconfigs/instantiatebinary builds/clone
deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
deploymentconfigrollbacks deploymentconfigs/instantiate
deploymentconfigs/rollback imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreamimports routes
processedtemplates templateconfigs templates buildlogs resourceaccessreviews
subjectaccessreviews

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets rolebindings roles buildconfigs
buildconfigs/webhooks builds deploymentconfigs deploymentconfigs/scale
generatedeploymentconfigs imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags projects routes processedtemplates
templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets rolebindings roles buildconfigs
buildconfigs/webhooks builds deploymentconfigs deploymentconfigs/scale
generatedeploymentconfigs imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags routes processedtemplates templateconfigs
templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets rolebindings roles
policies policybindings rolebindingrestrictions buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status imagestreams/layers
projects appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

serviceaccounts

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets rolebindings roles
policies policybindings rolebindingrestrictions buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status
appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets rolebindings roles buildconfigs
buildconfigs/webhooks builds deploymentconfigs deploymentconfigs/scale
generatedeploymentconfigs imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags projects routes processedtemplates
templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets rolebindings roles buildconfigs
buildconfigs/webhooks builds deploymentconfigs deploymentconfigs/scale
generatedeploymentconfigs imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/layers projects routes
routes/status processedtemplates templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets rolebindings roles
policies policybindings rolebindingrestrictions buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status
appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

selfsubjectrulesreviews localsubjectaccessreviews subjectaccessreviews

users clusterroles

projectrequests clusterroles storageclasses projects

projects

*

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets buildconfigs buildconfigs/webhooks
builds buildconfigs/instantiate buildconfigs/instantiatebinary builds/clone
deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
deploymentconfigrollbacks deploymentconfigs/instantiate
deploymentconfigs/rollback imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreamimports routes
processedtemplates templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets buildconfigs buildconfigs/webhooks
builds deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
imagestreamimages imagestreammappings imagestreams imagestreams/secrets
imagestreamtags routes processedtemplates templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets buildconfigs buildconfigs/webhooks
builds deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
imagestreamimages imagestreammappings imagestreams imagestreams/secrets
imagestreamtags routes processedtemplates templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status imagestreams/layers
projects appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

serviceaccounts

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status
appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets buildconfigs buildconfigs/webhooks
builds deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
imagestreamimages imagestreammappings imagestreams imagestreams/secrets
imagestreamtags routes processedtemplates templateconfigs templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy horizontalpodautoscalers
cronjobs jobs scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale statefulsets buildconfigs buildconfigs/webhooks
builds deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs
imagestreamimages imagestreammappings imagestreams imagestreams/secrets
imagestreamtags imagestreams/layers routes processedtemplates templateconfigs
templates buildlogs

pods pods/attach pods/exec pods/portforward pods/proxy configmaps endpoints
persistentvolumeclaims replicationcontrollers replicationcontrollers/scale
secrets serviceaccounts services services/proxy bindings events limitranges
namespaces namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/rollback deployments/scale
horizontalpodautoscalers jobs replicasets replicasets/scale
replicationcontrollers/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale generatedeploymentconfigs deploymentconfigs/log
deploymentconfigs/status imagestreamimages imagestreammappings imagestreams
imagestreams/secrets imagestreamtags imagestreams/status
appliedclusterresourcequotas routes routes/status processedtemplates
templateconfigs templates buildlogs resourcequotausages

projectrequests

configmaps endpoints persistentvolumeclaims pods replicationcontrollers
serviceaccounts services bindings events limitranges namespaces
namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/scale horizontalpodautoscalers jobs
replicasets replicasets/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale deploymentconfigs/log deploymentconfigs/status
imagestreamimages imagestreammappings imagestreams imagestreamtags
imagestreams/status projects appliedclusterresourcequotas routes routes/status
processedtemplates templateconfigs templates buildlogs resourcequotausages

configmaps endpoints persistentvolumeclaims pods replicationcontrollers
serviceaccounts services bindings events limitranges namespaces
namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/scale horizontalpodautoscalers jobs
replicasets replicasets/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale deploymentconfigs/log deploymentconfigs/status
imagestreamimages imagestreammappings imagestreams imagestreamtags
imagestreams/status appliedclusterresourcequotas routes routes/status
processedtemplates templateconfigs templates buildlogs resourcequotausages

configmaps endpoints persistentvolumeclaims pods replicationcontrollers
serviceaccounts services bindings events limitranges namespaces
namespaces/status pods/log pods/status replicationcontrollers/status
resourcequotas resourcequotas/status horizontalpodautoscalers cronjobs jobs
scheduledjobs deployments deployments/scale horizontalpodautoscalers jobs
replicasets replicasets/scale daemonsets statefulsets buildconfigs
buildconfigs/webhooks builds builds/log deploymentconfigs
deploymentconfigs/scale deploymentconfigs/log deploymentconfigs/status
imagestreamimages imagestreammappings imagestreams imagestreamtags
imagestreams/status appliedclusterresourcequotas routes routes/status
processedtemplates templateconfigs templates buildlogs resourcequotausages

By default in a local policy, only the binding for the admin role is immediately listed when using the CLI to view local bindings. However, if other default roles are added to users and groups within a local policy, they become listed in the CLI output, as well.

If you find that these roles do not suit you, a cluster-admin user can create a policyBinding object named <projectname>:default with the CLI using a JSON file. This allows the project admin to bind users to roles that are defined only in the <projectname> local policy.

Learn how to create a local role for a project.

$ oc adm policy reconcile-cluster-roles

In addition to authorization policies that control what a user can do, OpenShift Container Platform provides security context constraints (SCC) that control the actions that a pod can perform and what it has the ability to access. Administrators can manage SCCs using the CLI.

SCCs are also very useful for managing access to persistent storage.

SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:

Seven SCCs are added to the cluster by default, and are viewable by cluster administrators using the CLI:

$ oc get scc
NAME               PRIV      CAPS      SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
hostaccess         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]
hostmount-anyuid   false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]
hostnetwork        false     []        MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
nonroot            false     []        MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
privileged         true      []        RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]

The definition for each SCC is also viewable by cluster administrators using the CLI. For example, for the privileged SCC:

# oc export scc/privileged

allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: null
apiVersion: v1
defaultAddCapabilities: null
fsGroup: 1
  type: RunAsAny
groups: 2
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'privileged allows access to all privileged and host
      features and the ability to run as any user, any group, any fsGroup, and with
      any SELinux context.  WARNING: this is the most relaxed SCC and should be used
      only for cluster administration. Grant with caution.'
  creationTimestamp: null
  name: privileged
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser: 3
  type: RunAsAny
seLinuxContext: 4
  type: RunAsAny
supplementalGroups: 5
  type: RunAsAny
users: 6
- system:serviceaccount:default:registry
- system:serviceaccount:default:router
- system:serviceaccount:openshift-infra:build-controller
volumes:
- '*'

The users and groups fields on the SCC control which SCCs can be used. By default, cluster administrators, nodes, and the build controller are granted access to the privileged SCC. All authenticated users are granted access to the restricted SCC.

The privileged SCC:

The restricted SCC:

SCCs are comprised of settings and strategies that control the security features a pod has access to. These settings fall into three categories:

From within your OpenShift Container Platform project, you can determine what verbs you can perform against all namespace-scoped resources (including third-party resources). Run:

$ oc policy can-i --list --loglevel=8

The output will help you to determine what API request to make to gather the information.

To receive information back in a user-readable format, run:

$ oc policy can-i --list

The output will provide a full list.

To determine if you can perform specific verbs, run:

$ oc policy can-i <verb> <resource>

User scopes can provide more information about a given scope. For example:

$ oc policy can-i <verb> <resource> --scopes=user:info

Managing storage is a distinct problem from managing compute resources. OpenShift Container Platform leverages the Kubernetes persistent volume (PV) framework to allow administrators to provision persistent storage for a cluster. Using persistent volume claims (PVCs), developers can request PV resources without having specific knowledge of the underlying storage infrastructure.

PVCs are specific to a project and are created and used by developers as a means to use a PV. PV resources on their own are not scoped to any single project; they can be shared across the entire OpenShift Container Platform cluster and claimed from any project. After a PV has been bound to a PVC, however, that PV cannot then be bound to additional PVCs. This has the effect of scoping a bound PV to a single namespace (that of the binding project).

PVs are defined by a PersistentVolume API object, which represents a piece of existing networked storage in the cluster that has been provisioned by an administrator. It is a resource in the cluster just like a node is a cluster resource. PVs are volume plug-ins like Volumes, but have a lifecycle independent of any individual pod that uses the PV. PV objects capture the details of the implementation of the storage, be that NFS, iSCSI, or a cloud-provider-specific storage system.

PVCs are defined by a PersistentVolumeClaim API object, which represents a request for storage by a developer. It is similar to a pod in that pods consume node resources and PVCs consume PV resources. For example, pods can request specific levels of resources (e.g., CPU and memory), while PVCs can request specific storage capacity and access modes (e.g, they can be mounted once read/write or many times read-only).

PVs are resources in the cluster. PVCs are requests for those resources and also act as claim checks to the resource. The interaction between PVs and PVCs have the following lifecycle.

Each PV contains a spec and status, which is the specification and status of the volume.

  apiVersion: v1
  kind: PersistentVolume
  metadata:
    name: pv0003
  spec:
    capacity:
      storage: 5Gi
    accessModes:
      - ReadWriteOnce
    persistentVolumeReclaimPolicy: Recycle
    nfs:
      path: /tmp
      server: 172.17.0.2

Each PVC contains a spec and status, which is the specification and status of the claim.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
  annotations:
    volume.beta.kubernetes.io/storage-class: gold
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
    - name: myfrontend
      image: dockerfile/nginx
      volumeMounts:
      - mountPath: "/var/www/html"
        name: mypd
  volumes:
    - name: mypd
      persistentVolumeClaim:
        claimName: myclaim

OpenShift Container Platform takes advantage of a feature built into Kubernetes to support executing commands in containers. This is implemented using HTTP along with a multiplexed streaming protocol such as SPDY or HTTP/2.

Developers can use the CLI to execute remote commands in containers.

The Kubelet handles remote execution requests from clients. Upon receiving a request, it upgrades the response, evaluates the request headers to determine what streams (stdin, stdout, and/or stderr) to expect to receive, and waits for the client to create the streams.

After the Kubelet has received all the streams, it executes the command in the container, copying between the streams and the command’s stdin, stdout, and stderr, as appropriate. When the command terminates, the Kubelet closes the upgraded connection, as well as the underlying one.

Architecturally, there are options for running a command in a container. The supported implementation currently in OpenShift Container Platform invokes nsenter directly on the node host to enter the container’s namespaces prior to executing the command. However, custom implementations could include using docker exec, or running a "helper" container that then runs nsenter so that nsenter is not a required binary that must be installed on the host.

OpenShift Container Platform takes advantage of a feature built-in to Kubernetes to support port forwarding to pods. This is implemented using HTTP along with a multiplexed streaming protocol such as SPDY or HTTP/2.

Developers can use the CLI to port forward to a pod. The CLI listens on each local port specified by the user, forwarding via the described protocol.

The Kubelet handles port forward requests from clients. Upon receiving a request, it upgrades the response and waits for the client to create port forwarding streams. When it receives a new stream, it copies data between the stream and the pod’s port.

Architecturally, there are options for forwarding to a pod’s port. The supported implementation currently in OpenShift Container Platform invokes nsenter directly on the node host to enter the pod’s network namespace, then invokes socat to copy data between the stream and the pod’s port. However, a custom implementation could include running a "helper" pod that then runs nsenter and socat, so that those binaries are not required to be installed on the host.

Admission control plug-ins intercept requests to the master API prior to persistence of a resource, but after the request is authenticated and authorized.

Each admission control plug-in is run in sequence before a request is accepted into the cluster. If any plug-in in the sequence rejects the request, the entire request is rejected immediately, and an error is returned to the end-user.

Admission control plug-ins may modify the incoming object in some cases to apply system configured defaults. In addition, admission control plug-ins may modify related resources as part of request processing to do things such as incrementing quota usage.

Starting in 3.3, OpenShift Container Platform uses a single admission chain for Kubernetes and OpenShift Container Platform resources. This changed from 3.2, and before where we had separate admission chains. This means that the top-level admissionConfig.pluginConfig element can now contain the admission plug-in configuration, which used to be contained in kubernetesMasterConfig.admissionConfig.pluginConfig.

The kubernetesMasterConfig.admissionConfig.pluginConfig should be moved and merged into admissionConfig.pluginConfig.

Also, starting in 3.3, all the supported admission plug-ins are ordered in the single chain for you. You should no longer set admissionConfig.pluginOrderOverride or the kubernetesMasterConfig.admissionConfig.pluginOrderOverride. Instead, you should enable plug-ins that are off by default by either adding their plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza like this:

admissionConfig:
  pluginConfig:
    AlwaysPullImages: 1
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false 2

Setting disable to true will disable an admission plug-in that defaults to on.

Cluster administrators can configure some admission control plug-ins to control certain behavior, such as:

Admission controllers using containers also support init containers.

A limit range provides a mechanism to enforce min/max limits placed on resources in a Kubernetes namespace.

By adding a limit range to your namespace, you can enforce the minimum and maximum amount of CPU and Memory consumed by an individual pod or container.

Kubernetes can limit both the number of objects created in a namespace, and the total amount of resources requested across objects in a namespace. This facilitates sharing of a single Kubernetes cluster by several teams, each in a namespace, as a mechanism of preventing one team from starving another team of cluster resources.

See Cluster Administrationfor more information on ResourceQuota.

A Kubernetes Resource is something that can be requested by, allocated to, or consumed by a pod or container. Examples include memory (RAM), CPU, disk-time, and network bandwidth.

See the Developer Guidefor more information.

Secrets are storage for sensitive information, such as keys, passwords, and certificates. They are accessible by the intended pod(s), but held separately from their definitions.

A persistent volume is an object (PersistentVolume) in the infrastructure provisioned by the cluster administrator. Persistent volumes provide durable storage for stateful applications..

A PersistentVolumeClaim object is a request for storage by a pod author. Kubernetes matches the claim against the pool of available volumes and binds them together. The claim is then used as a volume by a pod. Kubernetes makes sure the volume is available on the same node as the pod that requires it.