Did you find any solution for this?
On Fri, 15 Sep 2017 at 01:34 Mateus Caruccio <[email protected]>
wrote:
> Yep, there it is:
>
> [OSEv3:children]
> masters
> etcd
> nodes
>
> [OSEv3:vars]
> deployment_type=origin
> openshift_release=v3.6
> debug_level=1
> openshift_debug_level=1
> openshift_node_debug_level=1
> openshift_master_debug_level=1
> openshift_master_access_token_max_seconds=2419200
> osm_cluster_network_cidr=172.16.0.0/16
> openshift_registry_selector="docker-registry=true"
> openshift_hosted_registry_replicas=1
>
> openshift_master_cluster_hostname=api-cluster.example.com.br
> openshift_master_cluster_public_hostname=api-cluster.example.com.br
> osm_default_subdomain=example.com.br
> openshift_master_default_subdomain=example.com.br
> osm_default_node_selector="role=app"
> os_sdn_network_plugin_name=redhat/openshift-ovs-multitenant
> openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
> osm_use_cockpit=false
> containerized=False
>
> openshift_master_cluster_method=native
> openshift_master_console_port=443
> openshift_master_api_port=443
>
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key", "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.int.crt"}]
>
> openshift_master_session_auth_secrets=['F71uoyI/Tkv/LiDH2PiFKK1o76bLoH10+uE2a']
>
> openshift_master_session_encryption_secrets=['bjDwQfiy4ksB/3qph87BGulYb/GUho6K']
> openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openshift-audit/openshift-audit.log", "maximumFileRetentionDays": 30, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 10}
>
> openshift_ca_cert_expire_days=1825
> openshift_node_cert_expire_days=730
> openshift_master_cert_expire_days=730
> etcd_ca_default_days=1825
>
> openshift_hosted_router_create_certificate=false
> openshift_hosted_manage_router=true
> openshift_router_selector="role=infra"
> openshift_hosted_router_replicas=2
> openshift_hosted_router_certificate={"certfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key", "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.int.crt"}
>
> openshift_hosted_metrics_deploy=true
> openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com.br/hawkular/metrics
>
> openshift_hosted_logging_deploy=true
> openshift_hosted_logging_hostname=kibana.example.com.br
>
> openshift_install_examples=true
>
> openshift_node_kubelet_args={'pods-per-core': ['20'], 'max-pods': ['100'], 'image-gc-high-threshold': ['80'], 'image-gc-low-threshold': ['50'],'minimum-container-ttl-duration': ['60s'], 'maximum-dead-containers-per-container': ['1'], 'maximum-dead-containers': ['15']}
>
> logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
>
> openshift_builddefaults_image_labels=[{'name':'builder','value':'true'}]
> openshift_builddefaults_nodeselectors={'builder':'true'}
> openshift_builddefaults_annotations={'builder':'true'}
> openshift_builddefaults_resources_requests_cpu=10m
> openshift_builddefaults_resources_requests_memory=128Mi
> openshift_builddefaults_resources_limits_cpu=500m
> openshift_builddefaults_resources_limits_memory=2Gi
>
> openshift_upgrade_nodes_serial=1
> openshift_upgrade_nodes_max_fail_percentage=0
> openshift_upgrade_control_plane_nodes_serial=1
> openshift_upgrade_control_plane_nodes_max_fail_percentage=0
>
> openshift_disable_check=disk_availability,memory_availability
>
> [masters]
> e001vmov40p42
> e001vmov40p51
> e001vmov40p52
>
> [etcd]
> e001vmov40p42
> e001vmov40p51
> e001vmov40p52
>
> [nodes]
> e001vmov40p42 openshift_node_labels="{'role': 'master'}"
> e001vmov40p51 openshift_node_labels="{'role': 'master'}"
> e001vmov40p52 openshift_node_labels="{'role': 'master'}"
>
> e001vmov40p45 openshift_node_labels="{'role': 'infra', 'docker-registry':'true', 'logging':'true'}"
> e001vmov40p46 openshift_node_labels="{'role': 'infra', 'metrics': 'true'}"
>
> e001vmov40p47 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
> e001vmov40p48 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
> e001vmov40p49 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>
>
>
>
>
> --
> Mateus Caruccio / Master of Puppets
> GetupCloud.com
> We make the infrastructure invisible
> Gartner Cool Vendor 2017
>
> 2017-09-14 10:13 GMT-03:00 Matthew Wringe <[email protected]>:
>
>> We had an issue where it was not possible for normal users to view their
>> metrics (but cluster-admin users could). But I didn't think this made it
>> into any releases.
>>
>> Would it be possible to attach the inventory file used?
>>
>> On Thu, Sep 14, 2017 at 8:34 AM, Paul Weil <[email protected]> wrote:
>>
>>> Including some metrics folks. Matt/Jeff?
>>>
>>> On Wed, Sep 13, 2017 at 9:44 PM, Mateus Caruccio <
>>> [email protected]> wrote:
>>>
>>>> Answering my own question, that "namespace" field in the audit log refers
>>>> to the unnamespaced resource "/oapi/v1/subjectaccessreviews", not the
>>>> subject access review object of the request.
>>>>
>>>> Still, the problem persists...
>>>>
>>>> 2017-09-13 22:39 GMT-03:00 Mateus Caruccio <
>>>> [email protected]>:
>>>>
>>>>> Audit logs show this:
>>>>>
>>>>> 2017-09-13T22:18:43.907186125-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35" method="POST" user="mateus" groups="\"system:authenticated:oauth\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/subjectaccessreviews"
>>>>> 2017-09-13T22:18:43.941696064-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
>>>>>
>>>>> Am I wrong, or should that "namespace" field not be <none>?
>>>>>
>>>>> 2017-09-13 20:31 GMT-03:00 Mateus Caruccio <
>>>>> [email protected]>:
>>>>>
>>>>>> After a fresh Origin 3.6.0, hawkular returns only 403 Forbidden.
>>>>>> What is the auth path used by hawkular and how can I check if it's
>>>>>> correct (secrets, serviceaccounts, token, etc.)?
>>>>>>
>>>>>> $ oc version
>>>>>> oc v3.6.0+c4dd4cf
>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>>>>>
>>>>>> Server <redacted>
>>>>>> openshift v3.6.0+c4dd4cf
>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>>
>>>>>>
>>>>>> $ oc -n openshift-infra get rc -o yaml | grep image:
>>>>>> image: docker.io/openshift/origin-metrics-cassandra:v3.6.0
>>>>>> image: docker.io/openshift/origin-metrics-hawkular-metrics:v3.6.0
>>>>>> image: docker.io/openshift/origin-metrics-heapster:v3.6.0
>>>>>>
>>>>>>
>>>>>> $ oc -n openshift-infra get pods
>>>>>> NAME                         READY     STATUS    RESTARTS   AGE
>>>>>> hawkular-cassandra-1-vg250   1/1       Running   0          42m
>>>>>> hawkular-metrics-4rkn4       1/1       Running   0          38m
>>>>>> heapster-fjg8t               1/1       Running   1          50m
>>>>>>
>>>>>>
>>>>>> $ oadm diagnostics MetricsApiProxy
>>>>>> [Note] Determining if client configuration exists for client/cluster diagnostics
>>>>>> Info: Successfully read a client config file at '/home/getup/.kube/config'
>>>>>> Info: Using context for cluster-admin access: 'default/<redacted>:443/system:admin'
>>>>>>
>>>>>> [Note] Running diagnostic: MetricsApiProxy
>>>>>> Description: Check the integrated heapster metrics can be reached via the API proxy
>>>>>>
>>>>>> [Note] Summary of diagnostics execution (version v3.6.0+c4dd4cf):
>>>>>> [Note] Completed with no errors or warnings seen.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> dev mailing list
>>>> [email protected]
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>>>
>>>>
>>>
>>
>
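The audit entry quoted in the thread, parsed and correlated by request id, as an added example that is not part of the original messages: it shows that the logged namespace follows the scope of the request URI, which is why a POST to /oapi/v1/subjectaccessreviews is recorded with namespace="<none>". The last two sample lines (id, ip, project and uri) are constructed for contrast, and the function names are hypothetical.

```python
import re

PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')   # key="value", value may hold \" escapes
NS_IN_URI = re.compile(r"/namespaces/([^/?]+)")   # namespaced REST paths carry the project

# First two lines: the entry quoted in the thread, unwrapped. Last two: a constructed
# namespaced request added for contrast (id, ip, project and uri are made up).
SAMPLE_LOG = r'''
2017-09-13T22:18:43.907186125-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35" method="POST" user="mateus" groups="\"system:authenticated:oauth\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/subjectaccessreviews"
2017-09-13T22:18:43.941696064-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
2017-09-13T22:19:01.000000000-03:00 AUDIT: id="00000000-0000-0000-0000-000000000001" ip="192.0.2.10" method="GET" user="mateus" groups="\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="myproject" uri="/api/v1/namespaces/myproject/pods"
2017-09-13T22:19:01.050000000-03:00 AUDIT: id="00000000-0000-0000-0000-000000000001" response="200"
'''

def parse_line(line):
    """Return the key/value fields of one AUDIT line, or None for other lines."""
    _, sep, rest = line.partition(" AUDIT: ")
    if not sep:
        return None
    return {k: v.replace('\\"', '"') for k, v in PAIR.findall(rest)}

def correlate(log_text):
    """Merge the request line and the response line that share an audit id."""
    events = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "id" in fields:
            events.setdefault(fields["id"], {}).update(fields)
    return list(events.values())

def describe(event):
    """Compare the logged namespace with the scope of the request URI."""
    uri = event.get("uri", "")
    match = NS_IN_URI.search(uri)
    return {
        "user": event.get("user"),
        "uri": uri,
        "response": event.get("response"),
        "audit_namespace": event.get("namespace"),
        "uri_namespace": match.group(1) if match else "<none>",
        # True for *accessreviews endpoints. On the cluster-scoped one the project
        # being checked travels in the request body, which this log does not record.
        "is_access_review": uri.endswith("accessreviews"),
    }

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(describe(ev))
```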