Re: Custom SCC assigned to wrong pods

2018-06-18 Thread Jordan Liggitt
thoughts ? Thanks ! On Wed, May 23, 2018 at 11:18 PM, Daniel Comnea wrote: > I see the rational, thank you for quick response and knowledge. > > On Wed, May 23, 2018 at 10:59 PM, Jordan Liggitt > wrote: > >> By making your SCC available to all authenticated users, it get

Re: Custom SCC assigned to wrong pods

2018-05-23 Thread Jordan Liggitt
By making your SCC available to all authenticated users, it gets added to the set considered for every pod run by every service account: users: - system:serviceaccount:foo:foo-sa groups: - system:authenticated If you want to limit it to just your foo-sa service account, you should remove the

Re: SCC privileged not applying

2017-12-19 Thread Jordan Liggitt
> On Dec 19, 2017, at 1:49 AM, Weiwei Jiang wrote: > > But the scc is trying to verify the creater account(you can see this with > audit enabled), and should be daemonset-controller or something like this but > not the given serviceaccount). That's not accurate. You can give

Re: add role for LDAP user with short name

2017-09-18 Thread Jordan Liggitt
You likely want to specify sAMAccountName as the preferred username attribute. Note that this would only apply to new users. Existing users would retain their long username. On Sep 18, 2017, at 11:07 PM, Tran Tien Dung wrote: Hi everyone, I user LDAP to login openshift,

Re: Why openshift requires DNS server

2017-07-13 Thread Jordan Liggitt
> Why does separate dns server need? Could kube-dns be used? kube-dns is actually a separate dns server as well. Openshift's DNS implementation resolves some of the scalability issues kube-dns has and is preferred On Jul 13, 2017, at 6:20 AM, Haoran Wang wrote: Hi, 1. when

Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Jordan Liggitt
yscorp> [image: Grey_GP] >> <https://plus.google.com/+UnisysCorp/posts>[image: Grey_YT] >> <http://www.youtube.com/theunisyschannel>[image: Grey_FB] >> <http://www.facebook.com/unisyscorp>[image: Grey_Vimeo] >> <https://vimeo.com/unisys>[image: Grey_UB] &l

Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Jordan Liggitt
com/company/unisys> [image: > Grey_TW] <http://twitter.com/unisyscorp> [image: Grey_GP] > <https://plus.google.com/+UnisysCorp/posts>[image: Grey_YT] > <http://www.youtube.com/theunisyschannel>[image: Grey_FB] > <http://www.facebook.com/unisyscorp>[image: Grey_Vime

Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Jordan Liggitt
inkedin.com/company/unisys> [image: > Grey_TW] <http://twitter.com/unisyscorp> [image: Grey_GP] > <https://plus.google.com/+UnisysCorp/posts>[image: Grey_YT] > <http://www.youtube.com/theunisyschannel>[image: Grey_FB] > <http://www.facebook.com/unisyscorp>[image

Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Jordan Liggitt
On Wed, Jul 12, 2017 at 10:41 PM, Werner, Mark wrote: > I am wondering why, if I perform a “oc get identity” that the only > identity that is returned is allow_all? If I changed the master-config.yaml > file to only have the Identity Provider

Re: API health or status page

2017-02-09 Thread Jordan Liggitt
document which explains? > > > > > > -- > > *Srinivas Kotaru* > > > > *From: *Jordan Liggitt <jligg...@redhat.com> > *Date: *Thursday, February 9, 2017 at 1:57 PM > *To: *Srinivas Naga Kotaru <skot...@cisco.com> > *Cc: *dev <dev@lists.openshift.redhat.com&g

Re: Important: hold on installing/upgrading to Origin 1.4.0

2017-01-24 Thread Jordan Liggitt
Origin 1.4.1 is now available and fixes this issue. https://github.com/openshift/origin/releases/tag/v1.4.1 On Mon, Jan 23, 2017 at 11:04 AM, Jordan Liggitt <jligg...@redhat.com> wrote: > An issue[1] was reported that upgrading to 1.4.0 causes existing user > logins to

Re: Upstream PRs to Origin are on hold pending the rebase

2017-01-03 Thread Jordan Liggitt
Also, the security issue with kube 1.5 was an issue with authorization related to authenticated/anonymous users. Because OpenShift has always distinguished between those types of users in authentication and authorization, the issue does not affect OpenShift. On Tue, Jan 3, 2017 at 2:13 PM, Marky

Re: enable logs for openshift master

2016-12-22 Thread Jordan Liggitt
Passing `--loglevel=5` to `openshift start master` prints verbose logs On Thu, Dec 22, 2016 at 9:42 AM, Pri wrote: > Hi, > > Is there a way we can enable DEBUG logs for openshift master, may be by > editing master-config.yaml. Please let me know if its possible? >

Re: cluster wide service acount

2016-12-01 Thread Jordan Liggitt
; cae-ops-token-jdhezkubernetes.io/service-account-token > 3 1h > > > > 1st token being used for Docker. Was wondering about other 2 tokens. > > > > -- > > *Srinivas Kotaru* > > > > *From: *Jordan Liggitt <jligg...@redhat.com> > *Date:

Re: cluster wide service acount

2016-12-01 Thread Jordan Liggitt
e a way to log in with a service account > token. > > > > On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) < > skot...@cisco.com> wrote: > > Jordan > > > > That helps. Thanks for quick help. > > > > Can we use this sa account to

Re: cluster wide service acount

2016-12-01 Thread Jordan Liggitt
t; Jordan > > > > That helps. Thanks for quick help. > > > > Can we use this sa account to login into console and OC clinet? If yes > how? I knew SA account only has non expired token but no password > > > > > > -- > > *Srinivas Kotaru* > > &

Re: cluster wide service acount

2016-12-01 Thread Jordan Liggitt
Service accounts exist within a namespace but can be granted permissions across the entire cluster, just like any other user. For example: oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:openshift-infra:monitor-service-account On Thu, Dec 1, 2016 at 3:02 PM, Srinivas

Re: The API version v1 for kind BuildConfig is not supported by this server.

2016-11-17 Thread Jordan Liggitt
What setup method did you use? Check your /etc/origin/master/master-config.yaml to see if it contains a "disabledFeatures" field that includes "Builder". On Fri, Nov 18, 2016 at 12:28 AM, irvan hendrik wrote: > Hi, > I am completely new with OpenShift and docker. I

Re: namedCertificates not working

2016-11-15 Thread Jordan Liggitt
Are you seeing this from a system where you previously logged in to that URL using oc with the non-prod CA bundle? When configured to use a non-system-roots ca bundle, oc remembers it in the local user's kubeconfig file ($KUBECONFIG or ~/.kube/config). Try moving (or removing) the kubeconfig file

Re: keystonepasswd auth

2016-04-14 Thread Jordan Liggitt
ing. Project scoped ones usually used. > > Most resources in openstack is bound to the project and not the user, so > hence the need for scoped tokens. > > Thanks, > Kevin > ------ > *From:* Jordan Liggitt [jligg...@redhat.com] > *Sent:* Thursday, Apri

Re: keystonepasswd auth

2016-04-14 Thread Jordan Liggitt
vin@pnnl.gov> wrote: > keystone v3 renamed tenant to project. Otherwise, should be the same. > > Thanks, > Kevin > > > -- > *From:* dev-boun...@lists.openshift.redhat.com [ > dev-boun...@lists.openshift.redhat.com] on behalf of Jordan Liggitt

Re: keystonepasswd auth

2016-04-14 Thread Jordan Liggitt
The OpenShift Keystone IDP integration only supports the v3 Keystone API. I don't see any discussion of tenants in the doc for that API ( http://developer.openstack.org/api-ref-identity-v3.html) On Thu, Apr 14, 2016 at 12:06 PM, Chmouel Boudjnah wrote: > Hello, > > I was