Re: How to retrieve session token via rest api?

2018-08-02 Thread Aleksandar Kostadinov

Hi,

I have a blog about it [1]. HTH

[1] http://rboci.blogspot.com/2015/07/openshift-v3-rest-api-usage.html

Yu Wei wrote on 08/01/18 12:24:

Hi guys,

I could get session token via cli "oc whoami -t".

Could I get the same information via rest api?

I tried with api below, however, it returned many tokens.

Is there any method to filter that?

curl -k \
     -H "Authorization: Bearer yqqouu8vFaip9AjMChmcgdtY7AszXMxWWJHwWhpn8Lw" \
     -H 'Accept: application/json' \
     https://10.1.241.54:8443/oapi/v1/oauthaccesstokens

Thanks,

Jared



___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users





Re: How to retrieve session token via rest api?

2018-08-02 Thread Graham Dumpleton
You can see what commands do by adding '--loglevel 9' option.

oc whoami -t --loglevel 9

What you will find in this case though is that for that token in particular it 
doesn't actually make any API calls, as all it is doing is getting it from the 
~/.kube/config file.

What do you want to use the token for? There may be more appropriate ways of 
creating a token you can use.

Graham

> On 1 Aug 2018, at 2:54 pm, Yu Wei  wrote:
> 
> Hi guys,
> 
> I could get session token via cli "oc whoami -t".
> 
> Could I get the same information via rest api?
> 
> I tried with api below, however, it returned many tokens. 
> Is there any method to filter that?
> curl -k \
> -H "Authorization: Bearer yqqouu8vFaip9AjMChmcgdtY7AszXMxWWJHwWhpn8Lw" \
> -H 'Accept: application/json' \
> https://10.1.241.54:8443/oapi/v1/oauthaccesstokens 
> 
> Thanks,
> 
> Jared
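Added example, not part of the original thread: one way to narrow the token list from the question on the client side, keeping only one user's unexpired tokens and showing masked names. It assumes the OAuthAccessToken fields userName, clientName, expiresIn and metadata.creationTimestamp; the sample response and every value in it are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a list response; token names and users are placeholders.
SAMPLE_RESPONSE = json.dumps({"kind": "OAuthAccessTokenList", "items": [
    {"metadata": {"name": "EXAMPLE-TOKEN-AAAA", "creationTimestamp": "2018-08-01T03:00:00Z"},
     "userName": "jared", "clientName": "openshift-challenging-client", "expiresIn": 86400},
    {"metadata": {"name": "EXAMPLE-TOKEN-BBBB", "creationTimestamp": "2018-07-20T09:30:00Z"},
     "userName": "jared", "clientName": "openshift-web-console", "expiresIn": 86400},
    {"metadata": {"name": "EXAMPLE-TOKEN-CCCC", "creationTimestamp": "2018-08-01T04:00:00Z"},
     "userName": "alice", "clientName": "openshift-challenging-client", "expiresIn": 86400},
]})


def expiry(token):
    """Expiry time of one token; None when expiresIn is 0 or absent (assumed non-expiring)."""
    created = datetime.strptime(token["metadata"]["creationTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
    ttl = token.get("expiresIn") or 0
    return created.replace(tzinfo=timezone.utc) + timedelta(seconds=ttl) if ttl else None


def mask(name):
    """Keep only a short prefix so full bearer tokens never reach logs or terminals."""
    return name[:4] + "..."


def live_tokens(response_text, user_name, client_name=None, now=None):
    """Return the unexpired tokens of one user, optionally limited to one OAuth client."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for tok in json.loads(response_text).get("items", []):
        if tok.get("userName") != user_name:
            continue
        if client_name and tok.get("clientName") != client_name:
            continue
        expires = expiry(tok)
        if expires is not None and expires <= now:
            continue  # already expired, cannot be the current session
        hits.append({"name": mask(tok["metadata"]["name"]),
                     "client": tok.get("clientName"),
                     "expires": expires.isoformat() if expires else "never"})
    return hits


if __name__ == "__main__":
    # Fixed clock so the constructed timestamps give a stable result.
    for hit in live_tokens(SAMPLE_RESPONSE, "jared", now=datetime(2018, 8, 1, 12, tzinfo=timezone.utc)):
        print(hit)
```
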


Re: User "admin" cannot get securitycontextconstraints at the cluster scope

2018-08-02 Thread Graham Dumpleton
For Minishift I believe you can run:

oc adm policy add-scc-to-user anyuid -z default -n tomcat8 --as system:admin

So use user impersonation to run as system:admin.

> On 2 Aug 2018, at 6:46 pm, Clayton Coleman  wrote:
> 
> User “admin” (that’s the user name) must be given real admin
> privileges to perform that action, which the error is telling you you
> don’t have.
> 
> You must run as a cluster admin or other highly privileged user in
> order to modify the security rules.  The only user that has that by
> default is the system:admin user the initial install creates.
> 
>> On Aug 1, 2018, at 9:15 PM, Traiano Welcome  wrote:
>> 
>> Hi
>> 
>> I was working through the O'Reilly book "OpenShift for developers" but the 
>> example on page 75, where tomcat8 is run fails:
>> 
>> - The container remains in crashloop backoff
>> - The logs show the container is having permission issues:
>> 
>> 
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
>> WARNING: Unable to load server configuration from 
>> [/usr/local/tomcat/conf/server.xml]
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
>> WARNING: Permissions incorrect, read permission is not allowed on the file.
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina start
>> SEVERE: Cannot start server. Server instance is not configured.
>> 
>> 
>> - This appears to be due to openshift/minishift not allowing containers to 
>> run as root
>> - I try installing the anyuid addon and running this command:
>> - oc adm policy add-scc-to-user anyuid -z default -n tomcat8
>> - However it fails with this error despite the anyuid addon being applied:
>> 
>> 
>> Error from server (Forbidden): securitycontextconstraints "anyuid" is 
>> forbidden: User "admin" cannot get securitycontextconstraints at the cluster 
>> scope: User "admin" cannot get securitycontextconstraints at the cluster 
>> scope
>> 
>> 
>> 
>> How do I fix this?
>> 
>> Thanks in advance,
>> Traiano
>> 


Re: how to query openshift api-version ?

2018-08-02 Thread Maciej Szulik
Already oc 3.10 contains the api-versions and api-resources subcommands.

On Thu, Aug 2, 2018 at 6:31 AM Nakayama Kenjiro wrote:

> "oc api-versions" is available on the latest binary. (For example, I
> tested with v3.11.0-alpha.0+bb11f51-481 as below).
> Having said that, both kubectl and oc api-versions should get same result,
> as both hit to https:///apis.
>
>   $ _output/local/bin/linux/amd64/oc api-versions
>   admissionregistration.k8s.io/v1beta1
>   apiextensions.k8s.io/v1beta1
>   apiregistration.k8s.io/v1
>   apiregistration.k8s.io/v1beta1
>   apps.openshift.io/v1
>   apps/v1
>   apps/v1beta1
>   apps/v1beta2
>   authentication.k8s.io/v1
>   authentication.k8s.io/v1beta1
>   authorization.k8s.io/v1
>   authorization.k8s.io/v1beta1
>   authorization.openshift.io/v1
>   autoscaling/v1
>   autoscaling/v2beta1
>   batch/v1
>   batch/v1beta1
>   build.openshift.io/v1
>   certificates.k8s.io/v1beta1
>   events.k8s.io/v1beta1
>   extensions/v1beta1
>   image.openshift.io/v1
>   monitoring.coreos.com/v1
>   network.openshift.io/v1
>   networking.k8s.io/v1
>   oauth.openshift.io/v1
>   policy/v1beta1
>   project.openshift.io/v1
>   quota.openshift.io/v1
>   rbac.authorization.k8s.io/v1
>   rbac.authorization.k8s.io/v1beta1
>   route.openshift.io/v1
>   security.openshift.io/v1
>   settings.k8s.io/v1alpha1
>   storage.k8s.io/v1
>   storage.k8s.io/v1beta1
>   template.openshift.io/v1
>   user.openshift.io/v1
>   v1
>
>   $ _output/local/bin/linux/amd64/oc version
>   oc v3.11.0-alpha.0+bb11f51-481
>   kubernetes v1.11.0+d4cacc0
>   features: Basic-Auth GSSAPI Kerberos SPNEGO
>
>
> On Thu, Aug 2, 2018 at 10:39 AM, Jack Hu  wrote:
>
>> Hi ,
>>
>> I know k8s has "kubectl api-versions " , but oc no such command , now
>> how to query openshift api-version ?
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Kenjiro NAKAYAMA 
> GPG Key fingerprint = ED8F 049D E67A 727D 9A44  8E25 F44B E208 C946 5EB9


Re: User "admin" cannot get securitycontextconstraints at the cluster scope

2018-08-02 Thread Maciej Szulik
On Thu, Aug 2, 2018 at 3:16 AM Traiano Welcome  wrote:

> Hi
>
> I was working through the O'Reilly book "OpenShift for developers" but the
> example on page 75, where tomcat8 is run fails:
>
> - The container remains in crashloop backoff
> - The logs show the container is having permission issues:
>
> 
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Unable to load server configuration from
> [/usr/local/tomcat/conf/server.xml]
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Permissions incorrect, read permission is not allowed on the file.
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina start
> SEVERE: Cannot start server. Server instance is not configured.
> 
>
> - This appears to be due to openshift/minishift not allowing containers to
> run as root
> - I try installing the anyuid addon and running this command:
> - oc adm policy add-scc-to-user anyuid -z default -n tomcat8
> - However it fails with this error despite the anyuid addon being applied:
>
> 
> Error from server (Forbidden): securitycontextconstraints "anyuid" is
> forbidden: User "admin" cannot get securitycontextconstraints at the
> cluster scope: User "admin" cannot get securitycontextconstraints at the
> cluster scope
> 
>

anyuid scc is to allow the container to run as root inside the container.
From the description you've provided it looks like you're trying to contact
OpenShift API to get the list of SCC-s, in which case your container's
ServiceAccount must allow doing so. I'd recommend having a look at the
docs, which explain in greater detail what SA are [1], and what SCC are
[2].

[1] https://docs.openshift.org/latest/dev_guide/service_accounts.html
[2] https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Maciej



>
>
> How do I fix this?
>
> Thanks in advance,
> Traiano
>