The Book of Knowledge

OpenShiftAccounts.md

Managing Accounts in OpenShift / Kubernetes

Create an Admin Service Account

# Define Service Account Name and Namespace

# Do not create cluster-wide SA unless you have a really good reason

SA=svc-dgf-edm-us-dev-admin
NS=dgf-edm-us-dev

# Create the Service Account

oc -n "$NS" create sa $SA

# Add Roles, in this case "admin"

oc policy add-role-to-user admin system:serviceaccount:$NS:$SA
oc describe sa svc-dgf-edm-us-dev-admin

# Verify assigned roles - note the funky quoting around $SA

oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[0].name=="'$SA'")' | jq '.roleRef.name'

# Export the login token

oc -n "$NS"  get secret svc-dgf-edm-us-dev-admin-token-qscd2  -o yaml | oc neat -f - > svc-dgf-edm-us-dev-admin-token-qscd2.yaml

The Book of Knowledge

• OpenShiftNetwork.md
• Miscellaneous OpenShift / Kubernetes Network Tricks

• Get Ingress Router Logs

OpenShiftNetwork.md

Miscellaneous OpenShift / Kubernetes Network Tricks

Get Ingress Router Logs

Namespace is openshift-ingress; router pods are router-default.

$ oc get pods -n openshift-ingress
NAME                                       READY   STATUS    RESTARTS   AGE
router-default-77d568d5-mngtx              2/2     Running   0          116d
router-default-77d568d5-rr25w              2/2     Running   0          116d
router-dmz-prod-app-7748b6976d-5glwd       2/2     Running   0          116d
router-dmz-prod-app-7748b6976d-x6hns       2/2     Running   0          116d
router-internal-prod-app-ff4bcdcc6-6cm9t   2/2     Running   0          116d
router-internal-prod-app-ff4bcdcc6-954ps   2/2     Running   0          116d
router-internal-prod-app-ff4bcdcc6-pgprj   2/2     Running   0          116d

This script saves the output of the logs to timestamped files.

The Book of Knowledge

List The Roles Bound To A User Or Group

All Users

Use the following commands to list all clusterrolebindings or rolebindings, and the users and groups bound to them (for the rolebindings, it is needed to specify also the namespace or -A for all namespaces):

$ oc get clusterrolebindings.authorization
$ oc -n <project> get rolebindings.authorization

Note: it is required to include the .authorization to get the output with the users and groups.

• How can I create a service account for scripted access?
  • Create SA
  • View SA
  • View Access Tokens
  • Delete (Revoke) Access Tokens
  • Delete (Revoke) Service Account

How can I create a service account for scripted access?

To create a service account, with a session token which does not expire, for use with scripted access, use the oc create sa command, and pass the name to give the service account.

Create SA

$ oc create sa robot
serviceaccount "robot" created

View SA

To view details of the service account created, run oc describe on the service account resource.

The Book of Knowledge

• The Book of Knowledge
  • OpenShiftTricks.md
  • Miscellaneous OpenShift / Kubernetes Tricks
    • Login as Installer
    • Get memory, resource usage for a pod
    • Get an interactive shell in a pod
    • Get an interactive shell on a node
    • Get Various Info via CLI
      • Get Auth Token
      • Pod
      • Deployment
      • Statefullset
      • DeploymentConfig
      • BuidConfig
      • ImageStream
      • Listing Users
      • Listing Groups
      • Specific Action/resource Permissions For a Specific User
      • To List All Permissions For a Specific User
      • Same For A Groups (Example)
    • Role-Based Access Controls (RBAC)
      • Describe all Role-Based Access Controls
      • Get Clusterrolebindings (CRB) for user/serviceaccount prometheus-server
      • Clusterroles (CR) for user/serviceaccount prometheus-server
      • All Accounts with cluster-wide cluster-admin
      • Local Role Binding Operations
      • Cluster role binding operations
      • Converting json to yaml
    • Who’s using kafka?
    • Enable/Disable Cronjobs
    • Request a login token

OpenShiftTricks.md

Miscellaneous OpenShift / Kubernetes Tricks

Login as Installer

Login to the bastion host, then export KUBECONFIG=~/installation_directory/auth/kubeconfig. Test by running oc whoami, which should return system:admin.

The Book of Knowledge

title: “Oracle” date: 2023-07-12T16:11:05-04:00 draft: false TableOfContents: true weight: 150

Oracle Tips and Tricks

Checking CRS

You must run the commands as user oracle.

$ su - oracle              #    choose any DB
$ ps -fu oracle            #    Check for DBs
$ crsctl check crs         #    CRS daemons
$ crsctl check cluster
$ crsctl check css         #    cluster sync status
$ crsctl check evm         #    event manager

The Book of Knowledge

Strategies.md

Strategies for Solving Problems

Google It

Search for the error message on Google.

• Learn quality sources for answers (StackOverFlow, sort.veritas.com, redhat.com, etc).

GSN Closed Incidents

• Search for the error message or other indications in Global Service Now.
• Search for the host to see if the problem has occurred before, and what the solution was.

GSN KB

• GSN has a knowledge base. It’s not used extensively by the Linux/Unix teams, but might have something worthwhile.

OpsWiki

Teams Channel Wikis

• Americas OPS Linux / HP-UX
• Global OPS UNIX
• GLOBAL-OPS.LINUX Empty at the moment.

Howdoi

• howdoi Instant coding answers via the command line [//]: # ( vim: set ai et nu sts=2 sw=2 ts=2 tw=78 filetype=markdown :)

The Book of Knowledge

PyMark.md

Installing Markdown (python markdown module and tool)

Markdown translator, convertor to html

As root, use pip to install markdown. Root is needed since the command line interface is in /usr/local/bin.

sudo su -
pip3 install markdown

There may be a warning about /usr/local/bin not in PATH. Ignore it. [//]: # ( vim: set ai et nu sts=2 sw=2 ts=2 tw=78 filetype=markdown :)

The Book of Knowledge

• Production Egress Internal
  • Egress Routers Prod Internal
  • Egress IPs Prod Internal
• Production Egress DMZ
  • Egress Routers Prod DMZ
  • Egress IPs Prod DMZ
• Test Egress Internal
  • Egress Routers Test Internal
  • Egress IPs Test Internal
• Test Egress DMZ
  • Egress Routers Test DMZ
  • Egress IPs Test DMZ

Production Egress Internal

Subnet 7.244.168.128/25

Egress Routers Prod Internal

Egress IPs Prod Internal

Production Egress DMZ

Subnet 156.137.125.128/25

The Book of Knowledge

US Prod and Test v4 Openshift cluster

PRIMARY PROD

US DR v4 Openshift cluster

DR PROD