OpenShift Cheatsheet
Here are some helpful OpenShift commands which work (at least) since version 4.11.
Login
How to get a token: https://oauth-openshift.apps.ocp.example.com/oauth/token/display
You might need it for login or automation.
$ oc login --token=... --server=https://api.ocp.example.com:6443
Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" "https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"
Login with username/password:
$ oc login -u admin -p password https://api.ocp.example.com:6443
Get console URL:
$ oc whoami --show-console
Creating
$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)
$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24
Search images with podman:
$ podman search <wordpress>
Create new app
with label and parameters
from template
$ oc new-app -l team=red --template=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret
from image
$ oc new-app -l team=blue --image registry.redhat.io/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret
Create Deployment from image
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80
Create Job from image
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "mysql -e 'create database events;' && mysql events -e 'source /tmp/dump.sql;'"
Cronjob:
$ oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ \$(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"
Check output of job:
$ oc logs job/<name>
Create Secret from String
$ oc create secret generic test --from-literal=foo=bar
Running
General cluster info:
$ oc cluster-info
Which resources are there? (optionally only those in|without a namespace, or only the OpenShift-specific ones)
$ oc api-resources (--namespaced=false) (--api-group=config.openshift.io)
Explain resources:
$ oc explain service
Switch namespace:
$ oc project <namespace>
Quit namespace:
$ oc project -n default
Get all resources:
$ oc get all
(Attention: imagestreams, secrets, services, and pvcs will be shown outside resources)
$ oc get secret,svc,pvc,dc
List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default
Get status of all nodes:
$ oc get nodes
Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)
Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql
Get pods' readinessProbe:
$ oc get pods -o jsonpath='{.items[0].spec.containers[0].readinessProbe}' | jq
Show Uptime:
$ oc get machines -A
Sort Events by time:
$ oc get events --sort-by=lastTimestamp
Show egress IPs:
$ oc get hostsubnets
Show/edit initial configuration (use "oc edit" instead of "oc get" to edit):
$ oc get cm cluster-config-v1 -o yaml -n kube-system
Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'
Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash
Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp
List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093
User rights to resources:
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs
Create service from deployment:
$ oc expose deployment/helloworld
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb
Patch resource:
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'
Restart deployment after change:
The deployment resource has no rollout option -> you must patch something before it restarts, e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'
Set master/worker to (un)paused:
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api
Empty node and put it into maintenance mode (e.g. before rebooting):
$ oc adm cordon <node1>
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true
After reboot:
$ oc adm uncordon <node1>
Logging
Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)
Debug pod (e.g. if in CrashLoopBackOff):
$ oc debug pod/<podname>
Liveness/Readiness probes of all pods at a certain timestamp:
$ oc adm node-logs --role worker -u kubelet | grep -E 'Liveness|Readiness' | grep "Aug 21 11:22"
Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true
Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/
Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log
Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
Source:
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html
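Added example (not from the original page): a Python version of the jq filter above that also catches deletecollection, counts each request once, and tallies deletes the API server rejected. The sample lines are constructed; field names follow the audit.k8s.io/v1 Event format, and the function names are this example's own.

```python
import json
import sys
from collections import Counter

# Constructed sample lines in audit.k8s.io/v1 Event format (not real cluster data).
SAMPLE = """\
{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:ci:builder"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2023-09-26T14:12:01Z"}
{"kind":"Event","stage":"RequestReceived","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"demo","name":"mysql-1"},"requestReceivedTimestamp":"2023-09-26T14:12:07Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"demo","name":"mysql-1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-09-26T14:12:07Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"demo","name":"test"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-09-26T14:12:09Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"del
{"kind":"Event","stage":"ResponseComplete","verb":"deletecollection","user":{"username":"system:serviceaccount:ci:builder"},"objectRef":{"resource":"pods","namespace":"demo"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2023-09-26T14:12:15Z"}
"""


def delete_events(lines):
    """Yield one summary per completed delete/deletecollection request."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, or a non-JSON prefix
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue  # count each request once, when its result is known
        if ev.get("verb") not in ("delete", "deletecollection"):
            continue
        ref = ev.get("objectRef") or {}
        parts = (ref.get("namespace"), ref.get("resource"), ref.get("name"))
        yield {
            "time": ev.get("requestReceivedTimestamp", "?"),
            "user": (ev.get("user") or {}).get("username", "?"),
            "target": "/".join(p for p in parts if p),
            "code": (ev.get("responseStatus") or {}).get("code"),
        }


def denied_by_user(events):
    """Count deletes the API server rejected (401/403) per user."""
    return Counter(e["user"] for e in events if e["code"] in (401, 403))


if __name__ == "__main__":
    # Reads piped node-logs output; with no pipe, uses the constructed sample.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    events = list(delete_events(src))
    for e in events:
        print(e["time"], e["code"], e["user"], e["target"])
    for user, n in denied_by_user(events).most_common():
        print(f"denied deletes: {user} x{n}")
```

Pipe the output of the `oc adm node-logs <node> --path=openshift-apiserver/<file>` command shown above into the script to run it on real audit data.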
Information gathering
Must-gather
$ oc adm must-gather
-> creates must-gather.local.XXXXXX
https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect (delete secrets if necessary!)
Inspect
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m
App URLs
Kibana
https://kibana-openshift-logging.apps.ocp.example.com/
ArgoCD
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com
Useful terms
IPI Installer-provisioned infrastructure cluster
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)
UPI User provisioned infrastructure cluster
- DNS and load balancing must already be there
- Manual installation, download OVA file (in case of vSphere)
- master created manually
- workers recommended
- *no* keepalived
Advantages:
IPI: simpler installation, using preconfigured features
UPI: more flexibility, no load balancer outage during update
Changing from IPI -> UPI is not possible
You can get more shortcuts by typing:
$ oc api-resources
cm | config map |
csv | cluster service version |
dc | deploymentconfig |
ds | deploymentsetting |
ip | installplan |
mcp | machineconfigpool |
pv | persistent volume |
sa | service account |
scc | security context constraints |
svc | service |