Need admin user with cluster-admin role #696

Closed
burrsutter opened this issue Apr 6, 2017 · 15 comments

burrsutter commented Apr 6, 2017

./minishift version
Minishift version: 1.0.0-beta.5
CDK Version: 3.0.0-beta.3

Need to log in to the web UI/console

https://screencast.com/t/YxEIldeXNa

jorgemoralespou (Contributor) commented

@burrsutter

With minishift 1.0.0.rc.1, which has addons and sudo for developer, it's easy to do it yourself. There is already an issue to create an admin user by default, although this mechanism is not secure at all, and neither is the current login.

Just do:

oc adm policy add-cluster-role-to-user cluster-admin admin --as=system:admin

This gives cluster-role to a user named admin. Since minishift uses anypasswd to authenticate, just log in with a user named admin (with any password).

LalatenduMohanty (Member) commented Apr 6, 2017

Here are the steps for addons in Minishift 1.0.0.rc.1. It will be available in the next version of CDK 3.0.

$ minishift addons install --defaults
$ minishift addons enable cluster-admin
$ minishift start

LalatenduMohanty (Member) commented Apr 6, 2017

@burrsutter or you can just run this after minishift start as @jorgemoralespou mentioned.

$ oc adm policy --as system:admin add-cluster-role-to-user cluster-admin developer

The addon is the suggested solution from Minishift; please give it a try and let us know if this works for you.

hferentschik (Member) commented

@burrsutter, you will never be able to log in as system:admin. system:admin is a special account which only allows login via certificates (which, as it happens, Minishift copies into your ~/.kube/config). That's the reason why you can use the system:admin account from the console using oc. If you grep ~/.kube/config for system:admin and the IP of the current Minishift VM, you will most likely find the entry which makes the login possible and you will also see that it is certificate based.

So the question is what you really want. You want to log into the console and see the default namespace? Is this what you are after? Then just give the 'developer' user the cluster-admin role as described above. Either via running the oc adm command directly or if you want to have this as a permanent thing, via enabling the cluster_admin addon. Once enabled, the developer user will get the cluster_admin role each time you create a Minishift instance.
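
The certificate-based entry described in the comment above can be confirmed without reading grep output by eye. As an added example that is not part of the original thread or of Minishift: a shell function that lists each user entry of a kubeconfig with its credential type. The function names, the sample file and its 192.0.2.10 address are constructed for illustration.

```shell
# Added example: classify each "users:" entry of a kubeconfig by credential type.
# Function names and the sample file below are constructed for illustration.

# kube_auth_kinds FILE -> one "name<TAB>kind" line per user entry;
# kind is certificate, token, or none (no recognised credential field).
kube_auth_kinds() {
    awk '
        function emit() {
            if (name != "") print name "\t" (kind != "" ? kind : "none")
            name = ""; kind = ""
        }
        /^ *#/    { next }                                       # skip comments
        /^[^ -]/  { emit(); in_users = ($1 == "users:"); next }  # top-level key
        !in_users { next }
        /^- /     { emit() }                                     # new list item
        {
            line = $0
            sub(/^[- ] /, "", line)          # drop "- " or the item indent
            if (line ~ /^name:/) { sub(/^name: */, "", line); gsub(/"/, "", line); name = line }
            else if (line ~ /^ +client-certificate(-data)?:/) kind = "certificate"
            else if (line ~ /^ +token:/ && kind == "") kind = "token"
        }
        END { emit() }
    ' "$1"
}

# Constructed sample shaped like a kubeconfig; credentials are placeholders.
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://192.0.2.10:8443
  name: 192-0-2-10:8443
users:
- name: developer/192-0-2-10:8443
  user:
    token: PLACEHOLDER
- name: system:admin/192-0-2-10:8443
  user:
    client-certificate-data: PLACEHOLDER
    client-key-data: PLACEHOLDER
EOF
}

sample=$(mktemp)
write_sample_kubeconfig "$sample"
kube_auth_kinds "$sample"
rm -f "$sample"
```

Run against a real file as `kube_auth_kinds ~/.kube/config`. A system:admin entry reported as certificate is a full-privilege credential stored on disk, so the permissions on that file matter.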

jorgemoralespou (Contributor) commented

@hferentschik @LalatenduMohanty I would argue that making developer a cluster-admin is a good practice, hence I supported @jstrachan's request to have a dedicated user being cluster admin (which we evaluated as a possible addon).

I'm not in favor of the cluster-admin addon, as we already have developer being a sudoer. Just think that like in Linux, you'd want to have separate accounts for the user, for root, and possibly have the user being able to sudo, but you'll definitely not make the user root by default.

LalatenduMohanty (Member) commented Apr 6, 2017

@jorgemoralespou yes and no. I agree with you that we should not make developer cluster-admin by default. However, if a user wants, he can make developer cluster-admin anyway (the same happens in Linux too, i.e. the user has the freedom). So addons just provide a Minishift way of doing it, and the addon is not enabled by default, which is in line with what you said.

jorgemoralespou (Contributor) commented

@LalatenduMohanty now that I think of it more, I agree. Although there needs to be a user admin (as cluster-admin) addon, which probably will be more useful. Or even there by default, as I do in oc-cluster as you'll always want to have those 2 users to log in from the console.

hferentschik (Member) commented

> Although there needs to be a user admin (as cluster-admin) addon, which probably will be more useful.

+1 That makes sense.

@burrsutter, this might not have been clear for you yet, but there is an important difference between what @LalatenduMohanty suggested and what @jorgemoralespou wrote. The current cluster-admin plugin gives the 'developer' user the cluster-admin role. So now when you log in as 'developer' on the console, you will see two namespaces/projects - default and myproject.

@jorgemoralespou does something different:

 oc adm policy add-cluster-role-to-user cluster-admin admin --as=system:admin

It assigns the cluster-admin role to the admin user. What Minishift (and cluster up) provide is an un-authenticated OpenShift instance. You can log in as any user you wish with any password you wish. It just happens that the 'developer' user also has a default project created (and that the kube config file has some context settings for the developer). So you can just log in as admin/admin if this is what you want. By default you just won't have any project. With the command from above you will see the default namespace, since the 'admin' user gets the cluster-admin role.

You can easily either write a new addon to do this for you or modify the default one to assign the cluster-role to 'admin' instead of 'developer'.

What @jorgemoralespou is suggesting is to have another addon (or change the behaviour of the existing one) to do this by default.

jorgemoralespou (Contributor) commented

@hferentschik Just a correction. If you make developer a cluster-admin, this is what you see.

[image]

And if you install logging, there is an additional namespace.

In my opinion, all these namespaces confuse a regular developer, so I would never make a regular dev cluster-admin, but rather ask him to log in as an admin. ;-)

I love how you give all these details. @burrsutter should already know most of this. If not, he can attend one of the EVG trainings ;-) (Just kidding, Burr. Or not?)

LalatenduMohanty (Member) commented

> Although there needs to be a user admin (as cluster-admin) addon, which probably will be more useful. Or even there by default, as I do in oc-cluster as you'll always want to have those 2 users to log in from the console.

@jorgemoralespou @hferentschik +1 I think this is better, a different user for cluster-admin.

hferentschik changed the title from "Need Admin/Admin User" to "Need admin user with cluster-admin role" Apr 7, 2017
hferentschik added this to the v1.0.0-rc.2 milestone Apr 7, 2017
praveenkumar self-assigned this Apr 10, 2017
praveenkumar added a commit to praveenkumar/minishift that referenced this issue Apr 12, 2017
praveenkumar added a commit to praveenkumar/minishift that referenced this issue Apr 13, 2017
praveenkumar (Contributor) commented

Fix with #741

lordofthejars commented

I have run:

$ minishift addons install --defaults
$ minishift addons enable cluster-admin
$ minishift start

But when I run the enable thing I got "No add-on with the name cluster-admin is installed."

I am using minishift 1.7.0

mattfenwick commented

@lordofthejars have you tried

$ minishift addons install --defaults
$ minishift addons enable admin-user
$ minishift start

? It looks like they changed the name from cluster-admin to admin-user (based on the linked PR #741).

lordofthejars commented Dec 8, 2017 via email

ihtiking commented

To activate clusteradmin we must install the addon:
$ minishift addons install --defaults

Restart minishift:
$ minishift stop
$ minishift start

Log in to minishift as:
$ oc login https://172.18.10.74:8443/ -u system:admin

Give clusteradmin rights to user admin:
$ oc adm policy --as system:admin add-cluster-role-to-user cluster-admin admin
or give clusteradmin rights to user develop:
$ oc adm policy --as system:admin add-cluster-role-to-user cluster-admin develop

Log out, log in to minishift as admin, and run the command:
$ oc get users

If you see the table of users in minishift, it is done.
