Re: openshift origin all in one

2018-10-01 Thread David Eads
In the release after 3.11, the all-in-one will no longer be available and because it isn't considered a production installation, we have no plans to provide a clean migration from an all-in-one configuration. On Sun, Sep 30, 2018 at 3:56 PM Aleksandar Kostadinov wrote: > Here my personal

Re: Registry Permissions

2018-08-22 Thread David Eads
ed? > > I have created a new service account that is dedicated to pushing the > images, this has been given the cluster permission of registry-admin. The > goal is to now have the images available to be pulled in to any project. > > Thanks again, > Dave > > On Wed, Aug 2

Re: Registry Permissions

2018-08-22 Thread David Eads
They are groups. "system:authenticated" and "system:unauthenticated" and you probably want to assign both. On Wed, Aug 22, 2018 at 9:39 AM Ben Parees wrote: > > > On Wed, Aug 22, 2018 at 6:51 AM, David Conde wrote: > >> Is it possible to add global pull permissions to a project in the >>

Re: Modify webconsole configmap

2018-08-14 Thread David Eads
to be updated to reflect this change. > > Another question, when adding new templates and making them available > through the webconsole, is it preferable to have them through the service > catalog via TSB or through an additional extensions script in the > webconsole config? >

Re: Modify webconsole configmap

2018-08-13 Thread David Eads
Feature! :) Because it is operator managed, you need to edit the config leading to the operator. Try `oc edit openshiftwebconsoleconfigs.webconsole.operator.openshift.io` and update the spec.config to what you need. On Sat, Aug 11, 2018 at 3:54 AM Ahmed Ossama wrote: > Hi Everyone, > > I am

Re: Possible to run Mutating Webhook BEFORE built in openshift mutators?

2018-08-06 Thread David Eads
No. Webhooks come after the normal admission chain because a webhook can reasonably be aware of the built in admission chain, but the reverse is not true. On Sat, Aug 4, 2018 at 8:39 PM Marc Boorshtein wrote: > I'm trying to create a webhook that will change the security context the >

Re: Deleting from WebUI is not working - 3.7.2

2018-05-02 Thread David Eads
Check your controller logs to see if the garbage collector is getting rejected while trying to clean up the associated resources. You may have to increase the logging level. On Wed, May 2, 2018 at 8:27 AM, Jessica Forrester wrote: > Yeah this typically means the garbage

Re: Updating the clusterquota object

2016-11-08 Thread David Eads
All the basic CRUD commands work, so you can run `oc edit clusterquota/name`, `oc patch clusterquota/name `, or `oc update -f `. On Tue, Nov 8, 2016 at 11:06 AM, Ben Pritchett wrote: > Is there a method for updating clusterquotas that have already been > created?

Re: quota increase

2016-10-25 Thread David Eads
Try `oc edit quota/foo`. Similar command for `limitranges`. You can also write `oc patch` commands, but they tend to be more difficult. On Tue, Oct 25, 2016 at 3:03 PM, Srinivas Naga Kotaru (skotaru) < skot...@cisco.com> wrote: > Hi > > > > Can cluster-admin increase quota and limits on

Re: HELP - Image pull back off

2016-10-24 Thread David Eads
Adding Scott. On Sun, Oct 23, 2016 at 9:00 AM, Philippe Lafoucrière < philippe.lafoucri...@tech-angels.com> wrote: > Looks like the problem comes from https://github.com/openshift/openshift-ansible/pull/2411/files > Where the registry is considered as secure, but it still listens using http >

Re: cluster-roles

2016-08-04 Thread David Eads
ion I can refer to create roles and add necessary > permissions as we want? Am not sure how easy or difficult to create a > custom role and add this role to robot. > > Keeping ‘admin’ role as a back up strategy? > > -- > *Srinivas Kotaru* > > From: David Eads <de...@redha

Re: cluster-roles

2016-08-04 Thread David Eads
er? So he has cluster wide limited admin access to perform above jobs. > One immediate solution is to add cluster ‘admin’ but as you said we are > little hesitated rather want to give exact roles required for his job. > > Your help is highly appreciated … > > -- > *Srinivas K

Re: cluster-roles

2016-08-04 Thread David Eads
I don't think I'd have my robot use the `projectrequests` endpoint. Instead, I'd grant my robot the power to 1. Create projects 2. Update namespaces 3. Create resourcequotas, limitranges 4. Bind robot to "admin" Binding the robot to "admin" seems a little bit odd, but the rules for

Re: Binding service account to project-local roles

2016-07-07 Thread David Eads
`oc create policybinding TARGET_POLICY_NAMESPACE` should help create a policybinding of the correct shape.

    # Create a policy binding in namespace "foo" that references the policy in namespace "bar"
    oc create policybinding bar -n foo

On Wed, Jul 6, 2016 at 9:12 PM, Jordan Liggitt

Re: How to list all roles a user has?

2016-06-15 Thread David Eads
et some attributes about username and a list of > groups, but no roles. The rolebinding endpoints all look to only list > members of the binding but not the other way. is what I'm looking for > exist? > > Thanks > > On Wed, Jun 15, 2016 at 1:56 PM, David Eads <de...@red

Re: How to list all roles a user has?

2016-06-15 Thread David Eads
As a project admin, `oc get rolebindings` will show you all the rolebindings in a given namespace. As a cluster-admin, `oc get clusterrolebindings` will show you all the clusterrolebindings which have power across all namespaces. On Wed, Jun 15, 2016 at 1:47 PM, Marc Boorshtein

Re: policy for openshift user who can only push to openshift registry.

2016-03-19 Thread David Eads
We created `system:image-pusher` back in 1.1.1 with https://github.com/openshift/origin/pull/5962. Check to make sure that your policy is up to date: `oadm policy reconcile-cluster-roles`. By default that makes no changes. If you approve

Re: policy for openshift user who can only push to openshift registry.

2016-03-18 Thread David Eads
You should be modifying `Roles` and `RoleBindings`, not the `Policies` directly. Those exist for auditing capabilities. On Fri, Mar 18, 2016 at 9:08 AM, Lorenz Vanthillo < lorenz.vanthi...@outlook.com> wrote: > Thanks, we have the policy. We were searching in the documentation for it > because

Re: Warning "attempting to mount a secret disallowed by sa/default"

2016-01-19 Thread David Eads
That's a server setting that can be enabled or disabled. We used to default to it being strict, so that message saved a lot of pd activity. We changed the default, so we should update `oc status`. I'll take a look. On Tue, Jan 19, 2016 at 4:09 PM, Philippe Lafoucrière <

Re: User "system:anonymous" cannot "proxy" "services" with name "fabric8-forge"

2016-01-19 Thread David Eads
Could you include the output of that curl? If you provide an expired or invalid token, you'll get a "401 unauthorized", not a 403 forbidden that indicates "system:anonymous" cannot "proxy". In order to get the 403, you (or the product calling on your behalf), must be making the request without