mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
109 lines
3.1 KiB
Plaintext
109 lines
3.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * installing/validation_and_troubleshooting/validating-an-installation.adoc
|
|
// * post_installation_configuration/cluster-tasks.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cco-ccoctl-install-verifying_{context}"]
|
|
= Verifying that a cluster uses short-term credentials
|
|
|
|
You can verify that a cluster uses short-term security credentials for individual components by checking the Cloud Credential Operator (CCO) configuration and other values in the cluster.
|
|
|
|
.Prerequisites
|
|
|
|
* You deployed an {product-title} cluster using the Cloud Credential Operator utility (`ccoctl`) to implement short-term credentials.
|
|
|
|
* You installed the {oc-first}.
|
|
|
|
* You are logged in as a user with `cluster-admin` privileges.
|
|
|
|
.Procedure
|
|
|
|
* Verify that the CCO is configured to operate in manual mode by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get cloudcredentials cluster \
|
|
-o=jsonpath={.spec.credentialsMode}
|
|
----
|
|
+
|
|
The following output confirms that the CCO is operating in manual mode:
|
|
+
|
|
.Example output
|
|
[source,text]
|
|
----
|
|
Manual
|
|
----
|
|
|
|
* Verify that the cluster does not have `root` credentials by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get secrets \
|
|
-n kube-system <secret_name>
|
|
----
|
|
+
|
|
where `<secret_name>` is the name of the root secret for your cloud provider.
|
|
+
|
|
[cols=2,options=header]
|
|
|===
|
|
|Platform
|
|
|Secret name
|
|
|
|
|{aws-first}
|
|
|`aws-creds`
|
|
|
|
|{azure-first}
|
|
|`azure-credentials`
|
|
|
|
|{gcp-first}
|
|
|`gcp-credentials`
|
|
|
|
|===
|
|
+
|
|
An error confirms that the root secret is not present on the cluster.
|
|
+
|
|
.Example output for an {aws-short} cluster
|
|
[source,text]
|
|
----
|
|
Error from server (NotFound): secrets "aws-creds" not found
|
|
----
|
|
|
|
* Verify that the components are using short-term security credentials for individual components by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get authentication cluster \
|
|
-o jsonpath \
|
|
--template='{ .spec.serviceAccountIssuer }'
|
|
----
|
|
+
|
|
This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object.
|
|
An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
|
|
|
|
* {azure-short} clusters: Verify that the components are assuming the {azure-short} client ID that is specified in the secret manifests by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get secrets \
|
|
-n openshift-image-registry installer-cloud-credentials \
|
|
-o jsonpath='{.data}'
|
|
----
|
|
+
|
|
An output that contains the `azure_client_id` and `azure_federated_token_file` felids confirms that the components are assuming the {azure-short} client ID.
|
|
|
|
* {azure-short} clusters: Verify that the pod identity webhook is running by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods \
|
|
-n openshift-cloud-credential-operator
|
|
----
|
|
+
|
|
.Example output
|
|
[source,text]
|
|
----
|
|
NAME READY STATUS RESTARTS AGE
|
|
cloud-credential-operator-59cf744f78-r8pbq 2/2 Running 2 71m
|
|
pod-identity-webhook-548f977b4c-859lz 1/1 Running 1 70m
|
|
---- |