Operate Applications on OpenShift: Routes, Operators, and SCCs
Introduction
OpenShift is a powerful container orchestration platform that enables developers and operations teams to deploy, manage, and scale applications in a cloud-native environment. As a robust Kubernetes distribution, OpenShift offers enhanced features like integrated CI/CD pipelines, developer and operational tools, and a user-friendly web console. For DevOps/SREs, understanding how to operate applications using OpenShift is critical for streamlining application lifecycle management and ensuring security and compliance.
In this tutorial, we will explore key components of OpenShift—Routes, Operators, and Security Context Constraints (SCCs). We will cover how to use the oc CLI to configure these components, manage the operator lifecycle, and enforce security policies through SCCs. By the end of this tutorial, you will be equipped with practical knowledge to effectively operate applications on OpenShift, ensuring high availability and security.
Prerequisites
Before diving into the tutorial, ensure you have the following prerequisites:
- OpenShift Cluster: Access to an OpenShift cluster (either on-premises or a cloud provider like AWS, Azure).
- oc CLI: The OpenShift command-line interface installed. You can download it here.
- Permissions: Sufficient permissions to create and manage routes, operators, and SCCs in your OpenShift project.
- Container Image: A sample container image to deploy (e.g., a simple web application).
Core Concepts
Routes
Routes in OpenShift allow external traffic to access services running within the cluster. They provide a way to expose applications externally, enabling users to interact with them over HTTP/HTTPS.
Operators
Operators are a method of packaging, deploying, and managing a Kubernetes application. They use the Operator pattern to automate the management of complex applications and services. The Operator Lifecycle Manager (OLM) is used to install and manage operators in OpenShift.
Security Context Constraints (SCCs)
Security Context Constraints are a powerful feature in OpenShift that defines the actions that a pod can perform and what resources it can access. SCCs enhance security by restricting the permissions of pods, ensuring that applications run in a secure environment.
Build Configs
Build Configurations define how your applications are built within OpenShift, specifying source code locations, build strategies, and triggers for builds.
Syntax/Configuration
Below are the basic syntax and configurations for the tools and concepts discussed:
Routes
To create a route, use the following command:
oc expose svc <service-name> --name=<route-name> --hostname=<hostname> --port=<port>
Parameters:
| Parameter | Description |
|---|---|
<service-name> |
Name of the service to expose |
<route-name> |
Name for the route |
<hostname> |
Optional hostname for the route |
<port> |
Port number to route traffic to |
Operators
To manage operators, you can use the following commands:
oc apply -f <operator-manifest.yaml>
Parameters:
| Parameter | Description |
|---|---|
<operator-manifest.yaml> |
Path to the operator's YAML manifest file |
Security Context Constraints (SCCs)
To create an SCC, use:
oc create scc <scc-name> --allow-privileged=<true|false> --run-as-user=<user-id>
Parameters:
| Parameter | Description |
|---|---|
<scc-name> |
Name for the Security Context Constraint |
| `<true | false>` |
<user-id> |
User ID to run pods as |
Build Configs
To create a build config, use:
oc create bc <build-config-name> --image=<image-name> --source=<source-url>
Parameters:
| Parameter | Description |
|---|---|
<build-config-name> |
Name for the build configuration |
<image-name> |
Name of the container image |
<source-url> |
URL of the source code repository |
Practical Examples
Example 1: Create a Route
oc expose svc my-web-app --name=my-web-route --hostname=myapp.example.com --port=8080
This command exposes the service my-web-app as a route accessible at myapp.example.com.
Example 2: List Routes
oc get routes
Lists all routes in the current namespace.
Example 3: Deploy an Operator
oc apply -f my-operator.yaml
This command deploys the operator defined in the manifest my-operator.yaml.
Example 4: Create an SCC
oc create scc my-scc --allow-privileged=false --run-as-user=1001
This command creates a new SCC named my-scc that restricts privileged mode and runs pods as user ID 1001.
Example 5: Apply an SCC to a Service Account
oc adm policy add-scc-to-user my-scc -z my-service-account
This command associates the my-scc SCC with the specified service account.
Example 6: Create a Build Config
oc create bc my-app-bc --image=my-image:latest --source=https://github.com/my-repo.git
This command creates a build configuration for an application using the specified image and source repository.
Example 7: Trigger a Build
oc start-build my-app-bc
Triggers a build for the specified build configuration.
Example 8: Monitor Build Status
oc get builds
Retrieves the status of all builds in the current project.
Real-World Scenarios
Scenario 1: Web Application Deployment
- Create a Docker image for a web application and push it to a container registry.
- Create a deployment configuration in OpenShift.
- Expose the application using a route.
- Verify the application is accessible via a web browser.
Scenario 2: Automated CI/CD Pipeline
- Set up a build config that pulls code from a Git repository.
- Create a webhook in GitHub to trigger builds on code pushes.
- Deploy the application using deployment configurations and monitor builds for errors.
Scenario 3: Multi-Tenancy with SCCs
- Create multiple SCCs for different teams with varying levels of permissions.
- Assign SCCs to service accounts based on team requirements.
- Ensure security policies are enforced while allowing teams to operate independently.
Best Practices
- Use Namespaces: Organize resources into namespaces to isolate environments (dev, test, prod).
- Limit SCCs: Apply the principle of least privilege when configuring SCCs to enhance security.
- Automate Builds: Use webhooks and triggers in build configs to automate CI/CD processes.
- Monitor Resource Usage: Regularly check resource usage to optimize application performance and costs.
- Version Control YAML Files: Keep operator and SCC manifest files in version control systems for traceability.
Common Errors
Error 1: Route Not Found
Error from server (NotFound): routes.route.openshift.io "my-web-route" not found
Cause: The specified route does not exist.
Fix: Check the route name and ensure it was created successfully.
Error 2: Insufficient Permissions
Error from server (Forbidden): unable to create resource "routes" in API group "route.openshift.io" in the namespace "my-namespace"
Cause: Lack of permissions to create the resource.
Fix: Ensure you have the necessary permissions or contact an administrator.
Error 3: Invalid SCC Configuration
Error from server (Invalid): securitycontextconstraints.security.openshift.io "my-scc" is invalid: allowPrivileged: Invalid value: true: must be false
Cause: Configuration violates security policies.
Fix: Review and correct the SCC configuration.
Error 4: Build Failed
Error: build failed: build my-app-bc-1 failed
Cause: Build process encountered an error (e.g., missing dependencies).
Fix: Check build logs for detailed error messages and address the underlying issues.
Related Services/Tools
| Feature | OpenShift | Kubernetes | AWS ECS | Azure AKS |
|---|---|---|---|---|
| Built-in CI/CD | ✅ | ❌ | ❌ | ❌ |
| Integrated Routes | ✅ | ❌ | ✅ | ✅ |
| Operator Lifecycle Manager | ✅ | ❌ | ❌ | ❌ |
| SCCs | ✅ | ❌ | ❌ | ❌ |
Automation Script
Here’s a sample Bash script to automate the creation of a route, SCC, and build config:
#!/bin/bash
# Variables
SERVICE_NAME="my-web-app"
ROUTE_NAME="my-web-route"
IMAGE_NAME="my-image:latest"
SOURCE_URL="https://github.com/my-repo.git"
SCC_NAME="my-scc"
# Create a route
oc expose svc $SERVICE_NAME --name=$ROUTE_NAME --hostname="${ROUTE_NAME}.example.com" --port=8080
echo "Route $ROUTE_NAME created."
# Create an SCC
oc create scc $SCC_NAME --allow-privileged=false --run-as-user=1001
echo "SCC $SCC_NAME created."
# Create a build config
oc create bc my-app-bc --image=$IMAGE_NAME --source=$SOURCE_URL
echo "Build config my-app-bc created."
# Trigger a build
oc start-build my-app-bc
echo "Build triggered for my-app-bc."
Conclusion
In this tutorial, we explored how to operate applications on OpenShift, focusing on Routes, Operators, and Security Context Constraints (SCCs). We provided practical examples and real-world scenarios that highlight the significance of these components in a DevOps context. By implementing the best practices discussed, you can enhance the security and reliability of your applications on OpenShift.
Next Steps
- Explore the OpenShift Documentation for more detailed guides.
- Experiment with deploying different applications and using advanced features like custom operators.
- Join the OpenShift community to stay updated on best practices and new features.