openshift

Deploy and manage applications on Red Hat OpenShift Container Platform.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "openshift" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-openshift

OpenShift

Deploy and manage applications on Red Hat OpenShift Container Platform.

When to Use This Skill

Use this skill when:

  • Deploying applications to OpenShift clusters

  • Using OpenShift-specific features (Routes, BuildConfigs)

  • Managing projects and RBAC in OpenShift

  • Implementing S2I (Source-to-Image) builds

  • Working with OpenShift Operators

Prerequisites

  • OpenShift cluster access

  • oc CLI installed

  • Basic Kubernetes knowledge

CLI Basics

Authentication

Login to cluster

oc login https://api.cluster.example.com:6443 -u admin -p password

Login with token

oc login --token=sha256~xxxx --server=https://api.cluster.example.com:6443

Check current context

oc whoami oc whoami --show-server oc whoami --show-context

Logout

oc logout

Project Management

Create project (namespace)

oc new-project myapp --display-name="My App" --description="My Application"

Switch project

oc project myapp

List projects

oc projects

Delete project

oc delete project myapp

Deploying Applications

From Image

Deploy from container image

oc new-app --image=nginx:latest --name=webserver

Deploy from Docker Hub

oc new-app docker.io/library/nginx:latest

Deploy with environment variables

oc new-app myimage:latest
-e DATABASE_URL=postgres://localhost/db
-e APP_ENV=production

From Source (S2I)

Deploy from Git repository

oc new-app https://github.com/org/myapp.git

Specify builder image

oc new-app nodejs:18~https://github.com/org/nodejs-app.git

With context directory

oc new-app https://github.com/org/monorepo.git
--context-dir=backend
--name=backend-api

From Template

List available templates

oc get templates -n openshift

Deploy from template

oc new-app postgresql-persistent
-p POSTGRESQL_USER=user
-p POSTGRESQL_PASSWORD=secret
-p POSTGRESQL_DATABASE=mydb

Routes

Creating Routes

apiVersion: route.openshift.io/v1 kind: Route metadata: name: myapp spec: host: myapp.apps.cluster.example.com to: kind: Service name: myapp weight: 100 port: targetPort: 8080 tls: termination: edge insecureEdgeTerminationPolicy: Redirect

Create route via CLI

oc expose svc/myapp

Create with custom hostname

oc create route edge myapp
--service=myapp
--hostname=myapp.apps.cluster.example.com

Create passthrough route (TLS termination at pod)

oc create route passthrough myapp-secure --service=myapp

A/B Testing

apiVersion: route.openshift.io/v1 kind: Route metadata: name: myapp spec: to: kind: Service name: myapp-v1 weight: 90 alternateBackends: - kind: Service name: myapp-v2 weight: 10

Build Configurations

BuildConfig

apiVersion: build.openshift.io/v1 kind: BuildConfig metadata: name: myapp spec: source: type: Git git: uri: https://github.com/org/myapp.git ref: main strategy: type: Docker dockerStrategy: dockerfilePath: Dockerfile output: to: kind: ImageStreamTag name: myapp:latest triggers: - type: ConfigChange - type: GitHub github: secret: webhook-secret

S2I Build

apiVersion: build.openshift.io/v1 kind: BuildConfig metadata: name: myapp spec: source: type: Git git: uri: https://github.com/org/myapp.git strategy: type: Source sourceStrategy: from: kind: ImageStreamTag namespace: openshift name: nodejs:18-ubi8 env: - name: NPM_RUN value: start output: to: kind: ImageStreamTag name: myapp:latest

Build Commands

Start build

oc start-build myapp

Start build from local source

oc start-build myapp --from-dir=.

Follow build logs

oc start-build myapp --follow

View build logs

oc logs -f bc/myapp

Cancel build

oc cancel-build myapp-1

Image Streams

apiVersion: image.openshift.io/v1 kind: ImageStream metadata: name: myapp spec: lookupPolicy: local: true tags: - name: latest from: kind: DockerImage name: registry.example.com/myapp:latest importPolicy: scheduled: true

Create image stream

oc create imagestream myapp

Import image

oc import-image myapp:latest
--from=docker.io/library/nginx:latest
--confirm

Tag image

oc tag myapp:latest myapp:production

Deployment Configs

apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: name: myapp spec: replicas: 3 selector: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 8080 resources: requests: memory: "128Mi" cpu: "100m" limits: memory: "256Mi" cpu: "500m" triggers: - type: ConfigChange - type: ImageChange imageChangeParams: automatic: true containerNames: - myapp from: kind: ImageStreamTag name: myapp:latest strategy: type: Rolling rollingParams: maxSurge: 25% maxUnavailable: 25%

ConfigMaps and Secrets

Create ConfigMap

oc create configmap myapp-config
--from-literal=APP_ENV=production
--from-file=config.yaml

Create Secret

oc create secret generic myapp-secrets
--from-literal=password=secret123

Mount as volume

oc set volume dc/myapp
--add --name=config
--type=configmap
--configmap-name=myapp-config
--mount-path=/etc/config

Set as environment

oc set env dc/myapp --from=secret/myapp-secrets

Security Context Constraints

List SCCs

oc get scc

View SCC details

oc describe scc restricted

Grant SCC to service account

oc adm policy add-scc-to-user anyuid -z myapp-sa -n myproject

Create service account

oc create serviceaccount myapp-sa

Custom SCC

apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: myapp-scc allowPrivilegedContainer: false runAsUser: type: MustRunAsNonRoot seLinuxContext: type: MustRunAs fsGroup: type: RunAsAny volumes:

  • configMap
  • secret
  • persistentVolumeClaim users:
  • system:serviceaccount:myproject:myapp-sa

Operators

List available operators

oc get packagemanifests -n openshift-marketplace

Subscribe to operator

cat <<EOF | oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: prometheus namespace: openshift-operators spec: channel: stable name: prometheus source: community-operators sourceNamespace: openshift-marketplace EOF

View installed operators

oc get csv -n openshift-operators

Monitoring

View pod logs

oc logs -f pod/myapp-1-xyz

View events

oc get events --sort-by='.lastTimestamp'

Resource usage

oc adm top pods oc adm top nodes

Debug pod

oc debug pod/myapp-1-xyz

Common Issues

Issue: Build Fails

Problem: S2I build cannot find dependencies Solution: Check builder image, verify source repository access

Issue: Pod Security Violation

Problem: Pod fails to start due to SCC Solution: Use appropriate SCC or modify container security context

Issue: Route Not Working

Problem: Cannot access application via route Solution: Verify service selector, check router pods, validate DNS

Issue: Image Pull Error

Problem: Cannot pull image from registry Solution: Create image pull secret, link to service account

oc create secret docker-registry regcred
--docker-server=registry.example.com
--docker-username=user
--docker-password=pass

oc secrets link default regcred --for=pull

Best Practices

  • Use Projects for isolation (not just namespaces)

  • Leverage ImageStreams for image management

  • Use BuildConfigs for CI/CD integration

  • Implement proper SCCs (avoid privileged)

  • Use Routes instead of Ingress

  • Leverage OpenShift templates for repeatability

  • Monitor with built-in Prometheus

  • Use Operators for complex applications

Related Skills

  • kubernetes-ops - K8s fundamentals

  • helm-charts - Helm deployments

  • container-registries - Image management

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

sops-encryption

No summary provided by upstream source.

Repository SourceNeeds Review
-31
bagelhole
Security

linux-administration

No summary provided by upstream source.

Repository SourceNeeds Review
-29
bagelhole
Security

linux-hardening

No summary provided by upstream source.

Repository SourceNeeds Review
-26
bagelhole