OpenShift

Perintah OpenShift yang sering dipakai untuk operasi harian: login cluster, project, workload, routes, logs, debug, build, registry, rollout, RBAC, dan troubleshooting.

00

Login dan Project

Mulai dari autentikasi cluster, memilih namespace/project, dan melihat konteks aktif.

Login dan cek user

oc
oc login https://api.cluster.example.com:6443
oc login --token=<token> --server=https://api.cluster.example.com:6443
oc whoami
oc whoami --show-server
oc whoami --show-token

Project dan context

oc
oc projects                         # daftar project yang bisa diakses
oc project my-project                # pindah project aktif
oc new-project my-project            # buat project baru
oc status                            # ringkasan resource project aktif
oc config current-context
oc config get-contexts
01

Inspect Resource

Melihat object Kubernetes/OpenShift dan output yang mudah diproses.

Get dan describe

oc
oc get all
oc get pods -o wide
oc get deploy,dc,sts,svc,route
oc describe pod/<pod>
oc describe deployment/<name>
oc get events --sort-by=.lastTimestamp

Output YAML, JSON, dan jsonpath

oc
oc get deploy myapp -o yaml
oc get pod mypod -o json | jq '.status.containerStatuses'
oc get route myapp -o jsonpath='{.spec.host}'
oc explain deployment.spec.template.spec.containers
02

Workload Harian

Membuat aplikasi, scale, restart, edit, dan hapus resource.

Membuat app cepat

oc
oc new-app nginx:latest --name web
oc new-app nodejs:20-ubi8~https://github.com/example/app.git --name api
oc expose svc/web                  # buat route dari service
oc get route web

Scale, edit, delete

oc
oc scale deployment/myapp --replicas=3
oc rollout restart deployment/myapp
oc edit deployment/myapp
oc delete pod/<pod>                # controller akan membuat pod pengganti
oc delete all -l app=myapp
03

Logs, Exec, dan Debug

Masuk ke pod, mengikuti log, dan membuat debug pod/node untuk investigasi.

Logs

oc
oc logs pod/<pod>
oc logs -f deployment/myapp
oc logs pod/<pod> -c <container>
oc logs pod/<pod> --previous        # log container sebelumnya setelah crash
oc logs --tail=100 -f deployment/myapp

Exec dan rsh

oc
oc exec -it pod/<pod> -- /bin/sh
oc exec pod/<pod> -- env
oc rsh pod/<pod>                   # shortcut shell OpenShift

Debug pod dan node

oc
oc debug deployment/myapp
oc debug pod/<pod>
oc debug node/<node-name>

# di debug node:
chroot /host
crictl ps
journalctl -u kubelet -n 100
04

Service, Route, dan Network

Expose aplikasi, melihat host route, TLS, dan konektivitas antar pod.

Service dan route

oc
oc expose deployment/myapp --port=8080
oc expose svc/myapp
oc get svc,route
oc describe route/myapp
oc delete route/myapp

Route TLS

oc
oc create route edge myapp --service=myapp --port=8080
oc create route passthrough myapp --service=myapp
oc create route reencrypt myapp --service=myapp --dest-ca-cert=ca.crt
oc patch route/myapp -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect"}}}'

Tes konektivitas dari pod sementara

oc
oc run netshoot --rm -it --image=nicolaka/netshoot -- /bin/bash
curl -v http://myapp:8080/health
dig myapp.my-project.svc.cluster.local
nc -vz myapp 8080
05

ConfigMap dan Secret

Menyimpan konfigurasi dan secret, lalu inject ke workload.

Membuat ConfigMap dan Secret

oc
oc create configmap app-config --from-literal=LOG_LEVEL=info
oc create configmap app-config --from-file=application.yaml

oc create secret generic app-secret --from-literal=DB_PASSWORD='secret'
oc create secret generic tls-secret --from-file=tls.crt --from-file=tls.key

Inject ke deployment

oc
oc set env deployment/myapp --from=configmap/app-config
oc set env deployment/myapp --from=secret/app-secret
oc set volume deployment/myapp --add --type=configmap --configmap-name=app-config --mount-path=/etc/app
oc rollout restart deployment/myapp
06

Build, ImageStream, dan Registry

Workflow Source-to-Image, Binary Build, ImageStream, dan registry internal.

BuildConfig dan start build

oc
oc new-build nodejs:20-ubi8~https://github.com/example/app.git --name=myapp
oc start-build myapp
oc start-build myapp --follow
oc logs -f bc/myapp
oc get build,bc,is

Binary build dari folder lokal

oc
oc new-build --binary --name=myapp -l app=myapp
oc start-build myapp --from-dir=. --follow
oc new-app myapp:latest
oc expose svc/myapp

Registry internal dan image import

oc
oc registry info
oc get imagestream
oc import-image nginx:latest --from=docker.io/library/nginx:latest --confirm
oc tag myapp:latest myapp:stable
oc set image deployment/myapp myapp=image-registry.openshift-image-registry.svc:5000/project/myapp:stable
07

Rollout dan Deployment

Memantau rollout, rollback, dan mengubah image atau env.

Status rollout

oc
oc rollout status deployment/myapp
oc rollout history deployment/myapp
oc rollout undo deployment/myapp
oc rollout restart deployment/myapp

Update image dan env

oc
oc set image deployment/myapp myapp=quay.io/example/myapp:v2
oc set env deployment/myapp FEATURE_FLAG=true
oc set resources deployment/myapp --limits=cpu=500m,memory=512Mi --requests=cpu=100m,memory=128Mi
oc rollout status deployment/myapp
08

RBAC dan ServiceAccount

Melihat izin, memberi role, dan menggunakan service account.

Cek izin

oc
oc auth can-i get pods
oc auth can-i create deployments -n my-project
oc auth can-i --list
oc policy who-can get secrets

Role dan service account

oc
oc create serviceaccount deployer
oc adm policy add-role-to-user edit alice -n my-project
oc adm policy add-role-to-user view system:serviceaccount:my-project:deployer
oc set serviceaccount deployment/myapp deployer
09

Troubleshooting Cepat

Checklist command saat pod tidak start, image gagal pull, route tidak bisa diakses, atau resource kurang.

Pod pending/crashloop

oc
oc get pod <pod> -o wide
oc describe pod/<pod>
oc logs pod/<pod> --all-containers
oc logs pod/<pod> --previous
oc get events --sort-by=.lastTimestamp | tail -30

Image pull dan registry

oc
oc describe pod/<pod> | grep -A5 -i image
oc get secret
oc create secret docker-registry regcred \
  --docker-server=registry.example.com \
  --docker-username=<user> \
  --docker-password=<password>
oc secrets link default regcred --for=pull

Resource quota dan limit

oc
oc describe quota
oc describe limitrange
oc adm top pods
oc adm top nodes
oc get pod <pod> -o jsonpath='{.spec.containers[*].resources}'