Red Hat OpenShift 4.x: Adding a new user with admin rights

Getting Started

Once the initial baremetal OpenShift 4.6 IPI install is complete, you will see output similar to what is shown below.

This output contains the URL for the OpenShift WebUI along with the “kubeadmin” password. You will be able to log into the WebUI using these credentials.

If you forget your kubeadmin login (which you will, because it’s ugly) you will be able to find it in the auth directory.

{ocptest}[kni@bastion ~]$ cat clusterconfigs/auth/kubeadmin-password 

Upon initial login to the WebUI you will see a blue bar near the top of the page – as shown below.

Adding a New User with Admin Rights

Bottom line, the OpenShift “kubeadmin” password is not user friendly. In my lab I do not want to have to look it up each time I attempt to access the WebUI. I need simple and easy to remember credentials.

So I am going to create a new admin user. In the example below I am creating a user named ‘admin‘ with the password of ‘admin‘.

I am working in a homelab, so security is not exactly a priority.

{ocp}[kni@bastion ~]$ htpasswd -c -B -b users.htpasswd admin admin
Adding password for user admin

Now I define a secret which uses the HTPasswd user file as shown below.

{ocp}[kni@bastion ~]$ oc create secret generic htpass-secret --from-file=htpasswd=/home/kni/users.htpasswd -n openshift-config
secret/htpass-secret created

Next, I create a custom resource that defines the use of the HTPasswd identity provider. This file is straight out of the user doc and is unmodified.

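apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret  # the secret created above in openshift-config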

Now we apply the Custom Resource (CR) via oc apply.

{ocp}[kni@bastion ~]$ oc apply -f /home/kni/ configured

Now let’s test your new id and password on the CLI. If the step below fails, you will need to start all over again.

{ocp}[kni@bastion ~]$ oc login -u admin
Authentication required for https://api.ocp.lab.localdomain:6443 (openshift)
Username: admin
Login successful.

You have access to 59 projects, the list has been suppressed. You can list all projects with ' projects'

Using project "default".

Confirm URL for WebUI.

{ocp}[kni@bastion ~]$ oc whoami --show-console

Navigate to the URL above and select my_htpasswd_provider. Enter your new credentials. At this point you should be able to log in without issue. If not, please work through the process again.


If you do run into errors, delete the files that you created and run the command below to delete the secret.

oc delete secret htpass-secret -n openshift-config

At this point you should be able to repeat the procedure and check for errors.
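
An added example, not part of the original post: a small audit of the users.htpasswd file before it is loaded into htpass-secret. It reports entries that are not bcrypt, bcrypt entries with a low cost factor (htpasswd -B writes cost 5 unless -C is given), and repeated user names. The function name, the cost threshold of 10 and the sample entries are assumptions constructed for illustration.

```python
import re

# Digest prefixes that Apache htpasswd can write, mapped to a scheme label.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$apr1\$"), "md5-apr1"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted"),
    (re.compile(r"^\$[56]\$"), "sha2-crypt"),
]
MIN_BCRYPT_COST = 10  # assumed policy threshold, not an OpenShift requirement

# Constructed sample: placeholder digests with the right shape, not real hashes.
SAMPLE = "\n".join([
    "admin:$2y$05$" + "A" * 53,            # shape written by a plain `htpasswd -B`
    "ops:$2y$12$" + "B" * 53,              # bcrypt with a raised cost (-C 12)
    "legacy:$apr1$abcdefgh$" + "C" * 22,   # Apache MD5
    "svc:{SHA}" + "D" * 27 + "=",          # unsalted SHA-1
    "admin:$2y$12$" + "E" * 53,            # repeated user name
])


def audit_htpasswd(text):
    """Return (line_no, user, finding) tuples for the body of an htpasswd file."""
    findings, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user or not digest:
            findings.append((no, user, "malformed entry"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        for pattern, scheme in SCHEMES:
            m = pattern.match(digest)
            if m:
                break
        else:
            scheme = "crypt-or-plaintext"  # no known prefix matched
        if scheme != "bcrypt":
            findings.append((no, user, f"weak scheme {scheme}"))
        elif int(m.group(1)) < MIN_BCRYPT_COST:
            findings.append((no, user, f"bcrypt cost {int(m.group(1))} below {MIN_BCRYPT_COST}"))
    return findings


if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

To audit a real file, pass its contents, for example audit_htpasswd(open("/home/kni/users.htpasswd").read()).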


OpenShift 4 CLI Common Command Guide: Part 1

Show OpenShift Version

[kni@bastion ~]$ oc get clusterversion
version   4.6.4     True        False         6d2h    Cluster version is 4.6.4

Accessing the Web Console

Once your deployment is complete, you can use the following command to determine the web console URL.

[kni@bastion ~]$ oc whoami --show-console

By default, your username for the console is kubeadmin. Use the command below to obtain your password. Note that your cluster directory may not be clusterconfigs; however, this is the default.

[kni@bastion ~]$ cat clusterconfigs/auth/kubeadmin-password 

Working with Nodes

Show nodes.

[kni@bastion ~]$ oc get nodes
NAME       STATUS   ROLES           AGE    VERSION
master-0   Ready    master,worker   6d3h   v1.19.0+9f84db3
master-1   Ready    master,worker   6d3h   v1.19.0+9f84db3
master-2   Ready    master,worker   6d3h   v1.19.0+9f84db3

Show baremetal hardware nodes.

Oops I have errors..

[kni@bastion ~]$ oc get bmh -n openshift-machine-api
master-0   OK       externally provisioned   ocp-d9z87-master-0   ipmi://                      true     
master-1   OK       externally provisioned   ocp-d9z87-master-1   ipmi://                      true     
master-2   OK       externally provisioned   ocp-d9z87-master-2   ipmi://                      true     
worker-0   error    registration error                            ipmi://                       true     Failed to get power state for node c8105b63-3697-419c-9cab-fdfa9985411a. Error: IPMI call failed: power status.
worker-1   error    inspecting                                    ipmi://                      true     Introspection timeout

Delete a baremetal node.

[kni@bastion ~]$ oc delete bmh worker-0 -n openshift-machine-api
"worker-0" deleted

Working with Projects

Show Current Project

[kni@bastion ~]$ oc project
Using project "openshift-machine-api" on server "https://api.ocp.lab.localdomain:6443".

Create a New Project

[kni@bastion ~]$ oc new-project testproject
Now using project "testproject" on server "https://api.ocp.lab.localdomain:6443".

Change Current Project

If the project does not already exist, you will get an error.

[kni@bastion ~]$ oc project testproject
Now using project "testproject" on server "https://api.ocp.lab.localdomain:6443".

Show Status of Current Project

[kni@bastion ~]$ oc status
In project testproject on server https://api.ocp.lab.localdomain:6443

You have no services, deployment configs, or build configs.
Run 'oc new-app' to create an application.

Delete a Project

[kni@bastion ~]$ oc delete project testproject
"testproject" deleted

List all Projects

[kni@bastion ~]$ oc get projects
NAME                                               DISPLAY NAME   STATUS
default                                                           Active
kube-node-lease                                                   Active
kube-public                                                       Active
kube-system                                                       Active
openshift                                                         Active
openshift-apiserver                                               Active
openshift-apiserver-operator                                      Active

Working with Pods

Show all Pods in a Particular Namespace

oc get pods shows you the pods in your current namespace. Use -n to specify a namespace by name. Use -A to list pods in all namespaces.

[kni@bastion ~]$ oc get pod -n openshift-dns
NAME                READY   STATUS    RESTARTS   AGE
dns-default-64gcs   3/3     Running   0          4d1h
dns-default-dttgz   3/3     Running   0          4d1h
dns-default-jwmdx   3/3     Running   0          4d1h

Wide listing of Pods in a Particular Namespace

-o wide allows you to see the pod IP address and the node where it is running.

[kni@bastion ~]$ oc get pods -n openshift-console -o wide
NAME                         READY   STATUS    RESTARTS   AGE    IP            NODE       NOMINATED NODE   READINESS GATES
console-65c4b9c45b-gts2h     1/1     Running   0          4d   master-1   <none>           <none>
console-65c4b9c45b-jqrhp     1/1     Running   0          4d   master-0   <none>           <none>
downloads-65c97dd5b9-mwpfd   1/1     Running   0          4d1h   master-1   <none>           <none>
downloads-65c97dd5b9-np5hh   1/1     Running   0          4d1h   master-2   <none>           <none>

Show Pod Resource Usage

The command below shows the CPU cores and memory used per pod. CPU is measured in millicores (# of host cores * 1000) and memory in bytes.

[kni@bastion ~]$ oc adm top pods -A
NAMESPACE                                          NAME                                                      CPU(cores)   MEMORY(bytes)   
openshift-apiserver                                apiserver-c95cd4bfd-92h9s                                 20m          207Mi           
openshift-apiserver                                apiserver-c95cd4bfd-kfkd7                                 22m          243Mi           
openshift-apiserver                                apiserver-c95cd4bfd-nbm26                                 24m          227Mi           
openshift-apiserver-operator                       openshift-apiserver-operator-54ff4fb46f-jnxzn             16m          98Mi            
openshift-authentication                           oauth-openshift-8bcb6778d-lnqvj                           4m           49Mi            
openshift-authentication                           oauth-openshift-8bcb6778d-svffg                           3m           37Mi            
openshift-authentication-operator                  authentication-operator-5687669dcd-5vrmk                  29m          102Mi           
openshift-cloud-credential-operator                cloud-credential-operator-5bc7bbcdc5-w2hwt                2m           98Mi            
openshift-cluster-machine-approver                 machine-approver-6bbc78c46b-mmzdf                         0m           49Mi            
openshift-cluster-node-tuning-operator             cluster-node-tuning-operator-57d7f9b947-xkrd8             0m           25Mi            

Enhanced Platform Awareness in Red Hat OpenShift


Four part series published on

Enhanced Platform Awareness (EPA) in OpenShift — Part I, HugePages

Enhanced Platform Awareness (EPA) in OpenShift — Part II, CPU pinning

Enhanced Platform Awareness (EPA) in OpenShift — Part III, NUMA Topology Awareness

Enhanced Platform Awareness (EPA) in OpenShift — Part IV, SR-IOV, DPDK and RDMA