Hi,
I have created a security context constraint for a service account as
listed below with permissions to create privileged containers and mount
hostPaths. By logging into this service account I am not able to create a
ReplicationController with a privileged Pod template; however, I am able to
create privileged Pods. I am not sure what's missing in this config.
Thanks,
- Adi.
clusterrole =>
[root@localhost kubes]# oc describe clusterrole avirole
Name:        avirole
Namespace:   <none>
Created:     15 hours ago
Labels:      <none>
Annotations: <none>
Verbs             Non-Resource URLs  Extension  Resource Names  API Groups  Resources
[get list watch]  []                            []              []          [*]
[patch update]    []                            []              []          [routes/status]
[*]               []                            []              []          [pods replicationcontrollers services]
SecurityContextConstraint =>
[root@localhost kubes]# oc describe scc avi-scc
Name:      avi-scc
Priority:  <none>
Access:
  Users:   system:serviceaccount:default:avi
  Groups:  <none>
Settings:
  Allow Privileged:           true
  Default Add Capabilities:   <none>
  Required Drop Capabilities: <none>
  Allowed Capabilities:       <none>
  Allowed Volume Types:       *
  Allow Host Network:         true
  Allow Host Ports:           true
  Allow Host PID:             false
  Allow Host IPC:             false
  Read Only Root Filesystem:  false
  Run As User Strategy:       RunAsAny
    UID:            <none>
    UID Range Min:  <none>
    UID Range Max:  <none>
  SELinux Context Strategy:   RunAsAny
    User:   <none>
    Role:   <none>
    Type:   <none>
    Level:  <none>
  FSGroup Strategy:           RunAsAny
    Ranges:  <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:  <none>
ReplicationController =>
[root@localhost kubes]# kubectl get rc
NAME                 DESIRED   CURRENT   READY   AGE
avi-egress-1         1         0         0       15h
docker-registry-1    0         0         0       15h
registry-console-1   1         1         1       15h
router-1             0         0         0       15h
[root@localhost kubes]# kubectl describe rc avi-egress-1
Name:         avi-egress-1
Namespace:    default
Image(s):     avinetworks/avi-egress-router
Selector:     name=avi-egress-1
Labels:       name=avi-egress-1
Replicas:     0 current / 1 desired
Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Volumes:
  run:
    Type:  HostPath (bare host directory volume)
    Path:  /var/run
  ns1:
    Type:  HostPath (bare host directory volume)
    Path:  /proc/1/ns/net
Events:
  FirstSeen  LastSeen  Count  From                        SubobjectPath  Type     Reason        Message
  ---------  --------  -----  ----                        -------------  ----     ------        -------
  15h        5m        164    {replication-controller }                  Warning  FailedCreate  Error creating: pods "avi-egress-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
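An added Python model of SCC admission (not OpenShift's own code) that shows why the RC-created pod is checked against the restricted SCC while a pod created directly by the avi service account is not: admission only consults SCCs granted to the requesting identity or to the pod's own service account, and for an RC the requester is the replication controller, not avi. The avi-scc values come from the post above; the restricted SCC, the pod's default service account and the controller's service account name/namespace are assumptions.

```python
# Added model of SCC admission (not OpenShift's code); the controller's SA name is assumed.
from dataclasses import dataclass

@dataclass
class SCC:
    name: str
    users: set             # users / service accounts granted this SCC
    groups: set            # groups granted this SCC
    allow_privileged: bool
    volumes: set           # allowed volume types; "*" means any

def service_account(ns, name):
    """(name, groups) of a service account, with the groups OpenShift puts it in."""
    return (f"system:serviceaccount:{ns}:{name}",
            {"system:authenticated", "system:serviceaccounts", f"system:serviceaccounts:{ns}"})

def validate(scc, pod):
    """Errors the pod spec produces against one SCC (empty list means it passes)."""
    errs = []
    for i, c in enumerate(pod["containers"]):
        if c.get("privileged") and not scc.allow_privileged:
            errs.append(f"spec.containers[{i}].securityContext.privileged: Privileged containers are not allowed")
    for j, vtype in enumerate(pod["volumes"]):
        if "*" not in scc.volumes and vtype not in scc.volumes:
            errs.append(f"spec.volumes[{j}]: {vtype} volumes are not allowed to be used")
    return errs

def admit(sccs, creator, pod_sa, pod):
    """Only SCCs granted to the requesting user or to the pod's own service account
    are consulted; the pod is admitted if it validates against any one of them."""
    errors = []
    for scc in sccs:
        if not any(n in scc.users or scc.groups & g for n, g in (creator, pod_sa)):
            continue
        errs = validate(scc, pod)
        if not errs:
            return True, scc.name, []
        errors += errs
    return False, None, errors or ["no SCC is granted to the requester or the pod's service account"]

# Constructed data mirroring the post: avi-scc plus a default-style "restricted" SCC.
AVI_SCC = SCC("avi-scc", {"system:serviceaccount:default:avi"}, set(), True, {"*"})
RESTRICTED = SCC("restricted", set(), {"system:authenticated"}, False,
                 {"configMap", "emptyDir", "persistentVolumeClaim", "secret"})
SCCS = [AVI_SCC, RESTRICTED]
EGRESS_POD = {"containers": [{"name": "egress", "privileged": True}], "volumes": ["hostPath", "hostPath"]}
AVI = service_account("default", "avi")
DEFAULT_SA = service_account("default", "default")          # pod template's SA when none is set
RC_CONTROLLER = service_account("openshift-infra", "replication-controller")  # assumed name/namespace
```

Running `admit(SCCS, RC_CONTROLLER, DEFAULT_SA, EGRESS_POD)` reproduces the three errors in the event above, while `admit(SCCS, RC_CONTROLLER, AVI, EGRESS_POD)` (the template carrying `serviceAccountName: avi`) is admitted via avi-scc.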