Hi Aditya. If you can create the pod directly when logged in as that service account it sounds like the grant is good to go. Did you specify the avi service account on the podSpec.serviceAccountName? If not then it is running with the default service account still and doesn't have access to the new SCC. Please try updating the pod template in the RC.
On Wed, Apr 12, 2017 at 1:09 PM, Aditya Somasundara <[email protected]> wrote:
> Hi,
> I have created a security context constraint for a service account as
> listed below with permissions to create privileged containers and mount
> hostPaths. By logging into this service account I am not able to create a
> ReplicationController with a privileged Pod template, however I am able to
> create privileged Pods. I am not sure what's missing in this config.
>
> Thanks,
> - Adi.
>
> clusterrole =>
> [root@localhost kubes]# oc describe clusterrole avirole
> Name:        avirole
> Namespace:   <none>
> Created:     15 hours ago
> Labels:      <none>
> Annotations: <none>
> Verbs             Non-Resource URLs  Extension  Resource Names  API Groups  Resources
> [get list watch]  []                            []              []          [*]
> [patch update]    []                            []              []          [routes/status]
> [*]               []                            []              []          [pods replicationcontrollers services]
>
> SecurityContextConstraint =>
> [root@localhost kubes]# oc describe scc avi-scc
> Name:                           avi-scc
> Priority:                       <none>
> Access:
>   Users:                        system:serviceaccount:default:avi
>   Groups:                       <none>
> Settings:
>   Allow Privileged:             true
>   Default Add Capabilities:     <none>
>   Required Drop Capabilities:   <none>
>   Allowed Capabilities:         <none>
>   Allowed Volume Types:         *
>   Allow Host Network:           true
>   Allow Host Ports:             true
>   Allow Host PID:               false
>   Allow Host IPC:               false
>   Read Only Root Filesystem:    false
>   Run As User Strategy:         RunAsAny
>     UID:                        <none>
>     UID Range Min:              <none>
>     UID Range Max:              <none>
>   SELinux Context Strategy:     RunAsAny
>     User:                       <none>
>     Role:                       <none>
>     Type:                       <none>
>     Level:                      <none>
>   FSGroup Strategy:             RunAsAny
>     Ranges:                     <none>
>   Supplemental Groups Strategy: RunAsAny
>     Ranges:                     <none>
>
> ReplicationController =>
> [root@localhost kubes]# kubectl get rc
> NAME                 DESIRED   CURRENT   READY     AGE
> avi-egress-1         1         0         0         15h
> docker-registry-1    0         0         0         15h
> registry-console-1   1         1         1         15h
> router-1             0         0         0         15h
> [root@localhost kubes]# kubectl describe rc avi-egress-1
> Name:         avi-egress-1
> Namespace:    default
> Image(s):     avinetworks/avi-egress-router
> Selector:     name=avi-egress-1
> Labels:       name=avi-egress-1
> Replicas:     0 current / 1 desired
> Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
> Volumes:
>   run:
>     Type: HostPath (bare host directory volume)
>     Path: /var/run
>   ns1:
>     Type: HostPath (bare host directory volume)
>     Path: /proc/1/ns/net
> Events:
>   FirstSeen  LastSeen  Count  From                       SubobjectPath  Type     Reason        Message
>   ---------  --------  -----  ----                       -------------  ------   ------        -------
>   15h        5m        164    {replication-controller }                 Warning  FailedCreate  Error creating: pods "avi-egress-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
_______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
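For reference, this is what the fix described in the reply looks like as a manifest. It is an added example, not a file from the thread: the RC name, image, host paths and the "avi" service account come from the describe output above, while the container name, the in-container mount paths and the "default" namespace are assumptions.

```yaml
# Added example (not from the thread): a ReplicationController whose pod
# template explicitly names the "avi" service account, so pods created by
# the controller are admitted against avi-scc rather than the restricted
# SCC that applies to the "default" service account.
apiVersion: v1
kind: ReplicationController
metadata:
  name: avi-egress-1
  namespace: default        # assumed; the SCC grants system:serviceaccount:default:avi
spec:
  replicas: 1
  selector:
    name: avi-egress-1
  template:
    metadata:
      labels:
        name: avi-egress-1
    spec:
      # Without this line the template runs as the "default" service account,
      # which avi-scc does not list, so admission rejects privileged: true and
      # both hostPath volumes with exactly the FailedCreate event shown above.
      serviceAccountName: avi
      containers:
      - name: egress-router                  # container name is assumed
        image: avinetworks/avi-egress-router
        securityContext:
          privileged: true                   # allowed by avi-scc (Allow Privileged: true)
        volumeMounts:
        - name: run
          mountPath: /host/var/run           # mount paths are assumed
        - name: ns1
          mountPath: /host/ns/net
      volumes:                               # hostPath allowed by avi-scc (Allowed Volume Types: *)
      - name: run
        hostPath:
          path: /var/run
      - name: ns1
        hostPath:
          path: /proc/1/ns/net
```

After the RC creates a pod, `oc get pod <pod-name> -o yaml` shows which SCC admitted it in the `openshift.io/scc` annotation, and `.spec.serviceAccountName` should read `avi`.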
