Thanks Paul! It works now as expected.

On Wed, Apr 12, 2017 at 10:16 AM, Paul Weil <[email protected]> wrote:

> Hi Aditya. If you can create the pod directly when logged in as that
> service account it sounds like the grant is good to go. Did you specify
> the avi service account on the podSpec.serviceAccountName? If not then it
> is running with the default service account still and doesn't have access
> to the new SCC. Please try updating the pod template in the RC.
>
> On Wed, Apr 12, 2017 at 1:09 PM, Aditya Somasundara <[email protected]> wrote:
>
>> Hi,
>> I have created a security context constraint for a service account as
>> listed below with permissions to create privileged containers and mount
>> hostPaths. By logging into this service account I am not able to create a
>> ReplicationController with a privileged Pod template, however I am able to
>> create privileged Pods. I am not sure what's missing in this config.
>>
>> Thanks,
>> - Adi.
>>
>> clusterrole =>
>> [root@localhost kubes]# oc describe clusterrole avirole
>> Name:        avirole
>> Namespace:   <none>
>> Created:     15 hours ago
>> Labels:      <none>
>> Annotations: <none>
>> Verbs              Non-Resource URLs  Extension  Resource Names  API Groups  Resources
>> [get list watch]   []                            []              []          [*]
>> [patch update]     []                            []              []          [routes/status]
>> [*]                []                            []              []          [pods replicationcontrollers services]
>>
>> SecurityContextConstraint =>
>> [root@localhost kubes]# oc describe scc avi-scc
>> Name:                         avi-scc
>> Priority:                     <none>
>> Access:
>>   Users:                      system:serviceaccount:default:avi
>>   Groups:                     <none>
>> Settings:
>>   Allow Privileged:           true
>>   Default Add Capabilities:   <none>
>>   Required Drop Capabilities: <none>
>>   Allowed Capabilities:       <none>
>>   Allowed Volume Types:       *
>>   Allow Host Network:         true
>>   Allow Host Ports:           true
>>   Allow Host PID:             false
>>   Allow Host IPC:             false
>>   Read Only Root Filesystem:  false
>>   Run As User Strategy:       RunAsAny
>>     UID:                      <none>
>>     UID Range Min:            <none>
>>     UID Range Max:            <none>
>>   SELinux Context Strategy:   RunAsAny
>>     User:                     <none>
>>     Role:                     <none>
>>     Type:                     <none>
>>     Level:                    <none>
>>   FSGroup Strategy:           RunAsAny
>>     Ranges:                   <none>
>>   Supplemental Groups Strategy: RunAsAny
>>     Ranges:                   <none>
>>
>> ReplicationController =>
>> [root@localhost kubes]# kubectl get rc
>> NAME                 DESIRED   CURRENT   READY   AGE
>> avi-egress-1         1         0         0       15h
>> docker-registry-1    0         0         0       15h
>> registry-console-1   1         1         1       15h
>> router-1             0         0         0       15h
>> [root@localhost kubes]# kubectl describe rc avi-egress-1
>> Name:         avi-egress-1
>> Namespace:    default
>> Image(s):     avinetworks/avi-egress-router
>> Selector:     name=avi-egress-1
>> Labels:       name=avi-egress-1
>> Replicas:     0 current / 1 desired
>> Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
>> Volumes:
>>   run:
>>     Type: HostPath (bare host directory volume)
>>     Path: /var/run
>>   ns1:
>>     Type: HostPath (bare host directory volume)
>>     Path: /proc/1/ns/net
>> Events:
>>   FirstSeen  LastSeen  Count  From                      SubobjectPath  Type     Reason        Message
>>   ---------  --------  -----  ----                      -------------  -------- ------        -------
>>   15h        5m        164    {replication-controller }                Warning  FailedCreate  Error creating: pods
>>     "avi-egress-1-" is forbidden: unable to validate against any security
>>     context constraint: [spec.containers[0].securityContext.privileged: Invalid
>>     value: true: Privileged containers are not allowed
>>     spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath":
>>     hostPath volumes are not allowed to be used
>>     spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
>>     hostPath volumes are not allowed to be used]
>>
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>
>>
>
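The serviceAccountName point Paul makes above, as an added example that is not part of this thread and not OpenShift's own admission code: a small Python model of how an SCC is chosen for a pod. It assumes a stand-in `restricted` SCC that is granted to every authenticated user and forbids privileged containers and hostPath volumes; `avi-scc` and the egress pod template are constructed from the output Adi posted.

```python
from dataclasses import dataclass

@dataclass
class SCC:
    name: str
    grants: set                 # users or groups the SCC is granted to
    allow_privileged: bool
    allowed_volume_types: set   # {"*"} means every volume type is allowed

# Constructed SCCs: the thread's avi-scc plus a stand-in for the default
# "restricted" SCC (assumption: granted to all authenticated users, no
# privileged containers, no hostPath volumes).
SCCS = [
    SCC("restricted", {"system:authenticated"}, False,
        {"configMap", "emptyDir", "secret", "persistentVolumeClaim"}),
    SCC("avi-scc", {"system:serviceaccount:default:avi"}, True, {"*"}),
]

def pod_identity(namespace, pod_spec):
    """SA user the pod runs as (unset serviceAccountName = 'default') plus the authenticated group."""
    sa = pod_spec.get("serviceAccountName", "default")
    return {f"system:serviceaccount:{namespace}:{sa}", "system:authenticated"}

def validate_against(scc, pod_spec):
    """Errors this SCC would report for the pod spec; an empty list means admitted."""
    errors = []
    for i, c in enumerate(pod_spec.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not scc.allow_privileged:
            errors.append(f"spec.containers[{i}].securityContext.privileged: "
                          "Privileged containers are not allowed")
    for i, v in enumerate(pod_spec.get("volumes", [])):
        vtype = next(k for k in v if k != "name")          # e.g. "hostPath"
        if "*" not in scc.allowed_volume_types and vtype not in scc.allowed_volume_types:
            errors.append(f"spec.volumes[{i}]: {vtype} volumes are not allowed to be used")
    return errors

def admit(namespace, pod_spec, sccs=SCCS):
    """First SCC granted to the pod's identity that validates it, else None (the
    'unable to validate against any security context constraint' failure)."""
    identity = pod_identity(namespace, pod_spec)
    for scc in sccs:
        if scc.grants & identity and not validate_against(scc, pod_spec):
            return scc.name
    return None

# Constructed pod template modelled on the thread's avi-egress-1 RC.
EGRESS_TEMPLATE = {
    "containers": [{"name": "egress", "image": "avinetworks/avi-egress-router",
                    "securityContext": {"privileged": True}}],
    "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}},
                {"name": "ns1", "hostPath": {"path": "/proc/1/ns/net"}}],
}
```

With the template as posted, `admit("default", EGRESS_TEMPLATE)` returns `None`, reproducing the RC's FailedCreate event; adding `"serviceAccountName": "avi"` to the same template makes `avi-scc` admit it, and because the grant is namespace-scoped the same template in another namespace is rejected again.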
