Hi Paul,
I have the following need:
1) Use a one-time configuration (either create a "user" or a
"serviceaccount") to create the following:
- ReplicationController with a PodTemplate that requires privileged
and hostPath mounts enabled.
Currently I have to create a serviceaccount per namespace/project for this
to work which is very hard to keep track of and not desired.
By using a user account and adding this user to scc "privileged", the error
posted earlier (see below) still shows up.
Can you please let me know what I am missing here?
Thanks,
- Adi.
On Wed, Apr 12, 2017 at 10:48 AM, Aditya Somasundara <
[email protected]> wrote:
> Thanks Paul! It works now as expected.
>
> On Wed, Apr 12, 2017 at 10:16 AM, Paul Weil <[email protected]> wrote:
>
>> Hi Aditya. If you can create the pod directly when logged in as that
>> service account it sounds like the grant is good to go. Did you specify
>> the avi service account on the podSpec.serviceAccountName? If not then it
>> is running with the default service account still and doesn't have access
>> to the new SCC. Please try updating the pod template in the RC.
>>
>> On Wed, Apr 12, 2017 at 1:09 PM, Aditya Somasundara <
>> [email protected]> wrote:
>>
>>> Hi,
>>> I have created a security context constraint for a service account as
>>> listed below with permissions to create privileged containers and mount
>>> hostPaths. By logging into this service account I am not able to create a
>>> ReplicationController with a privileged Pod template, however I am able to
>>> create privileged Pods. I am not sure what's missing in this config.
>>>
>>> Thanks,
>>> - Adi.
>>>
>>> clusterrole =>
>>> [root@localhost kubes]# oc describe clusterrole avirole
>>> Name:        avirole
>>> Namespace:   <none>
>>> Created:     15 hours ago
>>> Labels:      <none>
>>> Annotations: <none>
>>> Verbs             Non-Resource URLs  Extension  Resource Names  API Groups  Resources
>>> [get list watch]  []                            []              []          [*]
>>> [patch update]    []                            []              []          [routes/status]
>>> [*]               []                            []              []          [pods replicationcontrollers services]
>>>
>>> SecurityContextConstraint =>
>>> [root@localhost kubes]# oc describe scc avi-scc
>>> Name:      avi-scc
>>> Priority:  <none>
>>> Access:
>>>   Users:   system:serviceaccount:default:avi
>>>   Groups:  <none>
>>> Settings:
>>>   Allow Privileged:              true
>>>   Default Add Capabilities:      <none>
>>>   Required Drop Capabilities:    <none>
>>>   Allowed Capabilities:          <none>
>>>   Allowed Volume Types:          *
>>>   Allow Host Network:            true
>>>   Allow Host Ports:              true
>>>   Allow Host PID:                false
>>>   Allow Host IPC:                false
>>>   Read Only Root Filesystem:     false
>>>   Run As User Strategy:          RunAsAny
>>>     UID:                         <none>
>>>     UID Range Min:               <none>
>>>     UID Range Max:               <none>
>>>   SELinux Context Strategy:      RunAsAny
>>>     User:                        <none>
>>>     Role:                        <none>
>>>     Type:                        <none>
>>>     Level:                       <none>
>>>   FSGroup Strategy:              RunAsAny
>>>     Ranges:                      <none>
>>>   Supplemental Groups Strategy:  RunAsAny
>>>     Ranges:                      <none>
>>>
>>> ReplicationController =>
>>> [root@localhost kubes]# kubectl get rc
>>> NAME                DESIRED   CURRENT   READY   AGE
>>> avi-egress-1        1         0         0       15h
>>> docker-registry-1   0         0         0       15h
>>> registry-console-1  1         1         1       15h
>>> router-1            0         0         0       15h
>>> [root@localhost kubes]# kubectl describe rc avi-egress-1
>>> Name:         avi-egress-1
>>> Namespace:    default
>>> Image(s):     avinetworks/avi-egress-router
>>> Selector:     name=avi-egress-1
>>> Labels:       name=avi-egress-1
>>> Replicas:     0 current / 1 desired
>>> Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
>>> Volumes:
>>>   run:
>>>     Type:  HostPath (bare host directory volume)
>>>     Path:  /var/run
>>>   ns1:
>>>     Type:  HostPath (bare host directory volume)
>>>     Path:  /proc/1/ns/net
>>> Events:
>>>   FirstSeen  LastSeen  Count  From                       SubobjectPath  Type     Reason        Message
>>>   ---------  --------  -----  ----                       -------------  ----     ------        -------
>>>   15h        5m        164    {replication-controller }                 Warning  FailedCreate  Error creating: pods "avi-egress-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
>>>
>>> _______________________________________________
>>> dev mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
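The fix Paul describes in the quoted reply, written out as a manifest. This is an added example, not a file from the thread or from Avi Networks: the pod template names the service account that holds the avi-scc grant, so pods the replication controller creates are admitted under that SCC instead of the namespace's "default" service account. The container name and the in-container mount paths are assumptions; the image, volume host paths and SCC name come from the thread.

```yaml
# One-time grant of the SCC to the service account (not to the user who
# creates the RC), scoped to the one SA that needs host access:
#   oc adm policy add-scc-to-user avi-scc -z avi -n default
apiVersion: v1
kind: ReplicationController
metadata:
  name: avi-egress-1
  namespace: default
spec:
  replicas: 1
  selector:
    name: avi-egress-1
  template:
    metadata:
      labels:
        name: avi-egress-1
    spec:
      # Without this line the pod runs as "default", which is not listed
      # under avi-scc "Users:", and SCC admission rejects privileged +
      # hostPath exactly as in the FailedCreate events above.
      serviceAccountName: avi
      containers:
      - name: egress-router            # assumed container name
        image: avinetworks/avi-egress-router
        securityContext:
          privileged: true             # permitted by "Allow Privileged: true"
        volumeMounts:
        - name: run
          mountPath: /var/run          # assumed mount path
        - name: ns1
          mountPath: /host/ns/net      # assumed mount path
      volumes:
      - name: run
        hostPath:
          path: /var/run               # permitted by "Allowed Volume Types: *"
      - name: ns1
        hostPath:
          path: /proc/1/ns/net
```

The grant is per service account, so a second namespace needs its own SA and its own `add-scc-to-user`; check the effective binding with `oc describe scc avi-scc` and confirm `Users:` lists `system:serviceaccount:<namespace>:avi`.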