On Wed, Apr 12, 2017 at 8:34 PM, Aditya Somasundara <[email protected]> wrote:

> Hi Paul,
> I have the following need:
>
> 1) Use one time configuration (either create a "user" or a "serviceaccount") to create the following:
> - ReplicationController with a PodTemplate that requires privileged and hostPath mounts enabled.
>
> Currently I have to create a serviceaccount per namespace/project for this to work which is very hard to keep track of and not desired.
> By using a user account and adding this user to scc "privileged", the error posted earlier (see below) still shows up.
>
> Can you pls let me know what I am missing here?

Hi Adi. This is because by creating an RC you are asking the system to create the pod on your behalf. The RC is submitted by the user account but the pod itself is submitted by the system and the "user" is actually the RC controller. This is why you need to provide the service account that the pod will run as. During admission the SCC plugin checks SCC access for both the user (in this case the unprivileged RC controller) and the SA (who you've granted privileged access to). This is applicable to all resources that are created on behalf of a user by a system controller. I hope that clears up why the SA is necessary in this case.

> Thanks,
> - Adi.
>
> On Wed, Apr 12, 2017 at 10:48 AM, Aditya Somasundara <[email protected]> wrote:
>
>> Thanks Paul! It works now as expected.
>>
>> On Wed, Apr 12, 2017 at 10:16 AM, Paul Weil <[email protected]> wrote:
>>
>>> Hi Aditya. If you can create the pod directly when logged in as that service account it sounds like the grant is good to go. Did you specify the avi service account on the podSpec.serviceAccountName? If not then it is running with the default service account still and doesn't have access to the new SCC. Please try updating the pod template in the RC.
>>>
>>> On Wed, Apr 12, 2017 at 1:09 PM, Aditya Somasundara <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I have created a security context constraint for a service account as listed below with permissions to create privileged containers and mount hostPaths. By logging into this service account I am not able to create a ReplicationController with a privileged Pod template, however I am able to create privileged Pods. I am not sure what's missing in this config.
>>>>
>>>> Thanks,
>>>> - Adi.
>>>>
>>>> clusterrole =>
>>>> [root@localhost kubes]# oc describe clusterrole avirole
>>>> Name:        avirole
>>>> Namespace:   <none>
>>>> Created:     15 hours ago
>>>> Labels:      <none>
>>>> Annotations: <none>
>>>> Verbs             Non-Resource URLs  Extension  Resource Names  API Groups  Resources
>>>> [get list watch]  []                            []              []          [*]
>>>> [patch update]    []                            []              []          [routes/status]
>>>> [*]               []                            []              []          [pods replicationcontrollers services]
>>>>
>>>> SecurityContextConstraint =>
>>>> [root@localhost kubes]# oc describe scc avi-scc
>>>> Name:                         avi-scc
>>>> Priority:                     <none>
>>>> Access:
>>>>   Users:                      system:serviceaccount:default:avi
>>>>   Groups:                     <none>
>>>> Settings:
>>>>   Allow Privileged:           true
>>>>   Default Add Capabilities:   <none>
>>>>   Required Drop Capabilities: <none>
>>>>   Allowed Capabilities:       <none>
>>>>   Allowed Volume Types:       *
>>>>   Allow Host Network:         true
>>>>   Allow Host Ports:           true
>>>>   Allow Host PID:             false
>>>>   Allow Host IPC:             false
>>>>   Read Only Root Filesystem:  false
>>>>   Run As User Strategy:       RunAsAny
>>>>     UID:                      <none>
>>>>     UID Range Min:            <none>
>>>>     UID Range Max:            <none>
>>>>   SELinux Context Strategy:   RunAsAny
>>>>     User:                     <none>
>>>>     Role:                     <none>
>>>>     Type:                     <none>
>>>>     Level:                    <none>
>>>>   FSGroup Strategy:           RunAsAny
>>>>     Ranges:                   <none>
>>>>   Supplemental Groups Strategy: RunAsAny
>>>>     Ranges:                   <none>
>>>>
>>>> ReplicationController =>
>>>> [root@localhost kubes]# kubectl get rc
>>>> NAME                 DESIRED   CURRENT   READY   AGE
>>>> avi-egress-1         1         0         0       15h
>>>> docker-registry-1    0         0         0       15h
>>>> registry-console-1   1         1         1       15h
>>>> router-1             0         0         0       15h
>>>> [root@localhost kubes]# kubectl describe rc avi-egress-1
>>>> Name:         avi-egress-1
>>>> Namespace:    default
>>>> Image(s):     avinetworks/avi-egress-router
>>>> Selector:     name=avi-egress-1
>>>> Labels:       name=avi-egress-1
>>>> Replicas:     0 current / 1 desired
>>>> Pods Status:  0 Running / 0 Waiting / 0 Succeeded / 0 Failed
>>>> Volumes:
>>>>   run:
>>>>     Type:     HostPath (bare host directory volume)
>>>>     Path:     /var/run
>>>>   ns1:
>>>>     Type:     HostPath (bare host directory volume)
>>>>     Path:     /proc/1/ns/net
>>>> Events:
>>>>   FirstSeen  LastSeen  Count  From                       SubobjectPath  Type     Reason        Message
>>>>   ---------  --------  -----  ----                       -------------  -------- ------        -------
>>>>   15h        5m        164    {replication-controller }                 Warning  FailedCreate  Error creating: pods "avi-egress-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
>>>>
>>>> _______________________________________________
>>>> dev mailing list
>>>> [email protected]
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
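Added example, not part of the thread or of OpenShift's own code: a small Python model of the admission rule Paul describes, where the SCC plugin unions the SCCs granted to the requesting identity and the SCCs granted to the pod's service account, then validates the pod against each. The SCC contents, pod spec and identities are constructed to mirror the thread; the replication-controller identity name is an assumption, and only the privileged and volume-type checks are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SCC:
    name: str
    users: set
    allow_privileged: bool = False
    allowed_volumes: set = field(default_factory=set)  # "*" means any volume type

def sa_identity(namespace, sa_name):
    return f"system:serviceaccount:{namespace}:{sa_name}"

def candidate_sccs(sccs, requester, pod_sa):
    # Admission considers SCCs granted to the requesting identity OR to the pod's
    # service account. For a pod created by an RC the requester is the controller.
    return [s for s in sccs if requester in s.users or pod_sa in s.users]

def violations(pod, scc):
    # Validate only the two settings at issue in the thread: privileged and volume types.
    errs = []
    for i, c in enumerate(pod["containers"]):
        if c.get("privileged") and not scc.allow_privileged:
            errs.append(f"spec.containers[{i}].securityContext.privileged: "
                        "Invalid value: true: Privileged containers are not allowed")
    for i, v in enumerate(pod.get("volumes", [])):
        if "*" not in scc.allowed_volumes and v not in scc.allowed_volumes:
            errs.append(f'spec.volumes[{i}]: Invalid value: "{v}": '
                        f"{v} volumes are not allowed to be used")
    return errs

def admit(pod, sccs, requester):
    """(True, scc_name) if some candidate SCC validates the pod, else (False, reason)."""
    pod_sa = sa_identity(pod["namespace"], pod.get("serviceAccountName", "default"))
    reasons = []
    for scc in candidate_sccs(sccs, requester, pod_sa):
        errs = violations(pod, scc)
        if not errs:
            return True, scc.name
        reasons.extend(errs)
    return False, ("forbidden: unable to validate against any security context "
                   "constraint: " + "; ".join(reasons))

# Constructed cluster state: everyone is in "restricted"; only the avi SA and user "adi" are in avi-scc.
RC_CONTROLLER = "system:serviceaccount:openshift-infra:replication-controller"  # assumed name
SCCS = [
    SCC("restricted", {RC_CONTROLLER, "adi", sa_identity("default", "default")}),
    SCC("avi-scc", {sa_identity("default", "avi"), "adi"}, True, {"*"}),
]
PRIV_POD = {"namespace": "default", "containers": [{"privileged": True}],
            "volumes": ["hostPath", "hostPath"]}
```

Run with `admit(PRIV_POD, SCCS, "adi")` to see the direct-pod case pass, and with `RC_CONTROLLER` as requester to see the RC case fail until `serviceAccountName: avi` is added to the pod spec.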
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
