There is this daemonset which needs host access. I've created a namespace,
added the `privileged` SCC to a new serviceaccount and set the pod to run with
that SA.

The problem is OpenShift is not applying the privileged SCC to my
serviceAccount.

$ oc get ev
LASTSEEN   FIRSTSEEN   COUNT     NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
17s        17s         25        newrelic-agent   DaemonSet
Warning   FailedCreate   daemon-set   Error creating: pods
"newrelic-agent-" is forbidden: unable to validate against any security
context constraint: [provider restricted:
.spec.securityContext.hostNetwork: Invalid value: true: Host network is not
allowed to be used provider restricted: .spec.securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used provider
restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
not allowed to be used provider restricted:
.spec.containers[0].securityContext.privileged: Invalid value: true:
Privileged containers are not allowed provider restricted:
.spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
network is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
is not allowed to be used]


This is my config:


$ oc version
oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://[REDACTED]
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7


$ oc whoami
system:admin


$ oc get ds -o yaml -n new-relic
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    creationTimestamp: 2017-12-18T18:20:42Z
    generation: 1
    labels:
      app: newrelic-agent
      tier: monitoring
      version: v1
    name: newrelic-agent
    namespace: new-relic
    resourceVersion: "9280118"
    selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
    uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
  spec:
    selector:
      matchLabels:
        name: newrelic
    template:
      metadata:
        creationTimestamp: null
        labels:
          name: newrelic
      spec:
        containers:
        - command:
          - bash
          - -c
          - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
          env:
          - name: NRSYSMOND_logfile
            value: /var/log/nrsysmond.log
          image: newrelic/nrsysmond
          imagePullPolicy: Always
          name: newrelic
          resources:
            requests:
              cpu: 150m
          securityContext:
            privileged: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /etc/kube-newrelic
            name: newrelic-config
            readOnly: true
          - mountPath: /dev
            name: dev
          - mountPath: /var/run/docker.sock
            name: run
          - mountPath: /sys
            name: sys
          - mountPath: /var/log
            name: log
        dnsPolicy: ClusterFirst
        hostIPC: true
        hostNetwork: true
        hostPID: true
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        serviceAccount: new-relic
        serviceAccountName: new-relic
        terminationGracePeriodSeconds: 30
        volumes:
        - name: newrelic-config
          secret:
            defaultMode: 420
            secretName: newrelic-config
        - hostPath:
            path: /dev
          name: dev
        - hostPath:
            path: /var/run/docker.sock
          name: run
        - hostPath:
            path: /sys
          name: sys
        - hostPath:
            path: /var/log
          name: log
    templateGeneration: 1
    updateStrategy:
      type: OnDelete
  status:
    currentNumberScheduled: 0
    desiredNumberScheduled: 0
    numberMisscheduled: 0
    numberReady: 0
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""


$ oc get scc
...[cut]
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegedContainer: true
  allowedCapabilities:
  - '*'
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: RunAsAny
  groups:
  - system:cluster-admins
  - system:nodes
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'privileged allows access to all privileged and host
        features and the ability to run as any user, any group, any fsGroup, and with
        any SELinux context.  WARNING: this is the most relaxed SCC and should be
        used only for cluster administration. Grant with caution.'
    creationTimestamp: 2017-10-05T19:28:00Z
    name: privileged
    namespace: ""
    resourceVersion: "9278361"
    selfLink: /api/v1/securitycontextconstraints/privileged
    uid: 4cd4dab7-aa03-11e7-afc6-000af7b3f4a4
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities: []
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  seccompProfiles:
  - '*'
  supplementalGroups:
    type: RunAsAny
  users:
  - system:serviceaccount:openshift-infra:build-controller
  - system:serviceaccount:management-infra:management-admin
  - system:serviceaccount:management-infra:inspector-admin
  - system:serviceaccount:default:registry
  - system:serviceaccount:aws-logging-fluentd:aws-logging-fluentd
  - system:serviceaccount:logging-test-deploy:aws-logging-fluentd
  - system:serviceaccount:default:logging-newrelic
  - system:serviceaccount:default:default

  - system:serviceaccount:new-relic:default
  - system:serviceaccount:new-relic:new-relic
  volumes:
  - '*'

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017
_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
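An added example, not part of the original post or of OpenShift's own code: a simplified Python model of how SCC admission evaluates this pod. It assumes candidate SCCs are chosen by matching the requesting subject against each SCC's `users` and `groups`, and that every candidate's violations are reported together when none admits the pod (priority ordering, the creating user and non-host fields such as runAsUser are left out). The error in the post names only `provider restricted`, so restricted was the only candidate the pod was checked against.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two SCCs involved, reduced to the fields this pod exercises.
SCCS: Dict[str, dict] = {
    "restricted": {"users": [], "groups": ["system:authenticated"],
                   "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
                   "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False},
    "privileged": {"users": ["system:serviceaccount:new-relic:new-relic"],
                   "groups": ["system:cluster-admins", "system:nodes"],
                   "allowHostNetwork": True, "allowHostPID": True, "allowHostIPC": True,
                   "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True},
}

# The newrelic-agent pod template from the post, reduced to its security-relevant requests.
NEWRELIC_POD = {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{"privileged": True}],
    "volumes": ["secret", "hostPath", "hostPath", "hostPath", "hostPath"],
}

def matching_sccs(subject: str, groups: List[str], sccs: Dict[str, dict] = SCCS) -> List[str]:
    """Candidate SCCs: those naming the subject in `users` or one of its groups in `groups`."""
    return [name for name, scc in sccs.items()
            if subject in scc["users"] or any(g in scc["groups"] for g in groups)]

def validate(pod: dict, scc: dict, name: str) -> List[str]:
    """Check each host-access request against one SCC, phrased like the admission error."""
    errs = []
    for field, allow in (("hostNetwork", "allowHostNetwork"), ("hostPID", "allowHostPID"), ("hostIPC", "allowHostIPC")):
        if pod.get(field) and not scc[allow]:
            errs.append(f"provider {name}: .spec.securityContext.{field}: Invalid value: true")
    for i, c in enumerate(pod["containers"]):
        if c.get("privileged") and not scc["allowPrivilegedContainer"]:
            errs.append(f"provider {name}: .spec.containers[{i}].securityContext.privileged: Invalid value: true")
    for i, vol in enumerate(pod["volumes"]):
        if vol == "hostPath" and not scc["allowHostDirVolumePlugin"]:
            errs.append(f'provider {name}: .spec.volumes[{i}]: Invalid value: "hostPath"')
    return errs

def admit(pod: dict, subject: str, groups: List[str],
          sccs: Dict[str, dict] = SCCS) -> Tuple[Optional[str], List[str]]:
    """First candidate SCC that validates the pod admits it; otherwise all candidates' errors are returned."""
    all_errs: List[str] = []
    for name in matching_sccs(subject, groups, sccs):
        errs = validate(pod, sccs[name], name)
        if not errs:
            return name, []
        all_errs.extend(errs)
    return None, all_errs
```

Run `admit(NEWRELIC_POD, "system:serviceaccount:new-relic:default", ["system:authenticated"])` to reproduce the eight `provider restricted` violations from the post; with the SA that the privileged SCC lists, the same pod is admitted.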