Hi: I think you have some misunderstanding with OpenShift.

Actually you create a daemonset with a specific serviceaccount you created which is granted the SCC privileged, right? But the SCC is trying to verify the creator account (you can see this with audit enabled), and it should be daemonset-controller or something like this, not the given serviceaccount. So you grant the new-relic account, but the creator is daemonset-controller (just putting it here, maybe this is also not the right serviceaccount to create the target pod), so you got this issue. And back to your scenario, I have no better suggestion if you insist on using a daemonset to create the pod. You can pick up the pod template from the daemonset to just create the pod directly and grant the SCC to your user (`oc whoami`), but you will lose the daemonset features.

Regards!

On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <[email protected]> wrote:

> There is this daemonset which needs host access. I've created a namespace,
> added `privileged` scc to a new serviceaccount and set pod to run with that
> SA.
>
> The problem is openshift is not applying the privileged SCC to my
> serviceAccount.
>
> *$ oc get ev*
> LASTSEEN   FIRSTSEEN   COUNT   NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
> 17s        17s         25      newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods "newrelic-agent-" is forbidden: unable to validate against any security context constraint: [
>     provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
>     provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used
>     provider restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
>     provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used
>     provider restricted: .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used]
>
> This is my config:
>
> *$ oc version*
> oc v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
> features: Basic-Auth GSSAPI Kerberos SPNEGO
>
> Server https://[REDACTED]
> openshift v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
>
> *$ oc whoami*
> system:admin
>
> *$ oc get ds -o yaml -n new-relic*
> apiVersion: v1
> items:
> - apiVersion: extensions/v1beta1
>   kind: DaemonSet
>   metadata:
>     creationTimestamp: 2017-12-18T18:20:42Z
>     generation: 1
>     labels:
>       app: newrelic-agent
>       tier: monitoring
>       version: v1
>     name: newrelic-agent
>     namespace: new-relic
>     resourceVersion: "9280118"
>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>   spec:
>     selector:
>       matchLabels:
>         name: newrelic
>     template:
>       metadata:
>         creationTimestamp: null
>         labels:
>           name: newrelic
>       spec:
>         containers:
>         - command:
>           - bash
>           - -c
>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>           env:
>           - name: NRSYSMOND_logfile
>             value: /var/log/nrsysmond.log
>           image: newrelic/nrsysmond
>           imagePullPolicy: Always
>           name: newrelic
>           resources:
>             requests:
>               cpu: 150m
>           securityContext:
>             privileged: true
>           terminationMessagePath: /dev/termination-log
>           terminationMessagePolicy: File
>           volumeMounts:
>           - mountPath: /etc/kube-newrelic
>             name: newrelic-config
>             readOnly: true
>           - mountPath: /dev
>             name: dev
>           - mountPath: /var/run/docker.sock
>             name: run
>           - mountPath: /sys
>             name: sys
>           - mountPath: /var/log
>             name: log
>         dnsPolicy: ClusterFirst
>         hostIPC: true
>         hostNetwork: true
>         hostPID: true
>         restartPolicy: Always
>         schedulerName: default-scheduler
>         securityContext: {}
>         serviceAccount: new-relic
>         serviceAccountName: new-relic
>         terminationGracePeriodSeconds: 30
>         volumes:
>         - name: newrelic-config
>           secret:
>             defaultMode: 420
>             secretName: newrelic-config
>         - hostPath:
>             path: /dev
>           name: dev
>         - hostPath:
>             path: /var/run/docker.sock
>           name: run
>         - hostPath:
>             path: /sys
>           name: sys
>         - hostPath:
>             path: /var/log
>           name: log
>     templateGeneration: 1
>     updateStrategy:
>       type: OnDelete
>   status:
>     currentNumberScheduled: 0
>     desiredNumberScheduled: 0
>     numberMisscheduled: 0
>     numberReady: 0
> kind: List
> metadata: {}
> resourceVersion: ""
> selfLink: ""
>
> *$ oc get scc*
> ...[cut]
> - allowHostDirVolumePlugin: true
>   allowHostIPC: true
>   allowHostNetwork: true
>   allowHostPID: true
>   allowHostPorts: true
>   allowPrivilegedContainer: true
>   allowedCapabilities:
>   - '*'
>   apiVersion: v1
>   defaultAddCapabilities: []
>   fsGroup:
>     type: RunAsAny
>   groups:
>   - system:cluster-admins
>   - system:nodes
>   kind: SecurityContextConstraints
>   metadata:
>     annotations:
>       kubernetes.io/description: 'privileged allows access to all privileged and host
>         features and the ability to run as any user, any group, any fsGroup, and with
>         any SELinux context. WARNING: this is the most relaxed SCC and should be
>         used only for cluster administration. Grant with caution.'
>     creationTimestamp: 2017-10-05T19:28:00Z
>     name: privileged
>     namespace: ""
>     resourceVersion: "9278361"
>     selfLink: /api/v1/securitycontextconstraints/privileged
>     uid: 4cd4dab7-aa03-11e7-afc6-000af7b3f4a4
>   priority: null
>   readOnlyRootFilesystem: false
>   requiredDropCapabilities: []
>   runAsUser:
>     type: RunAsAny
>   seLinuxContext:
>     type: RunAsAny
>   seccompProfiles:
>   - '*'
>   supplementalGroups:
>     type: RunAsAny
>   users:
>   - system:serviceaccount:openshift-infra:build-controller
>   - system:serviceaccount:management-infra:management-admin
>   - system:serviceaccount:management-infra:inspector-admin
>   - system:serviceaccount:default:registry
>   - system:serviceaccount:aws-logging-fluentd:aws-logging-fluentd
>   - system:serviceaccount:logging-test-deploy:aws-logging-fluentd
>   - system:serviceaccount:default:logging-newrelic
>   - system:serviceaccount:default:default
>   *- system:serviceaccount:new-relic:default
>   - system:serviceaccount:new-relic:new-relic*
>   volumes:
>   - '*'
>
> --
> Mateus Caruccio / Master of Puppets
> GetupCloud.com
> We make the infrastructure invisible
> Gartner Cool Vendor 2017
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
_______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
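Added illustration of the admission check behind the `FailedCreate` message quoted in the thread (example code; not from the thread, from OpenShift, or from New Relic). SCC admission collects the SCCs the request's subjects are allowed to use, validates the pod template against each one field by field, and admits the pod with the first SCC that raises no violation; when only `restricted` is usable, every host feature the newrelic-agent template asks for becomes one `provider restricted:` error. The pod template and the `privileged` SCC below are reduced from the YAML quoted above; the values of the `restricted` SCC, the group membership of service accounts, and the alphabetical tie-break between SCCs are assumptions (the real plugin orders by priority and restrictiveness). Which subjects the real plugin evaluates is exactly what the reply discusses, so `admit()` takes the subject set as a parameter: pass the service account's identity or the controller's and compare the outcomes.

```python
"""Toy SCC admission check (constructed example, not OpenShift's own code)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the newrelic-agent DaemonSet pod template quoted in the thread.
POD_TEMPLATE = {
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "hostIPC": True,
        "serviceAccountName": "new-relic",
        "containers": [{"name": "newrelic", "securityContext": {"privileged": True}}],
        "volumes": [
            {"name": "newrelic-config", "secret": {"secretName": "newrelic-config"}},
            {"name": "dev", "hostPath": {"path": "/dev"}},
            {"name": "run", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "sys", "hostPath": {"path": "/sys"}},
            {"name": "log", "hostPath": {"path": "/var/log"}},
        ],
    }
}

# Constructed SCCs: "privileged" copies the fields shown in the thread;
# "restricted" uses the defaults of OpenShift's restricted SCC (assumption, not quoted).
SCCS = {
    "privileged": {
        "allowHostNetwork": True, "allowHostPID": True, "allowHostIPC": True,
        "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
        "volumes": ["*"],
        "users": ["system:serviceaccount:new-relic:default",
                  "system:serviceaccount:new-relic:new-relic"],
        "groups": ["system:cluster-admins", "system:nodes"],
    },
    "restricted": {
        "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
        "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
        "volumes": ["configMap", "downwardAPI", "emptyDir",
                    "persistentVolumeClaim", "projected", "secret"],
        "users": [],
        "groups": ["system:authenticated"],
    },
}

HOST_FIELDS = (
    ("hostNetwork", "allowHostNetwork", "Host network is not allowed to be used"),
    ("hostPID", "allowHostPID", "Host PID is not allowed to be used"),
    ("hostIPC", "allowHostIPC", "Host IPC is not allowed to be used"),
)


def volume_source(volume: dict) -> str:
    """The volume source key (hostPath, secret, ...): every key except 'name'."""
    sources = [k for k in volume if k != "name"]
    return sources[0] if sources else "unknown"


def validate(pod: dict, scc: dict) -> List[str]:
    """Return one violation string per pod field the SCC forbids (empty = fits)."""
    spec = pod["spec"]
    errors: List[str] = []
    for field, allow_key, msg in HOST_FIELDS:
        if spec.get(field) and not scc[allow_key]:
            errors.append(f".spec.securityContext.{field}: Invalid value: true: {msg}")
    for i, container in enumerate(spec.get("containers", [])):
        if container.get("securityContext", {}).get("privileged") and not scc["allowPrivilegedContainer"]:
            errors.append(f".spec.containers[{i}].securityContext.privileged: "
                          "Invalid value: true: Privileged containers are not allowed")
    allowed = set(scc["volumes"])
    for i, volume in enumerate(spec.get("volumes", [])):
        src = volume_source(volume)
        if "*" in allowed or src in allowed:
            continue
        errors.append(f'.spec.volumes[{i}]: Invalid value: "{src}": '
                      f"{src} volumes are not allowed to be used")
    return errors


def service_account_subjects(namespace: str, name: str) -> Tuple[Set[str], Set[str]]:
    """User name and groups of a service account (group list is an assumption)."""
    users = {f"system:serviceaccount:{namespace}:{name}"}
    groups = {"system:authenticated", "system:serviceaccounts",
              f"system:serviceaccounts:{namespace}"}
    return users, groups


def usable_sccs(sccs: Dict[str, dict], users: Set[str], groups: Set[str]) -> List[str]:
    """SCCs granted to any of the subjects; alphabetical order is a simplification."""
    return sorted(name for name, scc in sccs.items()
                  if users & set(scc["users"]) or groups & set(scc["groups"]))


def admit(pod: dict, users: Set[str], groups: Set[str],
          sccs: Dict[str, dict]) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Name of the admitting SCC (or None) plus the violations of each SCC that failed."""
    failures: Dict[str, List[str]] = {}
    for name in usable_sccs(sccs, users, groups):
        errors = validate(pod, sccs[name])
        if not errors:
            return name, failures
        failures[name] = errors
    return None, failures


if __name__ == "__main__":
    # The pod's own service account is in privileged's user list: admitted.
    print(admit(POD_TEMPLATE, *service_account_subjects("new-relic", "new-relic"))[0])
    # A subject that only holds restricted: every host feature is reported.
    name, failures = admit(POD_TEMPLATE, *service_account_subjects("kube-system", "daemon-set-controller"), SCCS) if False else admit(POD_TEMPLATE, *service_account_subjects("kube-system", "daemon-set-controller"), sccs=SCCS)
    print(name, "\n".join(failures.get("restricted", [])), sep="\n")
```

The second `admit()` call in `__main__` uses a constructed service account name for the controller only to show the shape of the failure: with nothing but `restricted` usable, the template's three host namespaces, the privileged container and the four `hostPath` volumes each produce a violation, the same fields that appear in the quoted event. Running `validate()` against each SCC separately is a quick way to see which single field a policy rejects before changing either the workload or the grant.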
