Makes sense. Thanks for your clarification ;)

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-12-19 4:48 GMT-02:00 Weiwei Jiang <wji...@redhat.com>:

> Hi:
>
> I think you have some misunderstanding about OpenShift.
>
> Actually you create a daemonset with a specific serviceaccount you created
> which is granted the SCC privileged, right?
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), which should be daemonset-controller or something like this,
> not the given serviceaccount.
> So you grant the new-relic account, but the creator is
> daemonset-controller (just put it here, maybe this is also not the right
> serviceaccount to create the target pod), so you got this issue.
>
> And back to your scenario, I have no better suggestion if you insist on
> using a daemonset to create the pod.
>
> You can pick up the pod template from the daemonset to just create the pod
> directly and grant the scc to your user (`oc whoami`), but you will lose the
> daemonset features.
>
>
> Regards!
>
> On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <
> mateus.caruc...@getupcloud.com> wrote:
>
>> There is this daemonset which needs host access. I've created a
>> namespace, added `privileged` scc to a new serviceaccount and set pod to
>> run with that SA.
>>
>> The problem is OpenShift is not applying the privileged SCC to my
>> serviceAccount.
>>
>> *$ oc get ev*
>> LASTSEEN   FIRSTSEEN   COUNT     NAME             KIND        SUBOBJECT
>> TYPE      REASON         SOURCE       MESSAGE
>> 17s        17s         25        newrelic-agent   DaemonSet
>> Warning   FailedCreate   daemon-set   Error creating: pods
>> "newrelic-agent-" is forbidden: unable to validate against any security
>> context constraint: [provider restricted: .spec.securityContext.hostNetwork:
>> Invalid value: true: Host network is not allowed to be used provider
>> restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is
>> not allowed to be used provider restricted: .spec.securityContext.hostIPC:
>> Invalid value: true: Host IPC is not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.privileged: Invalid
>> value: true: Privileged containers are not allowed provider restricted:
>> .spec.containers[0].securityContext.volumes[1]: Invalid value:
>> "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[2]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[3]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[4]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.hostNetwork: Invalid
>> value: true: Host network is not allowed to be used provider restricted:
>> .spec.containers[0].securityContext.hostPID: Invalid value: true: Host
>> PID is not allowed to be used provider restricted: 
>> .spec.containers[0].securityContext.hostIPC:
>> Invalid value: true: Host IPC is not allowed to be used]
>>
>>
>> This is my config:
>>
>>
>> *$ oc version*
>> oc v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>
>> Server https://[REDACTED]
>> openshift v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>>
>>
>> *$ oc whoami*
>> system:admin
>>
>>
>> *$ oc get ds -o yaml -n new-relic*
>> apiVersion: v1
>> items:
>> - apiVersion: extensions/v1beta1
>>   kind: DaemonSet
>>   metadata:
>>     creationTimestamp: 2017-12-18T18:20:42Z
>>     generation: 1
>>     labels:
>>       app: newrelic-agent
>>       tier: monitoring
>>       version: v1
>>     name: newrelic-agent
>>     namespace: new-relic
>>     resourceVersion: "9280118"
>>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>>   spec:
>>     selector:
>>       matchLabels:
>>         name: newrelic
>>     template:
>>       metadata:
>>         creationTimestamp: null
>>         labels:
>>           name: newrelic
>>       spec:
>>         containers:
>>         - command:
>>           - bash
>>           - -c
>>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>>           env:
>>           - name: NRSYSMOND_logfile
>>             value: /var/log/nrsysmond.log
>>           image: newrelic/nrsysmond
>>           imagePullPolicy: Always
>>           name: newrelic
>>           resources:
>>             requests:
>>               cpu: 150m
>>           securityContext:
>>             privileged: true
>>           terminationMessagePath: /dev/termination-log
>>           terminationMessagePolicy: File
>>           volumeMounts:
>>           - mountPath: /etc/kube-newrelic
>>             name: newrelic-config
>>             readOnly: true
>>           - mountPath: /dev
>>             name: dev
>>           - mountPath: /var/run/docker.sock
>>             name: run
>>           - mountPath: /sys
>>             name: sys
>>           - mountPath: /var/log
>>             name: log
>>         dnsPolicy: ClusterFirst
>>         hostIPC: true
>>         hostNetwork: true
>>         hostPID: true
>>         restartPolicy: Always
>>         schedulerName: default-scheduler
>>         securityContext: {}
>>         serviceAccount: new-relic
>>         serviceAccountName: new-relic
>>         terminationGracePeriodSeconds: 30
>>         volumes:
>>         - name: newrelic-config
>>           secret:
>>             defaultMode: 420
>>             secretName: newrelic-config
>>         - hostPath:
>>             path: /dev
>>           name: dev
>>         - hostPath:
>>             path: /var/run/docker.sock
>>           name: run
>>         - hostPath:
>>             path: /sys
>>           name: sys
>>         - hostPath:
>>             path: /var/log
>>           name: log
>>     templateGeneration: 1
>>     updateStrategy:
>>       type: OnDelete
>>   status:
>>     currentNumberScheduled: 0
>>     desiredNumberScheduled: 0
>>     numberMisscheduled: 0
>>     numberReady: 0
>> kind: List
>> metadata: {}
>> resourceVersion: ""
>> selfLink: ""
>>
>>
>> *$ oc get scc*
>> ...[cut]
>> - allowHostDirVolumePlugin: true
>>   allowHostIPC: true
>>   allowHostNetwork: true
>>   allowHostPID: true
>>   allowHostPorts: true
>>   allowPrivilegedContainer: true
>>   allowedCapabilities:
>>   - '*'
>>   apiVersion: v1
>>   defaultAddCapabilities: []
>>   fsGroup:
>>     type: RunAsAny
>>   groups:
>>   - system:cluster-admins
>>   - system:nodes
>>   kind: SecurityContextConstraints
>>   metadata:
>>     annotations:
>>       kubernetes.io/description: 'privileged allows access to all privileged and host
>>         features and the ability to run as any user, any group, any fsGroup, and with
>>         any SELinux context.  WARNING: this is the most relaxed SCC and should be
>>         used only for cluster administration. Grant with caution.'
>>     creationTimestamp: 2017-10-05T19:28:00Z
>>     name: privileged
>>     namespace: ""
>>     resourceVersion: "9278361"
>>     selfLink: /api/v1/securitycontextconstraints/privileged
>>     uid: 4cd4dab7-aa03-11e7-afc6-000af7b3f4a4
>>   priority: null
>>   readOnlyRootFilesystem: false
>>   requiredDropCapabilities: []
>>   runAsUser:
>>     type: RunAsAny
>>   seLinuxContext:
>>     type: RunAsAny
>>   seccompProfiles:
>>   - '*'
>>   supplementalGroups:
>>     type: RunAsAny
>>   users:
>>   - system:serviceaccount:openshift-infra:build-controller
>>   - system:serviceaccount:management-infra:management-admin
>>   - system:serviceaccount:management-infra:inspector-admin
>>   - system:serviceaccount:default:registry
>>   - system:serviceaccount:aws-logging-fluentd:aws-logging-fluentd
>>   - system:serviceaccount:logging-test-deploy:aws-logging-fluentd
>>   - system:serviceaccount:default:logging-newrelic
>>   - system:serviceaccount:default:default
>>
>>   - system:serviceaccount:new-relic:default
>>   - system:serviceaccount:new-relic:new-relic
>>   volumes:
>>   - '*'
>>
>> --
>> Mateus Caruccio / Master of Puppets
>> GetupCloud.com
>> We make the infrastructure invisible
>> Gartner Cool Vendor 2017
>> _______________________________________________
>> dev mailing list
>> dev@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>
>
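An added example, not code from this thread and not OpenShift's own admission code: a small offline model of the two checks the thread is arguing about. An SCC is a candidate only if one of the given subjects is listed in its `users` or `groups`, and a candidate admits the pod only if none of the pod's host-level settings (hostNetwork, hostPID, hostIPC, privileged containers, hostPath volumes) exceed what that SCC allows. The pod template and the privileged SCC are trimmed from the YAML above; the restricted SCC is the stock default. Which subjects admission evaluates (the creating user, the pod's service account, or both) is passed in by the caller, so both readings in the thread can be tried. The controller service-account name is an assumption taken from the reply above, and the priority/restrictiveness ordering real admission uses is simplified to "first candidate with no violations wins".

```python
# Added example: simplified offline model of SCC admission (not OpenShift source).

# Pod template trimmed from the newrelic-agent DaemonSet shown in the thread.
POD_TEMPLATE = {
    "hostNetwork": True,
    "hostPID": True,
    "hostIPC": True,
    "serviceAccountName": "new-relic",
    "containers": [{"name": "newrelic", "securityContext": {"privileged": True}}],
    "volumes": [
        {"name": "newrelic-config", "secret": {"secretName": "newrelic-config"}},
        {"name": "dev", "hostPath": {"path": "/dev"}},
        {"name": "run", "hostPath": {"path": "/var/run/docker.sock"}},
        {"name": "sys", "hostPath": {"path": "/sys"}},
        {"name": "log", "hostPath": {"path": "/var/log"}},
    ],
}

# "restricted" is the stock default; "privileged" is trimmed from `oc get scc` above.
SCCS = {
    "restricted": {
        "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
        "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
        "users": [], "groups": ["system:authenticated"],
    },
    "privileged": {
        "allowHostNetwork": True, "allowHostPID": True, "allowHostIPC": True,
        "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
        "users": ["system:serviceaccount:new-relic:default",
                  "system:serviceaccount:new-relic:new-relic"],
        "groups": ["system:cluster-admins", "system:nodes"],
    },
}

# Assumed name of the controller that creates DaemonSet pods, as the reply above
# describes it; treat it as a placeholder and confirm with audit logs on your cluster.
CONTROLLER_SA = "system:serviceaccount:openshift-infra:daemonset-controller"

# (pod field, SCC allow field, label used in the violation message)
HOST_FLAGS = [("hostNetwork", "allowHostNetwork", "Host network"),
              ("hostPID", "allowHostPID", "Host PID"),
              ("hostIPC", "allowHostIPC", "Host IPC")]


def scc_violations(pod, scc):
    """Return the pod settings this SCC forbids; an empty list means the pod fits."""
    problems = []
    for field, allow, label in HOST_FLAGS:
        if pod.get(field) and not scc[allow]:
            problems.append(f".spec.{field}: Invalid value: true: {label} is not allowed to be used")
    for i, c in enumerate(pod.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not scc["allowPrivilegedContainer"]:
            problems.append(f".spec.containers[{i}].securityContext.privileged: "
                            "Invalid value: true: Privileged containers are not allowed")
    for i, v in enumerate(pod.get("volumes", [])):
        if "hostPath" in v and not scc["allowHostDirVolumePlugin"]:
            problems.append(f'.spec.volumes[{i}]: Invalid value: "hostPath": '
                            "hostPath volumes are not allowed to be used")
    return problems


def scc_grants(scc, subjects):
    """True if any subject (a user name or a group name) is listed on the SCC."""
    return any(s in scc["users"] or s in scc["groups"] for s in subjects)


def pod_subject(pod, namespace):
    """The pod's own service account, spelled the way SCC user lists spell it."""
    return f"system:serviceaccount:{namespace}:{pod.get('serviceAccountName', 'default')}"


def evaluate(pod, subjects, sccs):
    """Return (name of the first SCC that admits the pod, or None; {scc: violations})."""
    report = {name: scc_violations(pod, scc)
              for name, scc in sccs.items() if scc_grants(scc, subjects)}
    for name, problems in report.items():
        if not problems:
            return name, report
    return None, report


if __name__ == "__main__":
    # Reading 1: only the creating controller and its groups are evaluated.
    creator_only = [CONTROLLER_SA, "system:authenticated"]
    # Reading 2: the pod's service account is evaluated as well.
    with_pod_sa = creator_only + [pod_subject(POD_TEMPLATE, "new-relic")]
    for label, subjects in (("creator only", creator_only), ("creator + pod SA", with_pod_sa)):
        admitted, report = evaluate(POD_TEMPLATE, subjects, SCCS)
        print(f"[{label}] admitted by: {admitted}")
        for name, problems in report.items():
            print(f"  {name}: {len(problems)} violation(s)")
            for p in problems:
                print(f"    {p}")
```

Run against the thread's template, the "creator only" subject set reaches only the restricted SCC and reproduces the shape of the FailedCreate message (host network, host PID, host IPC, a privileged container and four hostPath volumes rejected), while the set that includes the pod's service account reaches the privileged SCC with no violations. On a live cluster the same pre-check is available as `oc policy scc-subject-review -f <pod.yaml>`; the script is useful for linting manifests before they reach the API server and for seeing exactly which fields a rejection is about.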