Makes sense. Thanks for your clarification ;)

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017
2017-12-19 4:48 GMT-02:00 Weiwei Jiang <[email protected]>:

> Hi:
>
> I think you have some misunderstanding about OpenShift.
>
> Actually you create a daemonset with a specific serviceaccount you created
> which is granted the SCC privileged, right?
> But the SCC is trying to verify the creator account (you can see this with
> audit enabled), and that should be daemonset-controller or something like this,
> not the given serviceaccount.
> So you grant the new-relic account, but the creator is
> daemonset-controller (just put it here, maybe this is also not the right
> serviceaccount to create the target pod), so you got this issue.
>
> And back to your scenario, I have no better suggestion if you insist on
> using a daemonset to create the pod.
>
> You can pick up the pod template from the daemonset to just create the pod
> directly and grant the SCC to your user (`oc whoami`), but you will lose the
> daemonset features.
>
>
> Regards!
>
> On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <[email protected]> wrote:
>
>> There is this daemonset which needs host access. I've created a
>> namespace, added the `privileged` SCC to a new serviceaccount and set the pod to
>> run with that SA.
>>
>> The problem is OpenShift is not applying the privileged SCC to my
>> serviceAccount.
>>
>> *$ oc get ev*
>> LASTSEEN   FIRSTSEEN   COUNT   NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
>> 17s        17s         25      newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods "newrelic-agent-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used provider restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used provider restricted: .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used provider restricted: .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used]
>>
>>
>> This is my config:
>>
>>
>> *$ oc version*
>> oc v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>
>> Server https://[REDACTED]
>> openshift v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>>
>>
>> *$ oc whoami*
>> system:admin
>>
>>
>> *$ oc get ds -o yaml -n new-relic*
>> apiVersion: v1
>> items:
>> - apiVersion: extensions/v1beta1
>>   kind: DaemonSet
>>   metadata:
>>     creationTimestamp: 2017-12-18T18:20:42Z
>>     generation: 1
>>     labels:
>>       app: newrelic-agent
>>       tier: monitoring
>>       version: v1
>>     name: newrelic-agent
>>     namespace: new-relic
>>     resourceVersion: "9280118"
>>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>>   spec:
>>     selector:
>>       matchLabels:
>>         name: newrelic
>>     template:
>>       metadata:
>>         creationTimestamp: null
>>         labels:
>>           name: newrelic
>>       spec:
>>         containers:
>>         - command:
>>           - bash
>>           - -c
>>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>>           env:
>>           - name: NRSYSMOND_logfile
>>             value: /var/log/nrsysmond.log
>>           image: newrelic/nrsysmond
>>           imagePullPolicy: Always
>>           name: newrelic
>>           resources:
>>             requests:
>>               cpu: 150m
>>           securityContext:
>>             privileged: true
>>           terminationMessagePath: /dev/termination-log
>>           terminationMessagePolicy: File
>>           volumeMounts:
>>           - mountPath: /etc/kube-newrelic
>>             name: newrelic-config
>>             readOnly: true
>>           - mountPath: /dev
>>             name: dev
>>           - mountPath: /var/run/docker.sock
>>             name: run
>>           - mountPath: /sys
>>             name: sys
>>           - mountPath: /var/log
>>             name: log
>>         dnsPolicy: ClusterFirst
>>         hostIPC: true
>>         hostNetwork: true
>>         hostPID: true
>>         restartPolicy: Always
>>         schedulerName: default-scheduler
>>         securityContext: {}
>>         serviceAccount: new-relic
>>         serviceAccountName: new-relic
>>         terminationGracePeriodSeconds: 30
>>         volumes:
>>         - name: newrelic-config
>>           secret:
>>             defaultMode: 420
>>             secretName: newrelic-config
>>         - hostPath:
>>             path: /dev
>>           name: dev
>>         - hostPath:
>>             path: /var/run/docker.sock
>>           name: run
>>         - hostPath:
>>             path: /sys
>>           name: sys
>>         - hostPath:
>>             path: /var/log
>>           name: log
>>     templateGeneration: 1
>>     updateStrategy:
>>       type: OnDelete
>>   status:
>>     currentNumberScheduled: 0
>>     desiredNumberScheduled: 0
>>     numberMisscheduled: 0
>>     numberReady: 0
>> kind: List
>> metadata: {}
>> resourceVersion: ""
>> selfLink: ""
>>
>>
>> *$ oc get scc*
>> ...[cut]
>> - allowHostDirVolumePlugin: true
>>   allowHostIPC: true
>>   allowHostNetwork: true
>>   allowHostPID: true
>>   allowHostPorts: true
>>   allowPrivilegedContainer: true
>>   allowedCapabilities:
>>   - '*'
>>   apiVersion: v1
>>   defaultAddCapabilities: []
>>   fsGroup:
>>     type: RunAsAny
>>   groups:
>>   - system:cluster-admins
>>   - system:nodes
>>   kind: SecurityContextConstraints
>>   metadata:
>>     annotations:
>>       kubernetes.io/description: 'privileged allows access to all privileged and host
>>         features and the ability to run as any user, any group, any fsGroup, and with
>>         any SELinux context. WARNING: this is the most relaxed SCC and should be
>>         used only for cluster administration. Grant with caution.'
>>     creationTimestamp: 2017-10-05T19:28:00Z
>>     name: privileged
>>     namespace: ""
>>     resourceVersion: "9278361"
>>     selfLink: /api/v1/securitycontextconstraints/privileged
>>     uid: 4cd4dab7-aa03-11e7-afc6-000af7b3f4a4
>>   priority: null
>>   readOnlyRootFilesystem: false
>>   requiredDropCapabilities: []
>>   runAsUser:
>>     type: RunAsAny
>>   seLinuxContext:
>>     type: RunAsAny
>>   seccompProfiles:
>>   - '*'
>>   supplementalGroups:
>>     type: RunAsAny
>>   users:
>>   - system:serviceaccount:openshift-infra:build-controller
>>   - system:serviceaccount:management-infra:management-admin
>>   - system:serviceaccount:management-infra:inspector-admin
>>   - system:serviceaccount:default:registry
>>   - system:serviceaccount:aws-logging-fluentd:aws-logging-fluentd
>>   - system:serviceaccount:logging-test-deploy:aws-logging-fluentd
>>   - system:serviceaccount:default:logging-newrelic
>>   - system:serviceaccount:default:default
>>   *- system:serviceaccount:new-relic:default
>>   - system:serviceaccount:new-relic:new-relic*
>>   volumes:
>>   - '*'
>>
>> --
>> Mateus Caruccio / Master of Puppets
>> GetupCloud.com
>> We make the infrastructure invisible
>> Gartner Cool Vendor 2017
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>
>
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
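The thread turns on which identity SCC admission matches against: the quoted event lists only `provider restricted` violations even though `system:serviceaccount:new-relic:new-relic` is in the privileged SCC's `users`, and Weiwei's suggestion is that the creator of the pod (a controller account) is what gets checked. The following is an added toy model of that decision, written for this page and not OpenShift's admission code. It checks a pod spec against every SCC whose `users`/`groups` match the requesting identity (and, optionally, the pod's service account), and emits rejection messages in the same style as the event above. The pod dict is reduced from the daemonset template in the thread; the two SCC objects, the controller identity name `system:serviceaccount:kube-system:daemon-set-controller`, its group membership, and the `check_pod_sa` switch are constructed assumptions for the demonstration.

```python
"""Toy model of OpenShift SecurityContextConstraints (SCC) admission.

Added example, not OpenShift's admission code. It reproduces the shape of the
'unable to validate against any security context constraint' error from the
thread by checking a pod spec against every SCC whose users or groups match
the requesting identity and, when check_pod_sa is set, the pod's service account.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SAFE_VOLUMES = frozenset({"configMap", "secret", "emptyDir", "persistentVolumeClaim"})


@dataclass(frozen=True)
class SCC:
    name: str
    allow_host_network: bool = False
    allow_host_pid: bool = False
    allow_host_ipc: bool = False
    allow_privileged: bool = False
    allowed_volumes: FrozenSet[str] = SAFE_VOLUMES   # '*' means any volume type
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()


def violations(pod: dict, scc: SCC) -> List[str]:
    """List the fields of `pod` that `scc` forbids, in the event-message style."""
    spec, errs = pod["spec"], []
    host_flags = [("hostNetwork", scc.allow_host_network, "Host network"),
                  ("hostPID", scc.allow_host_pid, "Host PID"),
                  ("hostIPC", scc.allow_host_ipc, "Host IPC")]
    for key, allowed, label in host_flags:
        if spec.get(key) and not allowed:
            errs.append(f"provider {scc.name}: .spec.securityContext.{key}: "
                        f"Invalid value: true: {label} is not allowed to be used")
    for i, c in enumerate(spec.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not scc.allow_privileged:
            errs.append(f"provider {scc.name}: .spec.containers[{i}].securityContext."
                        f"privileged: Invalid value: true: Privileged containers are not allowed")
    for i, vol in enumerate(spec.get("volumes", [])):
        kind = next(k for k in vol if k != "name")        # e.g. "hostPath", "secret"
        if "*" not in scc.allowed_volumes and kind not in scc.allowed_volumes:
            errs.append(f'provider {scc.name}: .spec.volumes[{i}]: Invalid value: '
                        f'"{kind}": {kind} volumes are not allowed to be used')
    return errs


def admit(pod: dict, user: str, groups: FrozenSet[str], sccs: List[SCC],
          check_pod_sa: bool = True) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return (admitting SCC name, {}) or (None, violations per matching SCC).

    `sccs` is tried in order, so callers pass the most permissive first.
    check_pod_sa=False matches only the requesting identity, which models the
    situation the thread suspects: the pod's own service account is ignored.
    """
    ns = pod["metadata"]["namespace"]
    pod_sa = f"system:serviceaccount:{ns}:{pod['spec'].get('serviceAccountName', 'default')}"
    rejected: Dict[str, List[str]] = {}
    for scc in sccs:
        matches = (user in scc.users or bool(groups & scc.groups)
                   or (check_pod_sa and pod_sa in scc.users))
        if not matches:
            continue
        errs = violations(pod, scc)
        if not errs:
            return scc.name, {}
        rejected[scc.name] = errs
    return None, rejected


# --- Constructed sample input, reduced from the daemonset and SCC in the thread ---
NEWRELIC_POD = {
    "metadata": {"namespace": "new-relic"},
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "serviceAccountName": "new-relic",
        "containers": [{"name": "newrelic", "securityContext": {"privileged": True}}],
        "volumes": [
            {"name": "newrelic-config", "secret": {"secretName": "newrelic-config"}},
            {"name": "dev", "hostPath": {"path": "/dev"}},
            {"name": "run", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "sys", "hostPath": {"path": "/sys"}},
            {"name": "log", "hostPath": {"path": "/var/log"}},
        ],
    },
}
RESTRICTED = SCC("restricted", groups=frozenset({"system:authenticated"}))
PRIVILEGED = SCC("privileged", allow_host_network=True, allow_host_pid=True,
                 allow_host_ipc=True, allow_privileged=True,
                 allowed_volumes=frozenset({"*"}),
                 users=frozenset({"system:serviceaccount:new-relic:new-relic"}),
                 groups=frozenset({"system:cluster-admins", "system:nodes"}))
SCCS = [PRIVILEGED, RESTRICTED]
# Hypothetical identity for the controller that creates the daemonset's pods.
CONTROLLER = "system:serviceaccount:kube-system:daemon-set-controller"
CONTROLLER_GROUPS = frozenset({"system:authenticated"})

if __name__ == "__main__":
    for check_sa in (True, False):
        name, rejected = admit(NEWRELIC_POD, CONTROLLER, CONTROLLER_GROUPS, SCCS, check_sa)
        print(f"check_pod_sa={check_sa}: admitted by {name}")
        for scc_name, errs in rejected.items():
            print(f"  {scc_name}: {len(errs)} violation(s)")
            for e in errs:
                print("   ", e)
```

With `check_pod_sa=True` the pod is admitted by `privileged`; with it off, only `restricted` matches the controller identity and the model yields the eight violations (three host namespaces, one privileged container, four hostPath volumes) that correspond to the `FailedCreate` event, which is the symptom of granting the SCC to an identity other than the one admission actually evaluates. When debugging this on a real cluster, the audit log (as Weiwei notes) is the place to confirm which identity made the pod creation request before deciding whose SCC membership to change.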
