> On Dec 19, 2017, at 1:49 AM, Weiwei Jiang <wji...@redhat.com> wrote:
>
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), and should be daemonset-controller or something like this but
> not the given serviceaccount).

That's not accurate. You can give the SCC permissions to either the creating user (in the case of a daemonset, this is the daemonset controller) and/or to the service account of this pod. You should avoid giving SCC permissions to the pod creating controllers, since that enables any user that can create a daemonset to make use of those permissions via the controller.
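
An added example, not part of the original message: a small audit over the output of `oc get scc -o json` that separates SCC grants made directly to pod-creating controller accounts (the case the reply advises against) from grants made to a pod's own service account. The controller namespaces, the `-controller` name suffix heuristic and every account name in the sample are assumptions constructed for illustration.

```python
# Added example: audit direct SCC user grants from `oc get scc -o json` output.
SA_PREFIX = "system:serviceaccount:"
# Assumption: namespaces that host pod-creating controllers; adjust per cluster.
CONTROLLER_NAMESPACES = {"kube-system", "openshift-infra"}

def parse_service_account(user):
    """Return (namespace, name) if user is a service account username, else None."""
    if not user.startswith(SA_PREFIX):
        return None
    parts = user[len(SA_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]

def is_controller_account(user):
    """Heuristic (assumption): a *-controller account in a controller namespace."""
    sa = parse_service_account(user)
    return bool(sa) and sa[0] in CONTROLLER_NAMESPACES and sa[1].endswith("-controller")

def audit_sccs(scc_list):
    """Split SCC user grants into controller grants and pod service account grants."""
    report = {"controller": [], "service_account": []}
    for scc in scc_list.get("items", []):
        name = scc["metadata"]["name"]
        for user in scc.get("users") or []:  # `users` may be null in the JSON
            if is_controller_account(user):
                report["controller"].append((name, user))
            elif parse_service_account(user):
                report["service_account"].append((name, user))
    return report

# Constructed sample, not taken from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "privileged"},
     "users": ["system:admin",
               "system:serviceaccount:kube-system:daemon-set-controller",
               "system:serviceaccount:logging:fluentd"]},
    {"metadata": {"name": "restricted"}, "users": None},
]}

if __name__ == "__main__":
    result = audit_sccs(SAMPLE)
    for scc, user in result["controller"]:
        print(f"REVIEW {scc}: granted to controller account {user}")
    for scc, user in result["service_account"]:
        print(f"ok     {scc}: granted to pod service account {user}")
```

This only inspects the `users` list of each SCC; grants made through `groups` need a separate check.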