> On Dec 19, 2017, at 1:49 AM, Weiwei Jiang <wji...@redhat.com> wrote:
> But the scc is trying to verify the creator account (you can see this with 
> audit enabled), and should be daemonset-controller or something like this but 
> not the given serviceaccount.

That's not accurate. You can give the SCC permissions to either the
creating user (in the case of a daemonset, this is the daemonset
controller) and/or to the service account of this pod.

You should avoid giving SCC permissions to the pod creating
controllers, since that enables any user that can create a daemonset
to make use of those permissions via the controller.
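
An added example, not part of the original message: a check over SCC objects that flags grants made to pod-creating controller identities rather than to the pod's own service account. The controller namespaces, the `-controller` name suffix and the sample data are assumptions made for illustration.

```python
import json

# Assumption: namespaces where workload controllers run as service accounts.
# These differ between OpenShift releases; adjust for the cluster being audited.
CONTROLLER_NAMESPACES = {"openshift-infra", "kube-system"}

def is_controller_subject(user):
    """True for system:serviceaccount:<controller-ns>:<name>-controller."""
    parts = user.split(":")
    return (len(parts) == 4
            and parts[:2] == ["system", "serviceaccount"]
            and parts[2] in CONTROLLER_NAMESPACES
            and parts[3].endswith("-controller"))  # assumed naming heuristic

def is_controller_group(group):
    """True for system:serviceaccounts:<controller-ns>, which covers every
    service account in that namespace, controllers included."""
    parts = group.split(":")
    return (len(parts) == 3
            and parts[:2] == ["system", "serviceaccounts"]
            and parts[2] in CONTROLLER_NAMESPACES)

def audit_sccs(scc_list):
    """Return sorted (scc, kind, subject) tuples for controller grants."""
    findings = []
    for scc in scc_list.get("items", []):
        name = scc["metadata"]["name"]
        # users/groups can be null in the API output, hence `or []`
        for user in scc.get("users") or []:
            if is_controller_subject(user):
                findings.append((name, "user", user))
        for group in scc.get("groups") or []:
            if is_controller_group(group):
                findings.append((name, "group", group))
    return sorted(findings)

# Constructed sample in the shape of `oc get scc -o json`; not real cluster data.
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "privileged"}, "groups": ["system:cluster-admins"],
   "users": ["system:admin",
             "system:serviceaccount:openshift-infra:daemonset-controller"]},
  {"metadata": {"name": "hostaccess"}, "groups": null,
   "users": ["system:serviceaccount:logging:fluentd"]},
  {"metadata": {"name": "anyuid"}, "users": null,
   "groups": ["system:serviceaccounts:kube-system"]}]}""")

if __name__ == "__main__":
    for scc, kind, subject in audit_sccs(SAMPLE):
        print(f"{scc}: {kind} {subject} is a pod-creating controller identity")
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `oc get scc -o json`.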
