Further discussion here.

On Tue, Dec 19, 2017 at 9:54 PM Jordan Liggitt <jligg...@redhat.com> wrote:

> > On Dec 19, 2017, at 1:49 AM, Weiwei Jiang <wji...@redhat.com> wrote:
> >
> > But the scc is trying to verify the creator account (you can see this
> > with audit enabled), and should be daemonset-controller or something like
> > this but not the given serviceaccount.
>
> That's not accurate. You can give the SCC permissions to either the
> creating user (in the case of a daemonset, this is the daemonset
> controller) and/or to the service account of this pod.
> You should avoid giving SCC permissions to the pod creating
> controllers, since that enables any user that can create a daemonset
> to make use of those permissions via the controller.