Further discussion here:
https://github.com/kubernetes/kubernetes/issues/57378

On Tue, Dec 19, 2017 at 9:54 PM Jordan Liggitt <jligg...@redhat.com> wrote:

> > On Dec 19, 2017, at 1:49 AM, Weiwei Jiang <wji...@redhat.com> wrote:
> >
> > But the scc is trying to verify the creator account (you can see this
> > with audit enabled), and should be daemonset-controller or something like
> > this but not the given serviceaccount.
>
> That's not accurate. You can give the SCC permissions to either the
> creating user (in the case of a daemonset, this is the daemonset
> controller) and/or to the service account of this pod.
>
> You should avoid giving SCC permissions to the pod creating
> controllers, since that enables any user that can create a daemonset
> to make use of those permissions via the controller.
>
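An added example, not part of the original thread: a small audit that flags SCCs whose `users` or `groups` entries reach a pod-creating controller, the grant the reply above advises against. The controller subject names in `CONTROLLER_SUBJECTS` are an assumption to adjust per cluster, and the sample SCC data is constructed.

```python
# Assumed controller identities; adjust to the controller accounts in your cluster.
CONTROLLER_SUBJECTS = frozenset({
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:job-controller",
})

def covering_groups(subject):
    """Groups that implicitly include a service-account subject."""
    namespace = subject.split(":")[2]
    return {"system:authenticated", "system:serviceaccounts",
            "system:serviceaccounts:" + namespace}

def controller_grants(sccs, controllers=CONTROLLER_SUBJECTS):
    """Return sorted (scc, field, entry) tuples that grant an SCC to a controller."""
    findings = set()
    for scc in sccs:
        name = scc["metadata"]["name"]
        # Direct grant: the controller's own service account is listed.
        for user in scc.get("users") or []:
            if user in controllers:
                findings.add((name, "users", user))
        # Indirect grant: a group that contains the controller's account.
        for group in scc.get("groups") or []:
            if any(group in covering_groups(c) for c in controllers):
                findings.add((name, "groups", group))
    return sorted(findings)

# Constructed sample, shaped like the items of `oc get scc -o json`.
SAMPLE_SCCS = [
    {"metadata": {"name": "privileged"},
     "users": ["system:serviceaccount:kube-system:daemon-set-controller"],
     "groups": []},
    {"metadata": {"name": "hostaccess"},  # granted to the pod's own service account
     "users": ["system:serviceaccount:monitoring:node-agent"],
     "groups": None},
    {"metadata": {"name": "anyuid"},
     "users": [],
     "groups": ["system:serviceaccounts:kube-system"]},
]

if __name__ == "__main__":
    for scc, field, entry in controller_grants(SAMPLE_SCCS):
        print(f"{scc}: {field} entry {entry!r} reaches a pod-creating controller")
```

The `hostaccess` entry is not flagged because it is granted to the service account the pod runs as, which is the alternative the reply describes.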