I see the rationale, thank you for the quick response and knowledge.

On Wed, May 23, 2018 at 10:59 PM, Jordan Liggitt <jligg...@redhat.com> wrote:
> By making your SCC available to all authenticated users, it gets added to
> the set considered for every pod run by every service account:
>
> users:
> - system:serviceaccount:foo:foo-sa
> groups:
> - system:authenticated
>
> If you want to limit it to just your foo-sa service account, you should
> remove the system:authenticated group from the SCC
>
> On Wed, May 23, 2018 at 5:54 PM, Daniel Comnea <comnea.d...@gmail.com> wrote:
>
>> Hi,
>>
>> I'm running Origin 3.7.0 and I've created a custom SCC [1] which is
>> being referenced by different Deployment objects using
>> serviceAccountName: foo-scc-restricted.
>>
>> Now the odd thing which I cannot explain is why glusterFS pods [2] which
>> don't reference the newly created serviceAccountName [3] do have the new
>> custom SCC being used [4]... is that normal or is it a bug?
>>
>> Cheers,
>> Dani
>>
>> [1] https://gist.github.com/DanyC97/56070e3f1523e31c1ad96980df6d7fe5
>> [2] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918
>> [3] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
>> [4] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11
>>
>> _______________________________________________
>> dev mailing list
>> dev@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
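The behaviour discussed in this thread, as an added example that is not part of the original messages or of OpenShift's own code: it computes which SCCs are candidates for a service account from the SCC `users` and `groups` fields only, before and after removing `system:authenticated` from the custom SCC. The SCC name `foo-scc`, the `glusterfs-sa` service account and the sample SCC list are assumptions made for illustration.

```python
# Added example. SCC entries are constructed, shaped like `oc get scc -o json` items.
# "foo-scc" and the glusterfs service account name are hypothetical; the
# users/groups values for foo-scc are the ones quoted in the thread.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}

SCCS_BEFORE = [
    {"metadata": {"name": "restricted"},
     "users": [], "groups": ["system:authenticated"]},
    {"metadata": {"name": "foo-scc"},
     "users": ["system:serviceaccount:foo:foo-sa"],
     "groups": ["system:authenticated"]},
]

def sa_identity(namespace, name):
    """Username and groups that every service account carries."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts",
              f"system:serviceaccounts:{namespace}",
              "system:authenticated"}
    return user, groups

def candidate_sccs(sccs, namespace, name):
    """Names of SCCs whose users/groups fields match the service account."""
    user, groups = sa_identity(namespace, name)
    return sorted(s["metadata"]["name"] for s in sccs
                  if user in (s.get("users") or [])
                  or groups & set(s.get("groups") or []))

def broadly_granted(sccs):
    """Map SCC name -> broad groups it is granted to (audit finding)."""
    hits = {}
    for s in sccs:
        broad = BROAD_GROUPS & set(s.get("groups") or [])
        if broad:
            hits[s["metadata"]["name"]] = sorted(broad)
    return hits

def drop_group(sccs, scc_name, group):
    """Copy of sccs with `group` removed from one SCC (the suggested fix)."""
    return [dict(s, groups=[g for g in s.get("groups") or [] if g != group])
            if s["metadata"]["name"] == scc_name else s for s in sccs]

SCCS_AFTER = drop_group(SCCS_BEFORE, "foo-scc", "system:authenticated")

if __name__ == "__main__":
    for label, sccs in (("before", SCCS_BEFORE), ("after", SCCS_AFTER)):
        print(label, "glusterfs-sa:", candidate_sccs(sccs, "glusterfs", "glusterfs-sa"))
        print(label, "foo-sa:", candidate_sccs(sccs, "foo", "foo-sa"))
    print("broad grants:", broadly_granted(SCCS_BEFORE))
```

Running `broadly_granted` over the real output of `oc get scc -o json` gives a quick list of SCCs to review for unintended group grants.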