I'd like to continue this discussion because this broken configuration could be easily reproduced by following our own documentation:
https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile

How can we fix this? Do we have a virtual group (like system:authenticated) that doesn't include any system-related users? In that case, we would be able to use such a group in the example above.

2018-05-17 15:15 GMT+02:00 Sam Padgett <[email protected]>:

> The file mode is 400, and I think anyuid breaks reading it since the user
> changes.
>
> https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_web_console/files/console-template.yaml#L90
>
> The console doesn't need anyuid... I'm not sure what's adding it.
>
> Sam
>
> On Thu, May 17, 2018 at 9:03 AM, Clayton Coleman <[email protected]> wrote:
>
>> anyuid is less restrictive than restricted, unless you customized
>> restricted. Did you customize restricted?
>>
>> On May 17, 2018, at 8:56 AM, Charles Moulliard <[email protected]> wrote:
>>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>>     openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it, otherwise we can't access the Web Console anymore?

-- 
Slava Semushin | OpenShift
_______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
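The following is an added example, not code from the thread or from OpenShift, that simulates the SCC selection behind the failure described above: once anyuid is granted to system:authenticated (as in the linked docs example), every service account matches anyuid, and its higher priority wins over restricted. The priority values (anyuid 10, restricted none) and the tie-break rule are assumptions modelled on OpenShift 3.x defaults; the web console namespace and service account names, and the group "example-anyuid-users", are assumed or constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SCC:
    """Minimal model of a SecurityContextConstraints object (assumed fields)."""
    name: str
    priority: int = 0                 # a null priority in the API is treated as 0
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    run_as_image_user: bool = False   # True: RunAsAny (anyuid); False: MustRunAsRange (restricted)


def service_account_groups(namespace: str) -> set:
    """Virtual groups every service account in `namespace` is a member of."""
    return {"system:authenticated", "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}"}


def admitted_scc(sccs, user: str, groups: set) -> str:
    """Pick the SCC the pod is validated against: highest priority first, then the
    more restrictive one on ties (restricted before anyuid), then by name.
    This mirrors the candidate ordering OpenShift applies (assumed model)."""
    matching = [s for s in sccs if user in s.users or (groups & s.groups)]
    if not matching:
        raise PermissionError(f"{user} matches no SCC; the pod would be rejected")
    matching.sort(key=lambda s: (-s.priority, s.run_as_image_user, s.name))
    return matching[0].name


def console_scc(anyuid_groups: set) -> str:
    """SCC the web console's service account would receive, given anyuid's groups.
    Namespace and service account name are assumptions, not taken from the thread."""
    sa = "system:serviceaccount:openshift-web-console:webconsole"
    sccs = [
        SCC("restricted", 0, groups={"system:authenticated"}),              # default binding
        SCC("anyuid", 10, groups=set(anyuid_groups), run_as_image_user=True),
    ]
    return admitted_scc(sccs, sa, service_account_groups("openshift-web-console"))


if __name__ == "__main__":
    # Docs example: anyuid granted to every authenticated subject, service accounts included.
    print(console_scc({"system:authenticated"}))   # anyuid -> runs as the image user, 0400 cert unreadable
    # anyuid bound only to a constructed, non-system group: the console SA stays restricted.
    print(console_scc({"example-anyuid-users"}))   # restricted
```

The first call shows why the recreated console pod picks up anyuid without anyone changing its template; the second shows that binding anyuid to a group that does not contain service accounts leaves the default restricted SCC in place.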
