Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-23 Thread Vyacheslav Semushin
2018-05-17 17:18 GMT+02:00 Charles Moulliard :

> The trick / solution described there doesn't work. I tried also using the
> ansible playbook of OpenShift to remove the project and recreate it and the
> pod is always recreated with OpenShift annotation = anyuid
>

The reason why the "anyuid" SCC is being applied is that it was granted
to all authenticated users. And because anyuid has priority 10, it gets
applied instead of the "restricted" SCC.


-- 
Slava Semushin | OpenShift
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


CentOS PaaS SIG meeting (2018-05-23)

2018-05-23 Thread Ricardo Martinelli de Oliveira
Hello,
It's time for our weekly PaaS SIG sync-up meeting

Time: 1700 UTC - Wednesdays (date -d "1700 UTC")
Date: Today Wednesday, 23 May 2018
Where: IRC- Freenode - #centos-devel

Agenda:
- OpenShift Current Status
-- rpms
-- automation
- Open Floor

-- 
Ricardo Martinelli de Oliveira
Senior Software Engineer


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-23 Thread Daniel Comnea
On Wed, May 23, 2018 at 5:20 PM, Vyacheslav Semushin 
wrote:

> 2018-05-17 17:18 GMT+02:00 Charles Moulliard :
>
>> The trick / solution described there doesn't work. I tried also using
>> the ansible playbook of OpenShift to remove the project and recreate it and
>> the pod is always recreated with OpenShift annotation = anyuid
>>
>
> The reason why the "anyuid" SCC is being applied is that it was granted
> to all authenticated users. And because anyuid has priority 10, it gets
> applied instead of the "restricted" SCC.
>
[DC]: How do you know about anyuid and priority 10? In other words, how can
I find out what priority each SCC has?



openshift-ansible candidate for origin 3.7 and 3.9

2018-05-23 Thread Ricardo Martinelli de Oliveira
Hello,

The CentOS PaaS SIG team (thanks DanyC_) has finished the build for
openshift-ansible rpms for 3.7/ 3.8 & 3.9 latest tags. The rpms should
already be in the -candidate repo.

As the SIG is transitioning to new members, we are all working on learning
the process to build the rpms and make sure they are available in the
CentOS repositories. Having said that, we kindly ask everyone to test the
rpms and send us feedback so we can improve the quality of our work.

You can find below the packages for each version:

https://cbs.centos.org/repos/paas7-openshift-origin39-candidate/x86_64/os/Packages/
https://cbs.centos.org/repos/paas7-openshift-origin38-candidate/x86_64/os/Packages/
https://cbs.centos.org/repos/paas7-openshift-origin37-candidate/x86_64/os/Packages/

Thanks in advance,

-- 
Ricardo Martinelli de Oliveira
Senior Software Engineer


Custom SCC assigned to wrong pods

2018-05-23 Thread Daniel Comnea
Hi,

I'm running Origin 3.7.0 and I've created a custom SCC [1] which is being
referenced by different Deployment objects using serviceAccountName:
foo-scc-restricted.

Now the odd thing which I cannot explain is why the glusterFS pods [2], which
don't reference the newly created serviceAccountName [3], do have the new
custom SCC being used [4]... is that normal or is it a bug?



Cheers,
Dani

[1] https://gist.github.com/DanyC97/56070e3f1523e31c1ad96980df6d7fe5
[2] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918
[3] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
[4] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11


Re: Custom SCC assigned to wrong pods

2018-05-23 Thread Jordan Liggitt
By making your SCC available to all authenticated users, it gets added to
the set considered for every pod run by every service account:

users:
- system:serviceaccount:foo:foo-sa
groups:
- system:authenticated


If you want to limit it to just your foo-sa service account, you should
remove the system:authenticated group from the SCC



On Wed, May 23, 2018 at 5:54 PM, Daniel Comnea 
wrote:

> Hi,
>
> I'm running Origin 3.7.0 and I've created a custom SCC [1] which is being
> referenced by different Deployment objects using serviceAccountName:
> foo-scc-restricted.
>
> Now the odd thing which I cannot explain is why the glusterFS pods [2], which
> don't reference the newly created serviceAccountName [3], do have the new
> custom SCC being used [4]... is that normal or is it a bug?
>
>
>
> Cheers,
> Dani
>
> [1] https://gist.github.com/DanyC97/56070e3f1523e31c1ad96980df6d7fe5
> [2] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918
> [3] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
> [4] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11
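Added example (not part of the thread and not OpenShift code): a Python script that reproduces the behaviour Vyacheslav Semushin and Jordan Liggitt describe, namely that an SCC granted to system:authenticated is a candidate for every service account's pods and that the candidates are ordered by the SCC `priority` field. The SCC list is constructed sample data shaped like `oc get scc -o json`; the tiebreak by name is a simplification (real admission also ranks by restrictiveness and validates the pod), and only the `users`/`groups` fields are checked.

```python
import json

# Constructed sample shaped like `oc get scc -o json`, trimmed to the fields used.
SCC_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "restricted"}, "priority": null,
  "users": [], "groups": ["system:authenticated"]},
 {"metadata": {"name": "anyuid"}, "priority": 10,
  "users": [], "groups": ["system:cluster-admins", "system:authenticated"]},
 {"metadata": {"name": "foo-scc-restricted"}, "priority": null,
  "users": ["system:serviceaccount:foo:foo-sa"], "groups": ["system:authenticated"]},
 {"metadata": {"name": "privileged"}, "priority": null,
  "users": ["system:admin"], "groups": ["system:cluster-admins", "system:nodes"]}
]}
""")

# Groups that contain every service account in the cluster.
BROAD_GROUPS = {"system:authenticated", "system:serviceaccounts"}

def sa_identity(namespace, name):
    """User name and implicit groups of a service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
              "system:authenticated"}
    return user, groups

def candidate_sccs(scc_list, namespace, name):
    """Names of SCCs usable by the service account, highest priority first."""
    user, groups = sa_identity(namespace, name)
    usable = [s for s in scc_list["items"]
              if user in (s.get("users") or [])
              or groups & set(s.get("groups") or [])]
    # Unset priority counts as 0. Assumption: ties are broken by name only.
    usable.sort(key=lambda s: (-(s.get("priority") or 0), s["metadata"]["name"]))
    return [s["metadata"]["name"] for s in usable]

def broadly_granted(scc_list):
    """Map SCC name -> broad groups it is granted to (candidates for review)."""
    out = {}
    for s in scc_list["items"]:
        hit = sorted(BROAD_GROUPS & set(s.get("groups") or []))
        if hit:
            out[s["metadata"]["name"]] = hit
    return out

if __name__ == "__main__":
    print(candidate_sccs(SCC_LIST, "glusterfs", "default"))
    print(broadly_granted(SCC_LIST))
```

To run it against a cluster, replace `SCC_LIST` with the parsed output of `oc get scc -o json`.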


Re: Custom SCC assigned to wrong pods

2018-05-23 Thread Daniel Comnea
I see the rationale, thank you for the quick response and knowledge.

On Wed, May 23, 2018 at 10:59 PM, Jordan Liggitt 
wrote:

> By making your SCC available to all authenticated users, it gets added to
> the set considered for every pod run by every service account:
>
> users:
> - system:serviceaccount:foo:foo-sa
> groups:
> - system:authenticated
>
>
> If you want to limit it to just your foo-sa service account, you should
> remove the system:authenticated group from the SCC
>
>
>
> On Wed, May 23, 2018 at 5:54 PM, Daniel Comnea 
> wrote:
>
>> Hi,
>>
>> I'm running Origin 3.7.0 and I've created a custom SCC [1] which is
>> being referenced by different Deployment objects using
>> serviceAccountName: foo-scc-restricted.
>>
>> Now the odd thing which I cannot explain is why the glusterFS pods [2], which
>> don't reference the newly created serviceAccountName [3], do have the new
>> custom SCC being used [4]... is that normal or is it a bug?
>>
>>
>>
>> Cheers,
>> Dani
>>
>> [1] https://gist.github.com/DanyC97/56070e3f1523e31c1ad96980df6d7fe5
>> [2] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918
>> [3] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
>> [4] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11