Hi:
I think you have some misunderstanding with OpenShift.
Actually you create a daemonset with a specific serviceaccount you created,
which is granted the privileged SCC, right?
But the SCC is trying to verify the creator account (you can see this with
audit enabled), and it should be daemonset-controller or something like this,
not the given serviceaccount.
So you grant the new-relic account, but the creator is
daemonset-controller (just put it here, maybe this is also not the right
serviceaccount to create the target pod), so you got this issue.
And back to your scenario, I have no better suggestion if you insist on
using a daemonset to create the pod.
You can pick up the pod template from the daemonset to just create the pod
directly and grant the SCC to your user (`oc whoami`), but you will lose the
daemonset features.
Regards!
On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <
mateus.caruc...@getupcloud.com> wrote:
> There is this daemonset which needs host access. I've created a namespace,
> added `privileged` scc to a new serviceaccount and set pod to run with that
> SA.
>
> The problem is openshift is not applying the privileged SCC to my
> serviceAccount.
>
> *$ oc get ev*
> LASTSEEN FIRSTSEEN COUNT NAME KIND SUBOBJECT
> TYPE REASON SOURCE MESSAGE
> 17s 17s 25 newrelic-agent DaemonSet
> Warning FailedCreate daemon-set Error creating: pods
> "newrelic-agent-" is forbidden: unable to validate against any security
> context constraint: [provider restricted:
> .spec.securityContext.hostNetwork: Invalid value: true: Host network is not
> allowed to be used provider restricted: .spec.securityContext.hostPID:
> Invalid value: true: Host PID is not allowed to be used provider
> restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
> not allowed to be used provider restricted:
> .spec.containers[0].securityContext.privileged: Invalid value: true:
> Privileged containers are not allowed provider restricted:
> .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
> network is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
> is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
> is not allowed to be used]
>
>
> This is my config:
>
>
> *$ oc version*
> oc v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
> features: Basic-Auth GSSAPI Kerberos SPNEGO
>
> Server https://[REDACTED]
> openshift v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
>
>
> *$ oc whoami*
> system:admin
>
>
> *$ oc get ds -o yaml -n new-relic*
> apiVersion: v1
> items:
> - apiVersion: extensions/v1beta1
>   kind: DaemonSet
>   metadata:
>     creationTimestamp: 2017-12-18T18:20:42Z
>     generation: 1
>     labels:
>       app: newrelic-agent
>       tier: monitoring
>       version: v1
>     name: newrelic-agent
>     namespace: new-relic
>     resourceVersion: "9280118"
>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>   spec:
>     selector:
>       matchLabels:
>         name: newrelic
>     template:
>       metadata:
>         creationTimestamp: null
>         labels:
>           name: newrelic
>       spec:
>         containers:
>         - command:
>           - bash
>           - -c
>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>           env:
>           - name: NRSYSMOND_logfile
>             value: /var/log/nrsysmond.log
>           image: newrelic/nrsysmond
>           imagePullPolicy: Always
>           name: newrelic
>           resources:
>             requests:
>               cpu: 150m
>           securityContext:
>             privileged: true
>           terminationMessagePath: /dev/termination-log
>           terminationMessagePolicy: File
>           volumeMounts:
>           - mountPath: /etc/kube-newrelic
>             name: newrelic-config
>             readOnly: true
>           - mountPath: /dev
>             name: dev
>           - mountPath: /var/run/docker.sock
>             name: run
>           - mountPath: /sys
>             name: sys
>           - mountPath: /var/log
>             name: log
>         dnsPolicy: ClusterFirst
>         hostIPC: true
>         hostNetwork: