Re: SCC privileged not applying

2017-12-19 Thread Weiwei Jiang
Further discussion here.

On Tue, Dec 19, 2017 at 9:54 PM Jordan Liggitt  wrote:

> > On Dec 19, 2017, at 1:49 AM, Weiwei Jiang wrote:
> >
> > But the scc is trying to verify the creator account (you can see this
> > with audit enabled), and should be daemonset-controller or something like
> > this but not the given serviceaccount.
> That's not accurate. You can give the SCC permissions to either the
> creating user (in the case of a daemonset, this is the daemonset
> controller) and/or to the service account of this pod.
> You should avoid giving SCC permissions to the pod creating
> controllers, since that enables any user that can create a daemonset
> to make use of those permissions via the controller.
dev mailing list

Re: SCC privileged not applying

2017-12-18 Thread Weiwei Jiang

I think you have some misunderstanding of OpenShift.

Actually, you created a daemonset with a specific serviceaccount you created,
which is granted the privileged SCC, right?
But the scc is trying to verify the creator account (you can see this with
audit enabled), and should be daemonset-controller or something like this
but not the given serviceaccount.
So you granted the new-relic account, but the creator is
daemonset-controller (just put it here, maybe this is also not the right
serviceaccount to create the target pod), so you got this issue.

And back to your scenario, I have no better suggestion if you insist on
using a daemonset to create the pod.

You can pick up the pod template from the daemonset to just create the pod
directly and grant the scc to your user (`oc whoami`), but you will lose the
daemonset features.


On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio wrote:

> There is this daemonset which needs host access. I've created a namespace,
> added `privileged` scc to a new serviceaccount and set pod to run with that
> SA.
> The problem is openshift is not applying the privileged SCC to my
> serviceAccount.
> *$ oc get ev*
> 17s   17s   25   newrelic-agent   DaemonSet
> Warning   FailedCreate   daemon-set   Error creating: pods
> "newrelic-agent-" is forbidden: unable to validate against any security
> context constraint: [provider restricted:
> .spec.securityContext.hostNetwork: Invalid value: true: Host network is not
> allowed to be used provider restricted: .spec.securityContext.hostPID:
> Invalid value: true: Host PID is not allowed to be used provider
> restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
> not allowed to be used provider restricted:
> .spec.containers[0].securityContext.privileged: Invalid value: true:
> Privileged containers are not allowed provider restricted:
> .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
> network is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
> is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
> is not allowed to be used]
> This is my config:
> *$ oc version*
> oc v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
> features: Basic-Auth GSSAPI Kerberos SPNEGO
> Server https://[REDACTED]
> openshift v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
> *$ oc whoami*
> system:admin
> *$ oc get ds -o yaml -n new-relic*
> apiVersion: v1
> items:
> - apiVersion: extensions/v1beta1
>   kind: DaemonSet
>   metadata:
>     creationTimestamp: 2017-12-18T18:20:42Z
>     generation: 1
>     labels:
>       app: newrelic-agent
>       tier: monitoring
>       version: v1
>     name: newrelic-agent
>     namespace: new-relic
>     resourceVersion: "9280118"
>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>   spec:
>     selector:
>       matchLabels:
>         name: newrelic
>     template:
>       metadata:
>         creationTimestamp: null
>         labels:
>           name: newrelic
>       spec:
>         containers:
>         - command:
>           - bash
>           - -c
>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>           env:
>           - name: NRSYSMOND_logfile
>             value: /var/log/nrsysmond.log
>           image: newrelic/nrsysmond
>           imagePullPolicy: Always
>           name: newrelic
>           resources:
>             requests:
>               cpu: 150m
>           securityContext:
>             privileged: true
>           terminationMessagePath: /dev/termination-log
>           terminationMessagePolicy: File
>           volumeMounts:
>           - mountPath: /etc/kube-newrelic
>             name: newrelic-config
>             readOnly: true
>           - mountPath: /dev
>             name: dev
>           - mountPath: /var/run/docker.sock
>             name: run
>           - mountPath: /sys
>             name: sys
>           - mountPath: /var/log
>             name: log
>         dnsPolicy: ClusterFirst
>         hostIPC: true
>         hostNetwork: