Re: SCC privileged not applying
Further discussion here: https://github.com/kubernetes/kubernetes/issues/57378

On Tue, Dec 19, 2017 at 9:54 PM Jordan Liggitt wrote:

> > On Dec 19, 2017, at 1:49 AM, Weiwei Jiang wrote:
> >
> > But the scc is trying to verify the creator account (you can see this
> > with audit enabled), and should be daemonset-controller or something like
> > this but not the given serviceaccount.
>
> That's not accurate. You can give the SCC permissions to either the
> creating user (in the case of a daemonset, this is the daemonset
> controller) and/or to the service account of this pod.
>
> You should avoid giving SCC permissions to the pod creating
> controllers, since that enables any user that can create a daemonset
> to make use of those permissions via the controller.
>
> ___
> dev mailing list
> dev@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
Re: SCC privileged not applying
> On Dec 19, 2017, at 1:49 AM, Weiwei Jiang wrote:
>
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), and should be daemonset-controller or something like this but
> not the given serviceaccount.

That's not accurate. You can give the SCC permissions to either the creating user (in the case of a daemonset, this is the daemonset controller) and/or to the service account of this pod.

You should avoid giving SCC permissions to the pod creating controllers, since that enables any user that can create a daemonset to make use of those permissions via the controller.
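To make the rule in the reply above concrete, here is an added example (not code from OpenShift or from anyone on this thread) that models SCC admission the way it is described: an SCC is a candidate if it is granted to the creating user or to the pod's service account, and the pod is admitted by the first candidate that allows everything it asks for. The allow* field names come from the `oc get scc` fragment and the pod settings from the posted DaemonSet; the SCC grant lists, the `restricted`/`privileged` definitions and the daemonset controller identity (`DS_CONTROLLER`) are constructed assumptions, and real SCCs check many more fields (SELinux, run-as-user, capabilities) than this model does.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# Constructed SCC model: only the fields the thread's event and `oc get scc`
# output mention. Real SCCs carry more (SELinux, run-as-user, capabilities).
@dataclass(frozen=True)
class SCC:
    name: str
    allow_privileged: bool
    allow_host_network: bool
    allow_host_pid: bool
    allow_host_ipc: bool
    allow_host_dir_volume_plugin: bool
    users: FrozenSet[str] = frozenset()   # user names granted this SCC
    groups: FrozenSet[str] = frozenset()  # group names granted this SCC


@dataclass(frozen=True)
class PodRequest:
    namespace: str
    service_account: str
    host_network: bool = False
    host_pid: bool = False
    host_ipc: bool = False
    privileged_containers: int = 0
    host_path_volumes: int = 0


def sa_user_name(namespace: str, service_account: str) -> str:
    """User name a service account acts as (the real OpenShift format)."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def validate(scc: SCC, pod: PodRequest) -> List[str]:
    """Violations of one SCC, phrased like the messages in the posted event."""
    errors = []
    if pod.host_network and not scc.allow_host_network:
        errors.append(f"provider {scc.name}: hostNetwork: Host network is not allowed to be used")
    if pod.host_pid and not scc.allow_host_pid:
        errors.append(f"provider {scc.name}: hostPID: Host PID is not allowed to be used")
    if pod.host_ipc and not scc.allow_host_ipc:
        errors.append(f"provider {scc.name}: hostIPC: Host IPC is not allowed to be used")
    if pod.privileged_containers and not scc.allow_privileged:
        errors.append(f"provider {scc.name}: privileged: Privileged containers are not allowed")
    if pod.host_path_volumes and not scc.allow_host_dir_volume_plugin:
        errors.append(f"provider {scc.name}: volumes: hostPath volumes are not allowed to be used")
    return errors


def admit(pod: PodRequest, creating_user: str, creating_user_groups: FrozenSet[str],
          sccs: List[SCC]) -> Tuple[Optional[str], List[str]]:
    """Admission as the thread describes it: an SCC is a candidate if it is granted
    (by user or group) to the creating user OR to the pod's service account.
    The first candidate that validates wins; otherwise every violation is returned."""
    sa_user = sa_user_name(pod.namespace, pod.service_account)
    # Groups every service account belongs to (real OpenShift group names).
    sa_groups = frozenset({"system:authenticated", "system:serviceaccounts",
                           f"system:serviceaccounts:{pod.namespace}"})
    candidates = [
        s for s in sccs
        if creating_user in s.users or sa_user in s.users
        or (creating_user_groups & s.groups) or (sa_groups & s.groups)
    ]
    violations: List[str] = []
    for scc in candidates:
        errs = validate(scc, pod)
        if not errs:
            return scc.name, []
        violations.extend(errs)
    return None, violations


# Constructed: restricted denies all host access and is granted to every
# authenticated identity, which is why it shows up as the only "provider" in the event.
RESTRICTED = SCC("restricted", False, False, False, False, False,
                 groups=frozenset({"system:authenticated"}))


def privileged_scc(users: FrozenSet[str] = frozenset()) -> SCC:
    """allow* fields as in the `oc get scc` fragment; the grant list is what varies."""
    return SCC("privileged", True, True, True, True, True, users=frozenset(users))


# Pod template from the posted DaemonSet: hostIPC/hostNetwork/hostPID, one
# privileged container, four hostPath volumes, service account new-relic.
NEWRELIC_POD = PodRequest("new-relic", "new-relic", True, True, True, 1, 4)

# Placeholder identity for the daemonset controller (assumption, not from the thread).
DS_CONTROLLER = "system:serviceaccount:openshift-infra:daemonset-controller"
CONTROLLER_GROUPS = frozenset({"system:authenticated"})


def scenario_before_grant():
    """Neither the controller nor the SA holds privileged: only restricted is tried."""
    return admit(NEWRELIC_POD, DS_CONTROLLER, CONTROLLER_GROUPS, [RESTRICTED, privileged_scc()])


def scenario_grant_to_service_account():
    """The recommended shape: grant privileged to the pod's own service account."""
    sccs = [RESTRICTED, privileged_scc(frozenset({sa_user_name("new-relic", "new-relic")}))]
    return admit(NEWRELIC_POD, DS_CONTROLLER, CONTROLLER_GROUPS, sccs)


def scenario_grant_to_controller():
    """The shape the reply warns against: granting privileged to the controller also
    admits a host-network pod from an unrelated namespace that the controller creates."""
    sccs = [RESTRICTED, privileged_scc(frozenset({DS_CONTROLLER}))]
    unrelated = PodRequest("someone-else", "default", host_network=True)
    return (admit(NEWRELIC_POD, DS_CONTROLLER, CONTROLLER_GROUPS, sccs),
            admit(unrelated, DS_CONTROLLER, CONTROLLER_GROUPS, sccs))


if __name__ == "__main__":
    print(scenario_before_grant())
    print(scenario_grant_to_service_account())
    print(scenario_grant_to_controller())
```

The first scenario reproduces the shape of the posted event (five "provider restricted" violations and no mention of privileged), which is what you see whenever privileged is not actually bound to either identity; `oc get scc privileged -o yaml` showing `system:serviceaccount:new-relic:new-relic` under `users` is the check that the grant in the second scenario has really landed. The third scenario is the reason for the warning in the reply: a grant to the controller is a grant to every DaemonSet anyone in the cluster can create.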
Re: SCC privileged not applying
Makes sense. Thanks for your clarification ;)

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-12-19 4:48 GMT-02:00 Weiwei Jiang <wji...@redhat.com>:

> Hi:
>
> I think you have some misunderstanding with OpenShift.
>
> Actually you create a daemonset with a specific serviceaccount you created
> which is granted with the SCC privileged, right?
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), and should be daemonset-controller or something like this
> but not the given serviceaccount.
> So you grant the new-relic account, but the creator is
> daemonset-controller (just put it here, maybe this is also not the right
> serviceaccount to create the target pod), so got this issue.
>
> And back to your scenario, I have no better suggestion if you insistently
> use daemonset to create the pod.
>
> You can pick up the pod template from the daemonset to just create the pod
> directly and grant the scc with your user (`oc whoami`) but will lose the
> daemonset features.
>
>
> Regards!
>
> On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <mateus.caruc...@getupcloud.com> wrote:
>
>> There is this daemonset which needs host access. I've created a
>> namespace, added `privileged` scc to a new serviceaccount and set pod to
>> run with that SA.
>>
>> The problem is openshift is not applying the privileged SCC to my
>> serviceAccount.
SCC privileged not applying
There is this daemonset which needs host access. I've created a namespace, added `privileged` scc to a new serviceaccount and set pod to run with that SA.

The problem is openshift is not applying the privileged SCC to my serviceAccount.

$ oc get ev
LASTSEEN   FIRSTSEEN   COUNT   NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
17s        17s         25      newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods "newrelic-agent-" is forbidden: unable to validate against any security context constraint: [
  provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
  provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used
  provider restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used
  provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
  provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
  provider restricted: .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
  provider restricted: .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
  provider restricted: .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
  provider restricted: .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
  provider restricted: .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used
  provider restricted: .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used]

This is my config:

$ oc version
oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://[REDACTED]
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7

$ oc whoami
system:admin

$ oc get ds -o yaml -n new-relic
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    creationTimestamp: 2017-12-18T18:20:42Z
    generation: 1
    labels:
      app: newrelic-agent
      tier: monitoring
      version: v1
    name: newrelic-agent
    namespace: new-relic
    resourceVersion: "9280118"
    selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
    uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
  spec:
    selector:
      matchLabels:
        name: newrelic
    template:
      metadata:
        creationTimestamp: null
        labels:
          name: newrelic
      spec:
        containers:
        - command:
          - bash
          - -c
          - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
          env:
          - name: NRSYSMOND_logfile
            value: /var/log/nrsysmond.log
          image: newrelic/nrsysmond
          imagePullPolicy: Always
          name: newrelic
          resources:
            requests:
              cpu: 150m
          securityContext:
            privileged: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /etc/kube-newrelic
            name: newrelic-config
            readOnly: true
          - mountPath: /dev
            name: dev
          - mountPath: /var/run/docker.sock
            name: run
          - mountPath: /sys
            name: sys
          - mountPath: /var/log
            name: log
        dnsPolicy: ClusterFirst
        hostIPC: true
        hostNetwork: true
        hostPID: true
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        serviceAccount: new-relic
        serviceAccountName: new-relic
        terminationGracePeriodSeconds: 30
        volumes:
        - name: newrelic-config
          secret:
            defaultMode: 420
            secretName: newrelic-config
        - hostPath:
            path: /dev
          name: dev
        - hostPath:
            path: /var/run/docker.sock
          name: run
        - hostPath:
            path: /sys
          name: sys
        - hostPath:
            path: /var/log
          name: log
    templateGeneration: 1
    updateStrategy:
      type: OnDelete
  status:
    currentNumberScheduled: 0
    desiredNumberScheduled: 0
    numberMisscheduled: 0
    numberReady: 0
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""

$ oc get scc
...[cut]
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivileged