Security-wise, there is little difference between allowing every service account named "default", and just allowing all service accounts to use that SCC (which you can do by allowing the group system:serviceaccounts). Either one gives access to hostmounts to any user able to create pods/replicationcontrollers/deploymentconfigs.
On Mon, Feb 15, 2016 at 11:26 AM, David Strejc <[email protected]> wrote:
> Is it possible to add the "default" service account to this scc for every project
> - I mean those I will create in future.
>
> Now I need to add this scc for projects I've created ex post.
>
> David Strejc
> t: +420734270131
> e: [email protected]
>
> On Mon, Feb 15, 2016 at 4:44 PM, David Strejc <[email protected]> wrote:
>
>> Many thanks, I will do that.
>>
>> David Strejc
>> t: +420734270131
>> e: [email protected]
>>
>> On Mon, Feb 15, 2016 at 4:35 PM, Jordan Liggitt <[email protected]> wrote:
>>
>>> For deploymentconfigs/replicationcontrollers, you *have* to authorize
>>> the service account... your original user isn't around any more, so the
>>> service account is all the API has to go on to allow the pod to use host
>>> volumes.
>>>
>>> On Mon, Feb 15, 2016 at 10:26 AM, David Strejc <[email protected]> wrote:
>>>
>>>> Any idea anybody?
>>>>
>>>> David Strejc
>>>> t: +420734270131
>>>> e: [email protected]
>>>>
>>>> On Mon, Feb 15, 2016 at 7:53 AM, David Strejc <[email protected]> wrote:
>>>>
>>>>> I am still getting the same message.
>>>>>
>>>>> I don't want to use a service account - I am using account "david" which
>>>>> has been added to the privileged scc previously.
>>>>> I've also given policy hostaccess to this account.
>>>>>
>>>>> I need to start my pods with a socket mounted from the Node. It works when I
>>>>> create the Pod from the pod definition pod.yaml:
>>>>>
>>>>> apiVersion: v1
>>>>> kind: Pod
>>>>> metadata:
>>>>>   name: david
>>>>>   labels:
>>>>>     name: david
>>>>> spec:
>>>>>   containers:
>>>>>   #- image: davidstrejc/test2
>>>>>   - image: davidstrejc/test2
>>>>>     name: david
>>>>>     volumeMounts:
>>>>>     - mountPath: /var/lib/mysql/mysql.sock
>>>>>       name: test-volume
>>>>>     ports:
>>>>>     - containerPort: 80
>>>>>   volumes:
>>>>>   - name: test-volume
>>>>>     hostPath:
>>>>>       path: /var/lib/mysql/mysql.sock
>>>>>   selector:
>>>>>     name: david
>>>>>
>>>>> But when I use a template with the same account it fails with the message I
>>>>> wrote.
>>>>>
>>>>> David Strejc
>>>>> t: +420734270131
>>>>> e: [email protected]
>>>>>
>>>>> On Fri, Feb 12, 2016 at 3:35 PM, Clayton Coleman <[email protected]> wrote:
>>>>>
>>>>>> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
>>>>>>
>>>>>> Your service account isn't authorized to mount host paths - you want
>>>>>> to add the service account "default" in the project to the hostaccess SCC
>>>>>>
>>>>>> oadm policy add-scc-to-user hostaccess -z default
>>>>>>
>>>>>> That allows your pod to mount host volumes.
>>>>>>
>>>>>> On Feb 12, 2016, at 8:38 AM, David Strejc <[email protected]> wrote:
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I got the following error when I try to start an application from a template:
>>>>>>
>>>>>> Error creating: Pod "cakephp-example-1-" is forbidden: unable to
>>>>>> validate against any security context constraint:
>>>>>> [spec.containers[0].securityContext.volumeMounts: invalid value
>>>>>> 'test-volume', Details: Host Volumes are not allowed to be used] (9 times
>>>>>> in the last 2 minutes, 52 seconds)
>>>>>>
>>>>>> I've added:
>>>>>>
>>>>>> securityContext:
>>>>>>   privileged: true
>>>>>>
>>>>>> into the template DeploymentConfig definition and the user who is creating the
>>>>>> app from the template is in the privileged scc group.
>>>>>>
>>>>>> What am I doing wrong?
>>>>>>
>>>>>> David Strejc
>>>>>> t: +420734270131
>>>>>> e: [email protected]
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
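The reply at the top of this thread warns that granting hostaccess to every "default" service account, or to the group system:serviceaccounts, hands host mounts to anyone who can create pods. The audit script below is an added example, not code from the thread or from OpenShift: it reads SCC objects in the shape `oc get scc -o json` returns (the JSON here is a constructed sample; the project name "myproject" is an assumption) and lists every principal allowed hostPath volumes, broadest grants first.

```python
import json

# Principals that mean "every workload" / "every caller" rather than one identity.
BROAD_PRINCIPALS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

# Constructed sample (not real cluster output) in the shape of `oc get scc -o json`:
# the hostaccess SCC after `oadm policy add-scc-to-user hostaccess -z default` was
# run in the assumed project "myproject", plus a privileged SCC with a broad group grant.
SAMPLE_SCC_JSON = """
{"kind": "List", "items": [
  {"metadata": {"name": "restricted"}, "allowHostDirVolumePlugin": false,
   "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "hostaccess"}, "allowHostDirVolumePlugin": true,
   "users": ["system:serviceaccount:myproject:default"], "groups": []},
  {"metadata": {"name": "privileged"}, "allowHostDirVolumePlugin": true,
   "users": ["david"], "groups": ["system:serviceaccounts"]}
]}
"""


def grant_scope(principal):
    """Classify how many identities a users/groups entry really covers."""
    if principal in BROAD_PRINCIPALS:
        return "cluster-wide"      # every service account or every user in the cluster
    if principal.startswith("system:serviceaccounts:"):
        return "namespace-wide"    # every service account in one project
    return "single"                # one named user or one service account


def host_mount_grants(scc_list):
    """Return (scc name, principal, scope) for each principal allowed hostPath volumes."""
    findings = []
    for scc in scc_list.get("items", []):
        if not scc.get("allowHostDirVolumePlugin", False):
            continue                # this SCC cannot grant host mounts at all
        name = scc["metadata"]["name"]
        for principal in (scc.get("users") or []) + (scc.get("groups") or []):
            findings.append((name, principal, grant_scope(principal)))
    return findings


def audit(scc_json_text):
    """Parse `oc get scc -o json` output and list host-mount grants, broadest first."""
    findings = host_mount_grants(json.loads(scc_json_text))
    order = {"cluster-wide": 0, "namespace-wide": 1, "single": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for scc, principal, scope in audit(SAMPLE_SCC_JSON):
        print(f"{scope:15} {scc:12} {principal}")
```

Run it against real output with `oc get scc -o json > scc.json` and feed the file's text to `audit()`; a "cluster-wide" row on an SCC that allows host directories is exactly the situation the reply describes.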
