Yep, enabling 'default' to run privileged as you described worked!

Thanks Clayton,

- Luis

----- Original Message -----
From: "Luis Pabón" <[email protected]>
To: "Clayton Coleman" <[email protected]>
Cc: "users" <[email protected]>, "Erin Boyd" <[email protected]>, 
"Humble Chirammal" <[email protected]>
Sent: Wednesday, May 18, 2016 3:38:18 PM
Subject: Re: Seems privileged mode cannot be set in a template

I think I am getting it now.

So when I run:
$ oc get serviceaccounts
NAME       SECRETS   AGE
builder    2         4h
default    2         4h
deployer   2         4h

These accounts are the ones used for the replica deployment as shown in 
https://docs.openshift.com/enterprise/3.0/dev_guide/service_accounts.html.

What I would need to do is create/enable a service account to run privileged 
replication/deployment, right?

- Luis

----- Original Message -----
From: "Clayton Coleman" <[email protected]>
To: "Luis Pabón" <[email protected]>
Cc: "users" <[email protected]>, "Erin Boyd" <[email protected]>, 
"Humble Chirammal" <[email protected]>
Sent: Wednesday, May 18, 2016 3:20:28 PM
Subject: Re: Seems privileged mode cannot be set in a template

A service account is not a user.  A service account is its own
concept.  A service account already exists in each namespace - in this
case, if you run "oc get service accounts" you'll see three (default,
builder, and deployer).  The pods that are created have a
spec.serviceAccountName field which defaults to "default", and that is
what is used to determine what the pod can do.

On Wed, May 18, 2016 at 3:09 PM, Luis Pabón <[email protected]> wrote:
> Thanks Clayton, but that did not work.  These are the steps I took:
>
> 1. Create a user called test-admin:
> oadm policy add-cluster-role-to-user cluster-admin test-admin \
>         --config=openshift.local.config/master/admin.kubeconfig
>
> 2. Add privileged settings:
> oc edit scc privileged
>
> 3. Add test-admin
> users:
> - system:serviceaccount:openshift-infra:build-controller
> - test-admin
>
> 4. Create a pod with privileged mode -- Works
> 5. Add a template which looks similar to the pod definition
> 6. Deploy a container from the template -- Doesn't deploy
>
> 7. Run:
> oadm policy add-scc-to-user privileged -z test-admin
>
> 8. This added the line "- system:serviceaccount:test:test-admin" to scc 
> privileged
> 9. Deploy a container from the template -- Doesn't deploy
>
>
> Logs:
> $ oc get pods
> NAME              READY     STATUS    RESTARTS   AGE
> heketi-1-deploy   0/1       Error     0          8m
>
> $ oc logs heketi-1-deploy
> The output of the 'deploy' container is:
> I0518 18:59:49.026072       1 deployer.go:199] Deploying test/heketi-1 for the first time (replicas: 1)
> I0518 18:59:49.029593       1 recreate.go:126] Scaling test/heketi-1 to 1 before performing acceptance check
> F0518 19:01:50.134899       1 deployer.go:69] couldn't scale test/heketi-1 to 1: timed out waiting for the condition
>
>
> Seems that it is not working.  Maybe I have another configuration that I need 
> to setup?
>
>
>
> ----- Original Message -----
> From: "Clayton Coleman" <[email protected]>
> To: "Luis Pabón" <[email protected]>
> Cc: "users" <[email protected]>, "Erin Boyd" 
> <[email protected]>, "Humble Chirammal" <[email protected]>
> Sent: Wednesday, May 18, 2016 2:47:04 PM
> Subject: Re: Seems privileged mode cannot be set in a template
>
> You have to grant access to privileged to the service account in the
> namespace - if you're running as cluster-admin, you can create
> privileged pods, but a regular service account unless you add it:
>
>     oadm policy add-scc-to-user privileged -z default
>
> where "default" is the service account that is used if you don't specify one.
>
>
> On Wed, May 18, 2016 at 2:31 PM, Luis Pabón <[email protected]> wrote:
>>
>>
>> Hi all,
>>   I am able to easily deploy a POD with privileged mode enabled in my 
>> openshift cluster.  I am also able to deploy a non-privileged application 
>> from a service/deploymentConfig template.  But, I am unable to create a 
>> template which deploys a POD with privileged mode enabled.  Is this 
>> possible?  Here is a sample template:
>>
>> {
>>   "kind": "Template",
>>   "apiVersion": "v1",
>>   "metadata": {
>>     "name": "heketi",
>>     "annotations": {
>>       "description": "Heketi application",
>>       "tags": "glusterfs,heketi"
>>     }
>>   },
>>   "labels": {
>>     "template": "heketi"
>>   },
>>   "objects": [
>>     {
>>       "kind": "Service",
>>       "apiVersion": "v1",
>>       "metadata": {
>>         "name": "${NAME}",
>>         "annotations": {
>>           "description": "Exposes Heketi service"
>>         }
>>       },
>>       "spec": {
>>         "ports": [
>>           {
>>             "name": "rest-api",
>>             "port": 8080,
>>             "targetPort": 8080
>>           }
>>         ],
>>         "selector": {
>>           "name": "${NAME}"
>>         }
>>       }
>>     },
>>     {
>>       "kind": "DeploymentConfig",
>>       "apiVersion": "v1",
>>       "metadata": {
>>         "name": "${NAME}",
>>         "annotations": {
>>           "description": "Defines how to deploy Heketi"
>>         }
>>       },
>>       "spec": {
>>         "replicas": 1,
>>         "selector": {
>>           "name": "${NAME}"
>>         },
>>         "triggers": [
>>           {
>>             "type": "ConfigChange"
>>           }
>>         ],
>>         "strategy": {
>>           "type": "Rolling"
>>         },
>>         "template": {
>>           "metadata": {
>>             "name": "${NAME}",
>>             "labels": {
>>               "name": "${NAME}"
>>             }
>>           },
>>           "spec": {
>>             "containers": [
>>               {
>>                 "securityContext" : {
>>                   "capabilities" : {},
>>                   "privileged" : true
>>                 },
>>                 "name": "heketi",
>>                 "image": "heketi/heketi:dev",
>>                 "ports": [
>>                   {
>>                     "containerPort": 8080
>>                   }
>>                 ],
>>                 "volumeMounts": [
>>                   {
>>                     "name": "db",
>>                     "mountPath": "/var/lib/heketi"
>>                   }
>>                 ],
>>                 "readinessProbe": {
>>                   "timeoutSeconds": 3,
>>                   "initialDelaySeconds": 3,
>>                   "httpGet": {
>>                     "path": "/hello",
>>                     "port": 8080
>>                   }
>>                 },
>>                 "livenessProbe": {
>>                   "timeoutSeconds": 3,
>>                   "initialDelaySeconds": 30,
>>                   "httpGet": {
>>                     "path": "/hello",
>>                     "port": 8080
>>                   }
>>                 }
>>               }
>>             ],
>>             "volumes": [
>>               {
>>                 "name": "db"
>>               }
>>             ]
>>           }
>>         }
>>       }
>>     }
>>   ],
>>   "parameters": [
>>     {
>>       "name": "NAME",
>>       "displayName": "Name",
>>       "description": "The name assigned to all of the frontend objects defined in this template.",
>>       "required": true,
>>       "value": "heketi"
>>     }
>>   ]
>> }
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
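The point Clayton makes above is that a pod's permissions come from the service account named in spec.serviceAccountName (falling back to "default"), not from the user who creates the template, so the privileged SCC has to be granted to that service account. The script below is an added example, not code from the thread or from OpenShift: it walks a v1 Template, reports every container that asks for privileged mode together with the service account the pod would run as and the SCC subject name that grant produces, and flags DeploymentConfig-level fields (triggers, strategy) that have been nested under spec.template, where they do not apply. The sample template, the namespace "test" and all names in it are constructed for the example.

```python
import json

# Constructed sample, modelled on the template shape discussed in the thread
# (names and values here are illustrative, not copied from a real cluster).
SAMPLE_TEMPLATE = json.dumps({
    "kind": "Template",
    "apiVersion": "v1",
    "metadata": {"name": "sample"},
    "objects": [
        {
            "kind": "DeploymentConfig",
            "apiVersion": "v1",
            "metadata": {"name": "${NAME}"},
            "spec": {
                "replicas": 1,
                "selector": {"name": "${NAME}"},
                "template": {
                    "metadata": {"labels": {"name": "${NAME}"}},
                    # DeploymentConfig-level fields wrongly nested in the pod template
                    "triggers": [{"type": "ConfigChange"}],
                    "strategy": {"type": "Rolling"},
                    "spec": {
                        "containers": [
                            {"name": "heketi", "image": "heketi/heketi:dev",
                             "securityContext": {"privileged": True}},
                            {"name": "sidecar", "image": "busybox"},
                        ]
                    },
                },
            },
        },
        {
            "kind": "Pod",
            "apiVersion": "v1",
            "metadata": {"name": "plain"},
            "spec": {"serviceAccountName": "web",
                     "containers": [{"name": "web", "image": "nginx"}]},
        },
    ],
    "parameters": [{"name": "NAME", "value": "heketi"}],
})

# Fields that belong on DeploymentConfig.spec, not on the pod template.
DC_ONLY_FIELDS = ("triggers", "strategy", "replicas", "selector")
DEFAULT_SERVICE_ACCOUNT = "default"


def pod_specs(template):
    """Yield (object name, kind, pod spec) for every object that produces pods."""
    for obj in template.get("objects", []):
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if kind == "Pod":
            yield name, kind, obj.get("spec", {})
        elif kind in ("DeploymentConfig", "ReplicationController", "Deployment"):
            yield name, kind, obj.get("spec", {}).get("template", {}).get("spec", {})


def privileged_containers(pod_spec):
    """Names of containers whose securityContext asks for privileged mode."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c.get("name", "<unnamed>") for c in containers
            if (c.get("securityContext") or {}).get("privileged") is True]


def audit_privileged(template_json, namespace):
    """Return one finding per pod-producing object that requests privileged mode."""
    template = json.loads(template_json)
    findings = []
    for name, kind, spec in pod_specs(template):
        names = privileged_containers(spec)
        if not names:
            continue
        # Pods run as spec.serviceAccountName; when unset the "default" SA is used.
        sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or DEFAULT_SERVICE_ACCOUNT
        findings.append({
            "object": name,
            "kind": kind,
            "containers": names,
            "service_account": sa,
            "scc_user": "system:serviceaccount:%s:%s" % (namespace, sa),
            "grant": "oadm policy add-scc-to-user privileged -z %s -n %s" % (sa, namespace),
        })
    return findings


def misplaced_dc_fields(template_json):
    """Report DeploymentConfig-level fields nested under spec.template, where they do not apply."""
    template = json.loads(template_json)
    problems = []
    for obj in template.get("objects", []):
        if obj.get("kind") != "DeploymentConfig":
            continue
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        tmpl = obj.get("spec", {}).get("template", {})
        problems.extend("%s: spec.template.%s" % (name, f) for f in DC_ONLY_FIELDS if f in tmpl)
    return problems


if __name__ == "__main__":
    for f in audit_privileged(SAMPLE_TEMPLATE, "test"):
        print("%s/%s runs privileged container(s) %s as %s; grant with: %s"
              % (f["kind"], f["object"], ", ".join(f["containers"]), f["scc_user"], f["grant"]))
    for p in misplaced_dc_fields(SAMPLE_TEMPLATE):
        print("misplaced field:", p)
```

Run it against a template before `oc process | oc create` and you know which service account needs the SCC grant. Because granting privileged to "default" covers every pod in the namespace that does not name its own service account, the report's service_account field is also the cue to set spec.serviceAccountName to a dedicated account and grant privileged to that one instead.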
