On May 18, 2016, at 5:26 PM, Alan Jones <[email protected]> wrote:

> oadm policy ... -z default

In the version of openshift origin I'm using the oadm command doesn't take '-z'.
Can you fill in the dot, dot, dot for me?
I'm trying to grant permission for host volume access for a pod created by the replication controller which was submitted with node credentials to the API server.
Here is my latest failed attempt to try to follow your advice:

oadm policy add-scc-to-group hostmount-anyuid system:serviceaccount:default

Again, this would be much easier if I could get logs for what group and user it is evaluating when it fails.
Alan

system:serviceaccount:NAMESPACE:default

Since policy is global, you have to identify which namespace/project contains the "default" service account (service accounts are scoped to a project).

On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <[email protected]> wrote:

> You need to grant the permission to a service account for the pod (which
> is "default" if you don't fill in the field). The replication controller's
> SA is not checked.
>
> oadm policy ... -z default
>
> On May 17, 2016, at 8:39 PM, Alan Jones <[email protected]> wrote:
>
> I tried that:
> oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:replication-controller
> ... and I still get the error.
> Is there any way to get the user name/group that fails authentication?
> Alan
>
> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <[email protected]> wrote:
>
>> anyuid doesn't grant hostPath, since that's a much more dangerous
>> permission. You want to grant hostmount-anyuid
>>
>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <[email protected]> wrote:
>> > I have several containers that we run using K8 that require host volume
>> > access.
>> > For example, I have a container called "evdispatch-v1" that I'm trying to
>> > launch in a replication controller and get the below error.
>> > Following an example from "Enable Dockerhub Images that Require Root" in
>> > (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile)
>> > I tried:
>> > oadm policy add-scc-to-user anyuid system:serviceaccount:openshift-infra:replication-controller
>> > But still get the error.
>> > Do you know what I need to do?
>> > Who knows more about this stuff?
>> > Alan
>> > ---
>> > WARNING evdispatch-v1 49e7ac4e-1bae-11e6-88c0-080027767789
>> > ReplicationController replication-controller FailedCreate
>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate
>> > against any security context constraint:
>> > [spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath":
>> > hostPath volumes are not allowed to be used
>> > spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath":
>> > hostPath volumes are not allowed to be used]
>> >
>> > _______________________________________________
>> > users mailing list
>> > [email protected]
>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
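
Added example (not part of the thread and not OpenShift code): a Python sketch that derives the user name the SCC check evaluates for pods created from a replication controller, and checks a subject string against the system:serviceaccount:NAMESPACE:NAME form given above. The manifest, the "myproject" namespace, the host path and the function names are constructed for illustration.

```python
SA_PREFIX = "system:serviceaccount:"

# Constructed replication controller manifest, reduced to the fields that matter.
SAMPLE_RC = {
    "metadata": {"name": "evdispatch-v1", "namespace": "myproject"},
    "spec": {"template": {"spec": {
        # serviceAccountName is left unset, so the pod runs as "default".
        "containers": [{"name": "evdispatch"}],
        "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/example"}}],
    }}},
}

def pod_subject(rc):
    """User name of the service account that pods from this RC run as."""
    namespace = rc["metadata"]["namespace"]
    pod_spec = rc["spec"]["template"]["spec"]
    name = pod_spec.get("serviceAccountName") or "default"
    return f"{SA_PREFIX}{namespace}:{name}"

def uses_host_path(rc):
    """True if the pod template mounts any hostPath volume."""
    volumes = rc["spec"]["template"]["spec"].get("volumes", [])
    return any("hostPath" in v for v in volumes)

def check_subject(subject):
    """Return None if the subject is well formed, else the reason it is not."""
    if not subject.startswith(SA_PREFIX):
        return "not a service account user name"
    fields = subject[len(SA_PREFIX):].split(":")
    if len(fields) != 2 or not all(fields):
        return "expected system:serviceaccount:NAMESPACE:NAME"
    return None

def grant_command(rc, scc="hostmount-anyuid"):
    """oadm invocation that grants the SCC to the pod's own service account."""
    return ["oadm", "policy", "add-scc-to-user", scc, pod_subject(rc)]

if __name__ == "__main__":
    print("hostPath in template:", uses_host_path(SAMPLE_RC))
    print(" ".join(grant_command(SAMPLE_RC)))
    for s in ("system:serviceaccount:default",
              "system:serviceaccount:openshift-infra:replication-controller"):
        # A well-formed subject can still be the wrong one: the replication
        # controller's own service account is not the one that gets checked.
        print(s, "->", check_subject(s) or "well formed")
```
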
