I think I'm making progress:

oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:default

Now when I submit the replica set I get a different mount error that I think I understand.

Note, the context I'm submitting the request in is using the node host certs under /openshift.local/config/<hostname> to the API server. There is no specified project.

Thank you!
Alan
On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <[email protected]> wrote:
>
> On May 18, 2016, at 5:26 PM, Alan Jones <[email protected]> wrote:
>
> > oadm policy ... -z default
> In the version of openshift origin I'm using the oadm command doesn't take '-z'.
> Can you fill in the dot, dot, dot for me?
> I'm trying to grant permission for host volume access for a pod created by the replication controller which was submitted with node credentials to the API server.
> Here is my latest failed attempt to try to follow your advice:
> oadm policy add-scc-to-group hostmount-anyuid system:serviceaccount:default
> Again, this would be much easier if I could get logs for what group and user it is evaluating when it fails.
> Alan
>
> system:serviceaccount:NAMESPACE:default
>
> Since policy is global, you have to identify which namespace/project contains the "default" service account (service accounts are scoped to a project).
>
> On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <[email protected]> wrote:
>
>> You need to grant the permission to a service account for the pod (which is "default" if you don't fill in the field). The replication controller's SA is not checked.
>>
>> oadm policy ... -z default
>>
>> On May 17, 2016, at 8:39 PM, Alan Jones <[email protected]> wrote:
>>
>> I tried that:
>> oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:replication-controller
>> ... and I still get the error.
>> Is there any way to get the user name/group that fails authentication?
>> Alan
>>
>> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <[email protected]> wrote:
>>
>>> anyuid doesn't grant hostPath, since that's a much more dangerous permission. You want to grant hostmount-anyuid.
>>>
>>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <[email protected]> wrote:
>>> > I have several containers that we run using K8 that require host volume access.
>>> > For example, I have a container called "evdispatch-v1" that I'm trying to launch in a replication controller and get the below error.
>>> > Following an example from "Enable Dockerhub Images that Require Root" in (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile)
>>> > I tried:
>>> > oadm policy add-scc-to-user anyuid system:serviceaccount:openshift-infra:replication-controller
>>> > But still get the error.
>>> > Do you know what I need to do?
>>> > Who knows more about this stuff?
>>> > Alan
>>> > ---
>>> > WARNING evdispatch-v1 49e7ac4e-1bae-11e6-88c0-080027767789 ReplicationController replication-controller FailedCreate
>>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate against any security context constraint:
>>> > [spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>>> > spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
>>> >
>>> > _______________________________________________
>>> > users mailing list
>>> > [email protected]
>>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>> >
>>
>
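The rule the replies keep coming back to, worked through as an added example (not code from the thread or from OpenShift): SCC admission is evaluated against the pod template's own service account, qualified by the project the RC lands in, and a template that mounts hostPath needs hostmount-anyuid rather than anyuid. The RC manifest and the "default" project below are constructed for illustration.

```python
from typing import Dict

HOSTPATH_SCC = "hostmount-anyuid"   # needed once the template has a hostPath volume
ROOT_ONLY_SCC = "anyuid"            # only lets the container run as any UID


def scc_subject(rc: Dict, namespace: str) -> str:
    """Subject SCC admission checks: the pod template's service account,
    'default' when the template names none, qualified by its project."""
    spec = rc["spec"]["template"]["spec"]
    sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    return f"system:serviceaccount:{namespace}:{sa}"


def uses_host_path(rc: Dict) -> bool:
    """True when any volume in the pod template is a hostPath volume."""
    volumes = rc["spec"]["template"]["spec"].get("volumes", [])
    return any("hostPath" in v for v in volumes)


def required_scc(rc: Dict) -> str:
    """anyuid does not cover hostPath; hostPath needs hostmount-anyuid."""
    return HOSTPATH_SCC if uses_host_path(rc) else ROOT_ONLY_SCC


def grant_command(rc: Dict, namespace: str) -> str:
    """The oadm invocation from the thread, with SCC and subject filled in."""
    return f"oadm policy add-scc-to-user {required_scc(rc)} {scc_subject(rc, namespace)}"


# Constructed sample RC shaped like the "evdispatch-v1" one in the thread:
# no serviceAccountName in the template, one hostPath volume.
SAMPLE_RC = {
    "kind": "ReplicationController",
    "metadata": {"name": "evdispatch-v1"},
    "spec": {
        "replicas": 1,
        "template": {"spec": {
            "containers": [{"name": "evdispatch", "image": "example/evdispatch:v1",
                            "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
            "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/evdispatch"}}],
        }},
    },
}

if __name__ == "__main__":
    # Assumes the RC was submitted into the "default" project (constructed value).
    print(grant_command(SAMPLE_RC, "default"))
```

Granting the RC's own service account (system:serviceaccount:openshift-infra:replication-controller) does nothing here because that subject never appears in the check.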
