Hi,

This is my SCC:

$ oc get scc
NAME               PRIV    CAPS   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
hostaccess         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]
hostmount-anyuid   false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret]
hostnetwork        false   []     MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
nonroot            false   []     MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]
privileged         true    []     RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
restricted         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim secret]

I see that hostaccess, hostmount-anyuid and privileged have access to the hostPath volume.

I've removed all SCCs from the admin user and the default SA:

$ oc adm policy remove-scc-from-user anyuid -z default -n openshift-infra
$ oc adm policy remove-scc-from-user hostaccess -z default -n openshift-infra
$ oc adm policy remove-scc-from-user hostmount-anyuid -z default -n openshift-infra
$ oc adm policy remove-scc-from-user hostnetwork -z default -n openshift-infra
$ oc adm policy remove-scc-from-user nonroot -z default -n openshift-infra
$ oc adm policy remove-scc-from-user privileged -z default -n openshift-infra
$ oc adm policy remove-scc-from-user restricted -z default -n openshift-infra
$ oc adm policy remove-scc-from-user anyuid admin -n openshift-infra
$ oc adm policy remove-scc-from-user hostaccess admin -n openshift-infra
$ oc adm policy remove-scc-from-user hostmount-anyuid admin -n openshift-infra
$ oc adm policy remove-scc-from-user hostnetwork admin -n openshift-infra
$ oc adm policy remove-scc-from-user nonroot admin -n openshift-infra
$ oc adm policy remove-scc-from-user privileged admin -n openshift-infra
$ oc adm policy remove-scc-from-user restricted admin -n openshift-infra
$ oc adm policy add-scc-to-user privileged admin -n openshift-infra
$ oc adm policy add-scc-to-user privileged -z default -n openshift-infra

Now I add the privileged SCC to the admin user and the default SA:

$ oc adm policy add-scc-to-user privileged admin -n openshift-infra
$ oc adm policy add-scc-to-user privileged -z default -n openshift-infra

My replication controller file: https://gist.github.com/harobed/76dc697e1658afd934c107aadc4f09a6

Next, I create the ReplicationController:

$ oc delete rc hawkular-cassandra-1
$ oc delete event --all
$ oc apply -n openshift-infra -f replicationcontrollers.yaml
$ oc get events
FIRSTSEEN   LASTSEEN   COUNT   NAME                   KIND                    SUBOBJECT   TYPE      REASON         SOURCE                      MESSAGE
3d          3d         4       hawkular-cassandra-1   ReplicationController               Warning   FailedCreate   {replication-controller }   Error creating: pods "hawkular-cassandra-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

Why? Did I set the policy on the wrong user?

Is it this bug? https://github.com/openshift/origin/issues/11153

Best regards,
Stéphane

--
Stéphane Klein <[email protected]>
blog: http://stephane-klein.info
cv : http://cv.stephane-klein.info
Twitter: http://twitter.com/klein_stephane
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
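The post's `oc get scc` listing is the cluster's record of which constraints permit the hostPath volume type, and the error above is what happens when none of the SCCs that admission is willing to use for the pod does. The following POSIX shell check is an added example, not part of the original post or of OpenShift itself: it parses the plain-text `oc get scc` table (the VOLUMES column is the bracketed list at the end of each row, and `[*]` means every volume type) and reports which SCCs allow a given volume type. The embedded table is the one from the post, reproduced here as constructed sample data so the script runs offline; in practice the output of `oc get scc` is passed in instead. Because hostPath is effectively node filesystem access, the SCCs this check reports are the ones whose `users` and `groups` bindings deserve an audit.

```shell
#!/bin/sh
# Constructed sample: the `oc get scc` table from the post, embedded so the
# check runs offline. Replace with "$(oc get scc)" against a live cluster.
SCC_TABLE='NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]'

# sccs_allowing_volume TABLE VOLTYPE
# Print, one per line, the names of SCCs whose VOLUMES column permits
# VOLTYPE, either by listing it or via the "*" wildcard.
sccs_allowing_volume() {
    printf '%s\n' "$1" | awk -v vol="$2" '
        NR == 1 { next }                         # skip the header row
        {
            # VOLUMES is the text after the last "[" on the row; CAPS also
            # prints as "[]" earlier on the line, so take the last bracket.
            line = $0
            while ((i = index(line, "[")) > 0) { line = substr(line, i + 1) }
            sub(/\]$/, "", line)
            # word-boundary match: pad both sides with spaces
            if (line == "*" || index(" " line " ", " " vol " ") > 0)
                print $1
        }'
}

# scc_allows_volume TABLE SCC VOLTYPE
# Exit 0 if the named SCC permits VOLTYPE, 1 otherwise.
scc_allows_volume() {
    printf '%s\n' "$1" | awk -v scc="$2" -v vol="$3" '
        NR == 1 { next }
        $1 == scc {
            line = $0
            while ((i = index(line, "[")) > 0) { line = substr(line, i + 1) }
            sub(/\]$/, "", line)
            if (line == "*" || index(" " line " ", " " vol " ") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: which SCCs in the sample table grant hostPath?
echo "SCCs allowing hostPath:"
sccs_allowing_volume "$SCC_TABLE" hostPath
```

Against a live cluster the same check reads `sccs_allowing_volume "$(oc get scc)" hostPath`; the three names it prints for the sample table (hostaccess, hostmount-anyuid, privileged) match the ones the post identifies by eye, and `scc_allows_volume "$(oc get scc)" restricted hostPath` is a quick way to confirm that the default constraint does not.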
