Even if I add the webconsole ServiceAccount to scc anyuid, pod fails to start
https://gist.github.com/cmoulliard/f05b9bc762cbab9993087b1a44aa1331 On Thu, May 17, 2018 at 7:42 PM, Charles Moulliard <cmoul...@redhat.com> wrote: > Do you want that I create a ticket to report the error which is really > blocking/critical ? > > On Thu, May 17, 2018 at 5:20 PM, Charles Moulliard <cmoul...@redhat.com> > wrote: > >> Personaly no. Fyi web console was installed using Openshift ansible >> playbook >> >> On Thu, May 17, 2018, 15:03 Clayton Coleman <ccole...@redhat.com> wrote: >> >>> anyuid is less restrictive than restricted, unless you customized >>> restricted. Did youvustomize restricted? >>> >>> On May 17, 2018, at 8:56 AM, Charles Moulliard <cmoul...@redhat.com> >>> wrote: >>> >>> Hi, >>> >>> If we scale down/up the Replication Set of the OpenShift Web Console, >>> then the new pod created will crash and report >>> >>> "Error: unable to load server certificate: open >>> /var/serving-cert/tls.crt: permission denied" >>> >>> This problem comes from the fact that when the pod is recreated, then >>> the scc annotation is set to anyuid instead of restricted and then the pod >>> can't access the cert >>> >>> apiVersion: v1 >>> kind: Pod >>> metadata: >>> annotations: >>> openshift.io/scc: anyuid >>> >>> Is this bug been fixed for openshift 3.9 ? Is there a workaround to >>> resolve it otherwise we can't access anymore the Web Console ? >>> >>> Regards >>> >>> CHARLES MOULLIARD >>> >>> SOFTWARE ENGINEER MANAGER SPRING(BOOT) >>> >>> Red Hat <https://www.redhat.com/> >>> >>> cmoulli...@redhat.com M: +32-473-604014 >>> <https://red.ht/sig> >>> @cmoulliard <https://twitter.com/cmoulliard> >>> >>> _______________________________________________ >>> dev mailing list >>> dev@lists.openshift.redhat.com >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >>> >>> >
_______________________________________________ dev mailing list dev@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/dev