Re: SCC privileged not applying

2017-12-18 Thread Weiwei Jiang
Hi:

I think you have some misunderstanding about OpenShift.

Actually, you created a daemonset with a specific serviceaccount you created,
which is granted the privileged SCC, right?
But the SCC is trying to verify the creator account (you can see this with
audit enabled), which should be daemonset-controller or something like this,
not the given serviceaccount.
So you granted the new-relic account, but the creator is
daemonset-controller (just putting it here; maybe this is also not the right
serviceaccount that creates the target pod), so you got this issue.

And back to your scenario, I have no better suggestion if you insist on
using a daemonset to create the pod.

You can pick up the pod template from the daemonset to create the pod
directly and grant the SCC to your user (`oc whoami`), but you will lose the
daemonset features.


Regards!

On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <mateus.caruc...@getupcloud.com> wrote:

> There is this daemonset which needs host access. I've created a namespace,
> added `privileged` scc to a new serviceaccount and set pod to run with that
> SA.
>
> The problem is OpenShift is not applying the privileged SCC to my
> serviceAccount.
>
> *$ oc get ev*
> LASTSEEN   FIRSTSEEN   COUNT   NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
> 17s        17s         25      newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods
> "newrelic-agent-" is forbidden: unable to validate against any security
> context constraint: [provider restricted:
> .spec.securityContext.hostNetwork: Invalid value: true: Host network is not
> allowed to be used provider restricted: .spec.securityContext.hostPID:
> Invalid value: true: Host PID is not allowed to be used provider
> restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
> not allowed to be used provider restricted:
> .spec.containers[0].securityContext.privileged: Invalid value: true:
> Privileged containers are not allowed provider restricted:
> .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
> hostPath volumes are not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
> network is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
> is not allowed to be used provider restricted:
> .spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
> is not allowed to be used]
>
>
> This is my config:
>
>
> *$ oc version*
> oc v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
> features: Basic-Auth GSSAPI Kerberos SPNEGO
>
> Server https://[REDACTED]
> openshift v3.6.0+c4dd4cf
> kubernetes v1.6.1+5115d708d7
>
>
> *$ oc whoami*
> system:admin
>
>
> *$ oc get ds -o yaml -n new-relic*
> apiVersion: v1
> items:
> - apiVersion: extensions/v1beta1
>   kind: DaemonSet
>   metadata:
>     creationTimestamp: 2017-12-18T18:20:42Z
>     generation: 1
>     labels:
>       app: newrelic-agent
>       tier: monitoring
>       version: v1
>     name: newrelic-agent
>     namespace: new-relic
>     resourceVersion: "9280118"
>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>   spec:
>     selector:
>       matchLabels:
>         name: newrelic
>     template:
>       metadata:
>         creationTimestamp: null
>         labels:
>           name: newrelic
>       spec:
>         containers:
>         - command:
>           - bash
>           - -c
>           - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
>           env:
>           - name: NRSYSMOND_logfile
>             value: /var/log/nrsysmond.log
>           image: newrelic/nrsysmond
>           imagePullPolicy: Always
>           name: newrelic
>           resources:
>             requests:
>               cpu: 150m
>           securityContext:
>             privileged: true
>           terminationMessagePath: /dev/termination-log
>           terminationMessagePolicy: File
>           volumeMounts:
>           - mountPath: /etc/kube-newrelic
>             name: newrelic-config
>             readOnly: true
>           - mountPath: /dev
>             name: dev
>           - mountPath: /var/run/docker.sock
>             name: run
>           - mountPath: /sys
>             name: sys
>           - mountPath: /var/log
>             name: log
>         dnsPolicy: ClusterFirst
>         hostIPC: true
>         hostNetwork:
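The admission check Weiwei describes, as an added example that is not part of the thread or of OpenShift's own code: a small Python model of how an SCC is picked for a pod. It considers only the SCCs bound to the requesting user or to the pod's service account (directly or through a group), validates the pod against each one's allow* flags, and phrases violations the way the event above does. The SCC flags and the pod spec are reduced from the output in the thread; the users/groups lists on the SCCs, the controller service-account name and the implicit service-account groups are assumptions, and the candidate order is simplified (real admission sorts SCCs by priority and then by how restrictive they are).

```python
import json

# Constructed sample in the shape of `oc get scc -o json`, trimmed to the fields
# read below. The allow* flags of `restricted` match the failures quoted in the
# thread and those of `privileged` match the partial dump at the end of the
# post; the users/groups lists are assumptions (3.x defaults), not page content.
SCC_LIST_JSON = """{"items": [
  {"metadata": {"name": "restricted"},
   "allowHostDirVolumePlugin": false, "allowHostIPC": false,
   "allowHostNetwork": false, "allowHostPID": false,
   "allowPrivilegedContainer": false,
   "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "privileged"},
   "allowHostDirVolumePlugin": true, "allowHostIPC": true,
   "allowHostNetwork": true, "allowHostPID": true,
   "allowPrivilegedContainer": true,
   "users": ["system:admin"], "groups": ["system:cluster-admins", "system:nodes"]}
]}"""

# Pod spec reduced from the daemonset template posted in the thread.
POD_SPEC = {
    "serviceAccountName": "new-relic",
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{"name": "newrelic", "securityContext": {"privileged": True}}],
    "volumes": [
        {"name": "newrelic-config", "secret": {"secretName": "newrelic-config"}},
        {"name": "dev", "hostPath": {"path": "/dev"}},
        {"name": "run", "hostPath": {"path": "/var/run/docker.sock"}},
        {"name": "sys", "hostPath": {"path": "/sys"}},
        {"name": "log", "hostPath": {"path": "/var/log"}},
    ],
}

# Assumed identity of the controller that creates daemonset pods; the thread
# only calls it "daemonset-controller or something like this".
DAEMONSET_CONTROLLER = "system:serviceaccount:kube-system:daemon-set-controller"


def load_sccs(raw_json):
    return {s["metadata"]["name"]: s for s in json.loads(raw_json)["items"]}


def identities(namespace, requester, pod_spec):
    """Subjects admission matches SCCs against: the requesting user and the
    pod's service account, plus the groups a service account implicitly has."""
    sa = f"system:serviceaccount:{namespace}:{pod_spec['serviceAccountName']}"
    users = {requester, sa}
    groups = {"system:authenticated", "system:serviceaccounts",
              f"system:serviceaccounts:{namespace}"}
    return users, groups


def scc_matches(scc, users, groups):
    return bool(users & set(scc.get("users", []))) or bool(groups & set(scc.get("groups", [])))


def validate(scc, pod_spec):
    """Violations of one SCC, phrased like the admission error in the event."""
    name = scc["metadata"]["name"]
    errs = []
    for field, flag, what in (("hostNetwork", "allowHostNetwork", "Host network"),
                              ("hostPID", "allowHostPID", "Host PID"),
                              ("hostIPC", "allowHostIPC", "Host IPC")):
        if pod_spec.get(field) and not scc[flag]:
            errs.append(f"provider {name}: .spec.securityContext.{field}: "
                        f"Invalid value: true: {what} is not allowed to be used")
    for i, c in enumerate(pod_spec.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not scc["allowPrivilegedContainer"]:
            errs.append(f"provider {name}: .spec.containers[{i}].securityContext.privileged: "
                        f"Invalid value: true: Privileged containers are not allowed")
    for i, v in enumerate(pod_spec.get("volumes", [])):
        if "hostPath" in v and not scc["allowHostDirVolumePlugin"]:
            errs.append(f'provider {name}: .spec.volumes[{i}]: Invalid value: "hostPath": '
                        f'hostPath volumes are not allowed to be used')
    return errs


def admit(sccs, namespace, requester, pod_spec):
    """Return (scc_name, []) for the first bound SCC that validates the pod, or
    (None, all_errors) when none does. Name order stands in for the real
    priority/restrictiveness ordering in this model."""
    users, groups = identities(namespace, requester, pod_spec)
    errors = []
    for name in sorted(sccs):
        if not scc_matches(sccs[name], users, groups):
            continue  # not bound to the requester or the pod's SA: never a candidate
        errs = validate(sccs[name], pod_spec)
        if not errs:
            return name, []
        errors.extend(errs)
    return None, errors


def grant_scc(sccs, scc_name, subject):
    """Model of `oc adm policy add-scc-to-user <scc> <subject>`."""
    sccs[scc_name].setdefault("users", []).append(subject)


if __name__ == "__main__":
    sccs = load_sccs(SCC_LIST_JSON)
    print(admit(sccs, "new-relic", DAEMONSET_CONTROLLER, POD_SPEC))   # (None, 8 errors)
    print(admit(sccs, "new-relic", "system:admin", POD_SPEC))         # ('privileged', [])
    grant_scc(sccs, "privileged", "system:serviceaccount:new-relic:new-relic")
    print(admit(sccs, "new-relic", DAEMONSET_CONTROLLER, POD_SPEC))   # ('privileged', [])
```

The first call reproduces the event: the controller is only matched by `restricted`, so all eight findings come from that provider and nothing admits the pod. The same pod requested by `system:admin` (the direct-creation route Weiwei suggests) is admitted because that user is bound to `privileged`. After `grant_scc` binds `system:serviceaccount:new-relic:new-relic`, the daemonset-created pod is admitted too; on a real cluster that binding is `oc adm policy add-scc-to-user privileged system:serviceaccount:new-relic:new-relic`, and `oc get scc privileged -o yaml` should then list that subject under `users`.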

SCC privileged not applying

2017-12-18 Thread Mateus Caruccio
There is this daemonset which needs host access. I've created a namespace,
added `privileged` scc to a new serviceaccount and set pod to run with that
SA.

The problem is OpenShift is not applying the privileged SCC to my
serviceAccount.

*$ oc get ev*
LASTSEEN   FIRSTSEEN   COUNT   NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
17s        17s         25      newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods
"newrelic-agent-" is forbidden: unable to validate against any security
context constraint: [provider restricted:
.spec.securityContext.hostNetwork: Invalid value: true: Host network is not
allowed to be used provider restricted: .spec.securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used provider
restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
not allowed to be used provider restricted:
.spec.containers[0].securityContext.privileged: Invalid value: true:
Privileged containers are not allowed provider restricted:
.spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
network is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
is not allowed to be used]


This is my config:


*$ oc version*
oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://[REDACTED]
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7


*$ oc whoami*
system:admin


*$ oc get ds -o yaml -n new-relic*
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    creationTimestamp: 2017-12-18T18:20:42Z
    generation: 1
    labels:
      app: newrelic-agent
      tier: monitoring
      version: v1
    name: newrelic-agent
    namespace: new-relic
    resourceVersion: "9280118"
    selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
    uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
  spec:
    selector:
      matchLabels:
        name: newrelic
    template:
      metadata:
        creationTimestamp: null
        labels:
          name: newrelic
      spec:
        containers:
        - command:
          - bash
          - -c
          - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
          env:
          - name: NRSYSMOND_logfile
            value: /var/log/nrsysmond.log
          image: newrelic/nrsysmond
          imagePullPolicy: Always
          name: newrelic
          resources:
            requests:
              cpu: 150m
          securityContext:
            privileged: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /etc/kube-newrelic
            name: newrelic-config
            readOnly: true
          - mountPath: /dev
            name: dev
          - mountPath: /var/run/docker.sock
            name: run
          - mountPath: /sys
            name: sys
          - mountPath: /var/log
            name: log
        dnsPolicy: ClusterFirst
        hostIPC: true
        hostNetwork: true
        hostPID: true
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        serviceAccount: new-relic
        serviceAccountName: new-relic
        terminationGracePeriodSeconds: 30
        volumes:
        - name: newrelic-config
          secret:
            defaultMode: 420
            secretName: newrelic-config
        - hostPath:
            path: /dev
          name: dev
        - hostPath:
            path: /var/run/docker.sock
          name: run
        - hostPath:
            path: /sys
          name: sys
        - hostPath:
            path: /var/log
          name: log
    templateGeneration: 1
    updateStrategy:
      type: OnDelete
  status:
    currentNumberScheduled: 0
    desiredNumberScheduled: 0
    numberMisscheduled: 0
    numberReady: 0
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""


*$ oc get scc*
...[cut]
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegedContainer: true
  allowedCapabilities:
  - '*'
  apiVersion: v1
  defaultAddCapabilities: []
  fsGro

Re: Several questions about authorization

2017-12-18 Thread Yu Wei
The created user info is as below,

[root@host-10-1-236-92 ~]# oc describe user hello
Name:           hello
Created:        24 minutes ago
Labels:
Annotations:
Identities:     allow_all:hello

Is the issue caused by allow_all?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


From: users-boun...@lists.openshift.redhat.com on behalf of Yu Wei
Sent: Monday, December 18, 2017 11:48:46 PM
To: Clayton Coleman
Cc: us...@lists.openshift.redhat.com; dev@lists.openshift.redhat.com
Subject: Re: Several questions about authorization


I guessed that some configuration was not proper.

When I create a new user, it is always added to project "aura" by default.

Cluster is setup on OpenShift Origin 3.6.

[root@host-10-1-236-92 ~]# oc describe project aura
Name:               aura
Created:            7 weeks ago
Labels:
Annotations:        openshift.io/description=
                    openshift.io/display-name=
                    openshift.io/requester=aura
                    openshift.io/sa.scc.mcs=s0:c9,c4
                    openshift.io/sa.scc.supplemental-groups=18/1
                    openshift.io/sa.scc.uid-range=18/1
Display Name:
Description:
Status:             Active
Node Selector:
Quota:
Resource limits:
[root@host-10-1-236-92 ~]# oc login
Authentication required for https://10.1.241.54:8443 (openshift)
Username: hello
Password:
Login successful.

You have one project on this server: "aura"

Using project "aura".

Where should I start to fix the problem? Any advice?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


From: Clayton Coleman 
Sent: Monday, December 18, 2017 10:41:30 PM
To: Yu Wei
Cc: us...@lists.openshift.redhat.com; dev@lists.openshift.redhat.com
Subject: Re: Several questions about authorization



On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei <yu20...@hotmail.com> wrote:

Hi,

I have several questions about user and authorization management.

1, How could I remove user from project?



[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * aura
    test1

Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?

How did you get added to the "aura" project?  If you can't view role bindings, 
then you likely don't have the "view" role and you have been given a more 
constrained role.  You'd need to ask the person who added you in that case.


And how could I find which users belong to project "aura"?

You can see which users have been added with explicit roles by doing "oc get 
rolebindings".  You can see who can view the namespace by running "oc policy 
who-can get namespace aura" if you have sufficient permissions.



2, basic-user

When should "basic-user" be used? It seems that basic-user is cluster wide. 
Is my understanding right?

There are two types of role bindings - namespace scoped role bindings 
(rolebindings) and cluster scoped role bindings (clusterrolebindings).  If you 
add someone to a clusterrolebinding they have that role on all namespaces in 
the cluster.  If you add someone with a rolebinding, they only have that 
permission on the namespace the rolebinding is created in.



3, user created automatically

When I issue the command "oc login -u test2 -p test2", user "test2" is
created automatically.

After user creation, which project does created user belong to?

None, unless you grant a clusterrolebinding to a group and the new user is in 
that group.



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

___
users mailing list
us...@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: Several questions about authorization

2017-12-18 Thread Yu Wei
I guessed that some configuration was not proper.

When I create a new user, it is always added to project "aura" by default.

Cluster is setup on OpenShift Origin 3.6.

[root@host-10-1-236-92 ~]# oc describe project aura
Name:               aura
Created:            7 weeks ago
Labels:
Annotations:        openshift.io/description=
                    openshift.io/display-name=
                    openshift.io/requester=aura
                    openshift.io/sa.scc.mcs=s0:c9,c4
                    openshift.io/sa.scc.supplemental-groups=18/1
                    openshift.io/sa.scc.uid-range=18/1
Display Name:
Description:
Status:             Active
Node Selector:
Quota:
Resource limits:
[root@host-10-1-236-92 ~]# oc login
Authentication required for https://10.1.241.54:8443 (openshift)
Username: hello
Password:
Login successful.

You have one project on this server: "aura"

Using project "aura".

Where should I start to fix the problem? Any advice?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


From: Clayton Coleman 
Sent: Monday, December 18, 2017 10:41:30 PM
To: Yu Wei
Cc: us...@lists.openshift.redhat.com; dev@lists.openshift.redhat.com
Subject: Re: Several questions about authorization



On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei <yu20...@hotmail.com> wrote:

Hi,

I have several questions about user and authorization management.

1, How could I remove user from project?



[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * aura
    test1

Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?

How did you get added to the "aura" project?  If you can't view role bindings, 
then you likely don't have the "view" role and you have been given a more 
constrained role.  You'd need to ask the person who added you in that case.


And how could I find which users belong to project "aura"?

You can see which users have been added with explicit roles by doing "oc get 
rolebindings".  You can see who can view the namespace by running "oc policy 
who-can get namespace aura" if you have sufficient permissions.



2, basic-user

When should "basic-user" be used? It seems that basic-user is cluster wide. 
Is my understanding right?

There are two types of role bindings - namespace scoped role bindings 
(rolebindings) and cluster scoped role bindings (clusterrolebindings).  If you 
add someone to a clusterrolebinding they have that role on all namespaces in 
the cluster.  If you add someone with a rolebinding, they only have that 
permission on the namespace the rolebinding is created in.



3, user created automatically

When I issue the command "oc login -u test2 -p test2", user "test2" is
created automatically.

After user creation, which project does created user belong to?

None, unless you grant a clusterrolebinding to a group and the new user is in 
that group.



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux



Re: Several questions about authorization

2017-12-18 Thread Clayton Coleman
On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei wrote:

> Hi,
>
> I have several questions about user and authorization management.
>
> 1, How could I remove user from project?
>
> [root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
> Login successful.
>
> You have access to the following projects and can switch between them with 'oc project <projectname>':
>
>   * aura
>     test1
>
> Using project "aura".
> [root@host-10-1-236-92 gpu-test]# oc project aura
> Already on project "aura" on server "https://10.1.241.54:8443".
> [root@host-10-1-236-92 gpu-test]# oc get rolebindings
> Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"
>
> How should I remove user "test1" from project "aura"?
>

How did you get added to the "aura" project?  If you can't view role
bindings, then you likely don't have the "view" role and you have been
given a more constrained role.  You'd need to ask the person who added you
in that case.


> And how could I find which users belong to project "aura"?
>

You can see which users have been added with explicit roles by doing "oc
get rolebindings".  You can see who can view the namespace by running "oc
policy who-can get namespace aura" if you have sufficient permissions.


>
> 2, basic-user
>
> When should "basic-user" be used? It seems that basic-user is cluster
> wide. Is my understanding right?
>

There are two types of role bindings - namespace scoped role bindings
(rolebindings) and cluster scoped role bindings (clusterrolebindings).  If
you add someone to a clusterrolebinding they have that role on all
namespaces in the cluster.  If you add someone with a rolebinding, they
only have that permission on the namespace the rolebinding is created in.


>
> 3, user created automatically
>
> When I issue the command "oc login -u test2 -p test2", user
> "test2" is created automatically.
>
> After user creation, which project does created user belong to?
>

None, unless you grant a clusterrolebinding to a group and the new user is
in that group.


>
> Thanks,
>
> Jared, (韦煜)
> Software developer
> Interested in open source software, big data, Linux
>

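The two binding scopes Clayton describes, as an added example that is not part of the thread or of OpenShift's own code: a Python model over constructed `oc get rolebindings -n aura -o json` and `oc get clusterrolebindings -o json` output that resolves which roles a user holds in a project, separates what `oc get rolebindings` would list from cluster-wide grants that apply but are not shown there, and applies the removal commands. The bindings themselves are assumptions chosen to reproduce the symptom Yu Wei reports (a cluster-wide `view` binding to the `system:authenticated` group would make every newly created user see `aura`); they are an illustration of Clayton's answer, not a finding about that cluster, and the set of roles treated as making a project visible is a simplification.

```python
import json

# Constructed samples in the shape of `oc get rolebindings -n aura -o json`
# (namespace scoped) and `oc get clusterrolebindings -o json` (cluster scoped),
# trimmed to the fields read below. The bindings are assumptions: test1 was
# added to aura with a rolebinding, and a cluster-wide `view` binding to
# system:authenticated makes every logged-in user (hello, test2) see aura.
ROLEBINDINGS_JSON = """{"items": [
  {"metadata": {"name": "edit", "namespace": "aura"}, "roleRef": {"name": "edit"},
   "subjects": [{"kind": "User", "name": "test1"}]},
  {"metadata": {"name": "admin", "namespace": "aura"}, "roleRef": {"name": "admin"},
   "subjects": [{"kind": "User", "name": "aura"}]}
]}"""

CLUSTERROLEBINDINGS_JSON = """{"items": [
  {"metadata": {"name": "basic-users"}, "roleRef": {"name": "basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "view-for-everyone"}, "roleRef": {"name": "view"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}"""

# Roles whose holders can get the project and so see it in `oc projects`
# (simplified: the real test is whether the role grants `get` on projects).
PROJECT_VISIBLE_ROLES = {"view", "edit", "admin", "cluster-reader", "cluster-admin"}


def grants_in(namespace, rolebindings, clusterrolebindings):
    """Yield (kind, subject, role, binding) for every binding in force in
    `namespace`: its own rolebindings plus every clusterrolebinding."""
    for rb in json.loads(rolebindings)["items"]:
        if rb["metadata"]["namespace"] == namespace:
            for s in rb["subjects"]:
                yield s["kind"], s["name"], rb["roleRef"]["name"], "rolebinding/" + rb["metadata"]["name"]
    for crb in json.loads(clusterrolebindings)["items"]:
        for s in crb["subjects"]:
            yield s["kind"], s["name"], crb["roleRef"]["name"], "clusterrolebinding/" + crb["metadata"]["name"]


def roles_of(user, namespace, rolebindings, clusterrolebindings, groups=()):
    """role -> bindings granting it to `user` in `namespace`, directly or via a
    group; every logged-in user is implicitly in system:authenticated."""
    user_groups = {"system:authenticated", *groups}
    out = {}
    for kind, subject, role, binding in grants_in(namespace, rolebindings, clusterrolebindings):
        if (kind == "User" and subject == user) or (kind == "Group" and subject in user_groups):
            out.setdefault(role, set()).add(binding)
    return out


def project_members(namespace, rolebindings, clusterrolebindings):
    """Split what `oc get rolebindings -n <ns>` shows (explicit, namespaced
    grants) from cluster-wide grants that also apply but are not listed there."""
    explicit, cluster_wide = {}, {}
    for kind, subject, role, binding in grants_in(namespace, rolebindings, clusterrolebindings):
        target = explicit if binding.startswith("rolebinding/") else cluster_wide
        target.setdefault(role, set()).add(f"{kind}:{subject}")
    return explicit, cluster_wide


def can_see_project(user, namespace, rolebindings, clusterrolebindings, groups=()):
    held = roles_of(user, namespace, rolebindings, clusterrolebindings, groups)
    return bool(PROJECT_VISIBLE_ROLES & held.keys())


def remove_user(user, namespace, rolebindings):
    """Effect of `oc adm policy remove-role-from-user <role> <user> -n <ns>` for
    each namespaced role the user holds; returns the updated JSON. Cluster
    bindings are deliberately untouched: editing them changes every namespace."""
    doc = json.loads(rolebindings)
    for rb in doc["items"]:
        if rb["metadata"]["namespace"] == namespace:
            rb["subjects"] = [s for s in rb["subjects"]
                              if not (s["kind"] == "User" and s["name"] == user)]
    return json.dumps(doc)


def remove_cluster_role_from_group(role, group, clusterrolebindings):
    """Effect of `oc adm policy remove-cluster-role-from-group <role> <group>`."""
    doc = json.loads(clusterrolebindings)
    for crb in doc["items"]:
        if crb["roleRef"]["name"] == role:
            crb["subjects"] = [s for s in crb["subjects"]
                               if not (s["kind"] == "Group" and s["name"] == group)]
    return json.dumps(doc)


if __name__ == "__main__":
    print(roles_of("hello", "aura", ROLEBINDINGS_JSON, CLUSTERROLEBINDINGS_JSON))
    print(project_members("aura", ROLEBINDINGS_JSON, CLUSTERROLEBINDINGS_JSON))
    rbs = remove_user("test1", "aura", ROLEBINDINGS_JSON)
    print(can_see_project("test1", "aura", rbs, CLUSTERROLEBINDINGS_JSON))  # True: cluster-wide view
    crbs = remove_cluster_role_from_group("view", "system:authenticated", CLUSTERROLEBINDINGS_JSON)
    print(can_see_project("test1", "aura", rbs, crbs))                       # False
```

The point the model makes: removing test1's namespaced binding is not enough while a clusterrolebinding still grants `view` to a group the user belongs to, which is why Clayton points at group-scoped clusterrolebindings as the only way a brand-new user ends up in a project. `oc get rolebindings -n aura` only ever shows the `explicit` half; the `cluster_wide` half is what `oc get clusterrolebindings` (or `oc policy who-can get namespace aura`) reveals.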

Several questions about authorization

2017-12-18 Thread Yu Wei
Hi,

I have several questions about user and authorization management.

1, How could I remove user from project?



[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * aura
    test1

Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?

And how could I find which users belong to project "aura"?


2, basic-user

When should "basic-user" be used? It seems that basic-user is cluster wide. 
Is my understanding right?


3, user created automatically

When I issue the command "oc login -u test2 -p test2", user "test2" is
created automatically.

After user creation, which project does created user belong to?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux