When you create a pod directly as a cluster admin, you have permission
to run as any user.  So the check allows you to create that process.
When you run under a replication controller, permission has to be
delegated to ensure that the controller (which is acting on your
behalf) can create a pod that runs that way.  The service account is
what is delegated.

> On Mar 1, 2016, at 9:37 AM, Julio Saura <jsa...@hiberus.com> wrote:
>
> Hello,
>
> Thanks for answering.
>
> But why is it running without problems if I run my image as a pod without doing
> that, and failing when I use an RC instead of a pod?
>
> thanks
>
>
>> On 1 Mar 2016, at 16:21, Clayton Coleman <ccole...@redhat.com> wrote:
>>
>> Regular OpenShift users don't have permission to run as arbitrary
>> UIDs.  You can read more here:
>> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
>>
>> To give yourself access as a root user (if you are an admin) run
>>
>>   oadm policy add-scc-to-user anyuid -z default
>>
>> Or to let your pods run as any non-root user, run
>>
>>   oadm policy add-scc-to-user nonroot -z default
>>
>>> On Mar 1, 2016, at 9:04 AM, Julio Saura <jsa...@hiberus.com> wrote:
>>>
>>> Hello
>>>
>>> I have a working OpenShift running, and maybe it is my misunderstanding, but I
>>> have a problem with RC.
>>>
>>> So,
>>>
>>> I have my own Docker image for my app. My entry point in my Dockerfile
>>> creates some directories that are needed for my app to work and starts a
>>> JBoss. So far so good.
>>>
>>> The image runs if I define it as a pod, but when I try to create an RC
>>> using that image I get some weird permission denied errors when creating the
>>> directories, and so my pod dies.
>>>
>>> I have noticed that when I run it as a pod my process is running under the
>>> user I define in a step inside my Dockerfile when building the image, but
>>> if I run it in an RC the process is running under an unknown UID:
>>>
>>> UID         PID   PPID  C STIME TTY          TIME CMD
>>> 1000120+      1      0  0 17:02 ?        00:00:00 /bin/bash /etc/init.d/jboss-as st
>>>
>>> and so when that entry point tries to create the directories I need, I
>>> get permission denied errors. Logically the process dies, and so does my pod
>>> inside the RC.
>>>
>>> Why is this happening? In my Dockerfile I add a Unix user as the process
>>> owner, and in my entry point command script I am changing the user
>>> when starting. Running on the RC the user is not created and not used,
>>> but running it as a pod works like a charm.
>>>
>>> Am I missing something?
>>>
>>> best regards
>>> thanks all!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
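
A preflight for an entry point script like the one described in this thread, as an added example that is not part of the original messages: it reports the UID the container process was actually given and names each required directory it cannot create or write, so the failure is explicit instead of a bare permission denied. The function names and the directory paths passed in are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Paths passed to these functions are
# hypothetical; use the directories your own entry point creates.

# Report the identity the container process actually received. A UID assigned
# by the platform may have no /etc/passwd entry, so only the number is known.
describe_identity() {
    di_uid=$(id -u)
    di_gid=$(id -g)
    if di_name=$(id -un 2>/dev/null) && [ -n "$di_name" ]; then
        echo "uid=$di_uid($di_name) gid=$di_gid"
    else
        echo "uid=$di_uid(no passwd entry) gid=$di_gid"
    fi
}

# Try to create each required directory and confirm it is writable.
# Prints one line per failing path; returns non-zero if any path failed.
check_dirs() {
    cd_failed=0
    for cd_dir in "$@"; do
        if ! mkdir -p "$cd_dir" 2>/dev/null || [ ! -w "$cd_dir" ]; then
            echo "$cd_dir"
            cd_failed=1
        fi
    done
    return "$cd_failed"
}

# Run before starting the application; explains the failure on stderr.
preflight() {
    if ! pf_bad=$(check_dirs "$@"); then
        echo "preflight: running as $(describe_identity)" >&2
        echo "preflight: cannot create or write:" $pf_bad >&2
        return 1
    fi
}

# In the entry point, before starting the server (paths are placeholders):
#   preflight /path/to/data /path/to/logs || exit 1
```
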
