Thanks Clayton, but that did not work.  These are the steps I took:

1. Create a user called test-admin:
oadm policy add-cluster-role-to-user cluster-admin test-admin \
        --config=openshift.local.config/master/admin.kubeconfig

2. Add privileged settings:
oc edit scc privileged 

3. Add test-admin
users:
- system:serviceaccount:openshift-infra:build-controller
- test-admin

4. Create a pod with privileged mode -- Works
5. Add a template which looks similar to the pod definition
6. Deploy a container from the template -- Doesn't deploy

7. Run:
oadm policy add-scc-to-user privileged -z test-admin 

8. This added the line "- system:serviceaccount:test:test-admin" to scc privileged
9. Deploy a container from the template -- Doesn't deploy 


Logs:
$ oc get pods
NAME              READY     STATUS    RESTARTS   AGE
heketi-1-deploy   0/1       Error     0          8m

$ oc logs heketi-1-deploy
The output of the 'deploy' container is:
I0518 18:59:49.026072       1 deployer.go:199] Deploying test/heketi-1 for the first time (replicas: 1)
I0518 18:59:49.029593       1 recreate.go:126] Scaling test/heketi-1 to 1 before performing acceptance check
F0518 19:01:50.134899       1 deployer.go:69] couldn't scale test/heketi-1 to 1: timed out waiting for the condition


Seems that it is not working.  Maybe I have another configuration that I need to set up?
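The grant Clayton describes and the steps listed above both hinge on one identity string: the SCC admits a pod only if its service account, written as `system:serviceaccount:<namespace>:<name>`, appears in the SCC's `users` (or its namespace group in `groups`). The script below is an added diagnostic, not code from this thread or from OpenShift, that resolves the service account a DeploymentConfig's pods will run as (falling back to `default` when the pod template sets none) and checks it against an SCC users list. The DeploymentConfig and the SCC users list are constructed samples; the namespace `test` and the function names are assumptions.

```python
import json

# Constructed sample: a trimmed DeploymentConfig in the style of the template in
# this thread, with a privileged container and no serviceAccountName set.
SAMPLE_DC = json.loads("""
{
  "kind": "DeploymentConfig",
  "apiVersion": "v1",
  "metadata": {"name": "heketi"},
  "spec": {
    "replicas": 1,
    "template": {
      "metadata": {"labels": {"name": "heketi"}},
      "spec": {
        "containers": [
          {"name": "heketi", "image": "heketi/heketi:dev",
           "securityContext": {"privileged": true}}
        ]
      }
    }
  }
}
""")

# Constructed sample: the 'users' list of the privileged SCC after the
# add-scc-to-user step above (the cluster's real list would come from
# `oc get scc privileged -o json`).
SAMPLE_SCC_USERS = [
    "system:serviceaccount:openshift-infra:build-controller",
    "test-admin",
    "system:serviceaccount:test:test-admin",
]


def pod_service_account(dc):
    """Service account the DC's pods run as; 'default' when the template sets none."""
    pod_spec = dc["spec"]["template"]["spec"]
    return pod_spec.get("serviceAccountName") or pod_spec.get("serviceAccount") or "default"


def wants_privileged(dc):
    """True if any container in the pod template asks for privileged mode."""
    containers = dc["spec"]["template"]["spec"].get("containers", [])
    return any(c.get("securityContext", {}).get("privileged", False) for c in containers)


def sa_identity(namespace, sa):
    """The subject name an SCC 'users' entry must carry for this service account."""
    return f"system:serviceaccount:{namespace}:{sa}"


def check_scc_grant(dc, namespace, scc_users, scc_groups=()):
    """Return (allowed, identity, detail) for the DC's pods against one SCC.

    Only the users/groups membership is checked here; the SCC's other
    constraints (SELinux, run-as-user, volumes) are out of scope.
    """
    if not wants_privileged(dc):
        return True, None, "no container requests privileged mode"
    sa = pod_service_account(dc)
    identity = sa_identity(namespace, sa)
    if identity in scc_users:
        return True, identity, "granted directly via scc users"
    ns_group = f"system:serviceaccounts:{namespace}"
    if ns_group in scc_groups or "system:serviceaccounts" in scc_groups:
        return True, identity, "granted via scc groups"
    hint = f"oadm policy add-scc-to-user privileged -n {namespace} -z {sa}"
    return False, identity, f"not in scc users/groups; grant with: {hint}"


if __name__ == "__main__":
    allowed, identity, detail = check_scc_grant(SAMPLE_DC, "test", SAMPLE_SCC_USERS)
    print(f"allowed={allowed} identity={identity} detail={detail}")
```

Run against the constructed sample the check reports the identity the pod template actually resolves to, so it is easy to compare that string with what the SCC's `users` list contains before re-running the deployment.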



----- Original Message -----
From: "Clayton Coleman" <ccole...@redhat.com>
To: "Luis Pabón" <lpa...@redhat.com>
Cc: "users" <users@lists.openshift.redhat.com>, "Erin Boyd" <eb...@redhat.com>, 
"Humble Chirammal" <hchir...@redhat.com>
Sent: Wednesday, May 18, 2016 2:47:04 PM
Subject: Re: Seems privileged mode cannot be set in a template

You have to grant access to privileged to the service account in the
namespace - if you're running as cluster-admin, you can create
privileged pods, but a regular service account unless you add it:

    oadm policy add-scc-to-user privileged -z default

where "default" is the service account that is used if you don't specify one.


On Wed, May 18, 2016 at 2:31 PM, Luis Pabón <lpa...@redhat.com> wrote:
>
>
> Hi all,
>   I am able to easily deploy a POD with privileged mode enabled in my 
> openshift cluster.  I am also able to deploy a non-privileged application 
> from a service/deploymentConfig template.  But, I am unable to create a 
> template which deploys a POD with privileged mode enabled.  Is this possible? 
>  Here is a sample template:
>
> {
>   "kind": "Template",
>   "apiVersion": "v1",
>   "metadata": {
>     "name": "heketi",
>     "annotations": {
>       "description": "Heketi application",
>       "tags": "glusterfs,heketi"
>     }
>   },
>   "labels": {
>     "template": "heketi"
>   },
>   "objects": [
>     {
>       "kind": "Service",
>       "apiVersion": "v1",
>       "metadata": {
>         "name": "${NAME}",
>         "annotations": {
>           "description": "Exposes Heketi service"
>         }
>       },
>       "spec": {
>         "ports": [
>           {
>             "name": "rest-api",
>             "port": 8080,
>             "targetPort": 8080
>           }
>         ],
>         "selector": {
>           "name": "${NAME}"
>         }
>       }
>     },
>     {
>       "kind": "DeploymentConfig",
>       "apiVersion": "v1",
>       "metadata": {
>         "name": "${NAME}",
>         "annotations": {
>           "description": "Defines how to deploy Heketi"
>         }
>       },
>       "spec": {
>         "replicas": 1,
>         "selector": {
>           "name": "${NAME}"
>         },
>         "triggers": [
>           {
>             "type": "ConfigChange"
>           }
>         ],
>         "strategy": {
>           "type": "Rolling"
>         },
>         "template": {
>           "metadata": {
>             "name": "${NAME}",
>             "labels": {
>               "name": "${NAME}"
>             }
>           },
>           "spec": {
>             "containers": [
>               {
>                 "securityContext" : {
>                   "capabilities" : {},
>                   "privileged" : true
>                 },
>                 "name": "heketi",
>                 "image": "heketi/heketi:dev",
>                 "ports": [
>                   {
>                     "containerPort": 8080
>                   }
>                 ],
>                 "volumeMounts": [
>                   {
>                     "name": "db",
>                     "mountPath": "/var/lib/heketi"
>                   }
>                 ],
>                 "readinessProbe": {
>                   "timeoutSeconds": 3,
>                   "initialDelaySeconds": 3,
>                   "httpGet": {
>                     "path": "/hello",
>                     "port": 8080
>                   }
>                 },
>                 "livenessProbe": {
>                   "timeoutSeconds": 3,
>                   "initialDelaySeconds": 30,
>                   "httpGet": {
>                     "path": "/hello",
>                     "port": 8080
>                   }
>                 }
>               }
>             ],
>             "volumes": [
>               {
>                 "name": "db"
>               }
>             ]
>           }
>         }
>       }
>     }
>   ],
>   "parameters": [
>     {
>       "name": "NAME",
>       "displayName": "Name",
>       "description": "The name assigned to all of the frontend objects defined in this template.",
>       "required": true,
>       "value": "heketi"
>     }
>   ]
> }
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
