Thanks Clayton, but that did not work. These are the steps I took:

1. Create a user called test-admin:

    oadm policy add-cluster-role-to-user cluster-admin test-admin \
        --config=openshift.local.config/master/admin.kubeconfig

2. Add privileged settings:

    oc edit scc privileged

3. Add test-admin users:

    - system:serviceaccount:openshift-infra:build-controller
    - test-admin

4. Create a pod with privileged mode -- Works
5. Add a template which looks similar to the pod definition
6. Deploy a container from the template -- Doesn't deploy
7. Run:

    oadm policy add-scc-to-user privileged -z test-admin

8. This added the line "- system:serviceaccount:test:test-admin" to scc privileged
9. Deploy a container from the template -- Doesn't deploy

Logs:

    $ oc get pods
    NAME              READY     STATUS    RESTARTS   AGE
    heketi-1-deploy   0/1       Error     0          8m

    $ oc logs heketi-1-deploy

The output of the 'deploy' container is:

    I0518 18:59:49.026072       1 deployer.go:199] Deploying test/heketi-1 for the first time (replicas: 1)
    I0518 18:59:49.029593       1 recreate.go:126] Scaling test/heketi-1 to 1 before performing acceptance check
    F0518 19:01:50.134899       1 deployer.go:69] couldn't scale test/heketi-1 to 1: timed out waiting for the condition

Seems that it is not working. Maybe I have another configuration that I need to set up?

----- Original Message -----
From: "Clayton Coleman" <ccole...@redhat.com>
To: "Luis Pabón" <lpa...@redhat.com>
Cc: "users" <users@lists.openshift.redhat.com>, "Erin Boyd" <eb...@redhat.com>, "Humble Chirammal" <hchir...@redhat.com>
Sent: Wednesday, May 18, 2016 2:47:04 PM
Subject: Re: Seems privileged mode cannot be set in a template

You have to grant access to privileged to the service account in the
namespace - if you're running as cluster-admin, you can create privileged
pods, but a regular service account unless you add it:

    oadm policy add-scc-to-user privileged -z default

where "default" is the service account that is used if you don't specify one.

On Wed, May 18, 2016 at 2:31 PM, Luis Pabón <lpa...@redhat.com> wrote:
>
>
> Hi all,
> I am able to easily deploy a POD with privileged mode enabled in my
> openshift cluster. I am also able to deploy a non-privileged application
> from a service/deploymentConfig template.
> But, I am unable to create a template which deploys a POD with privileged
> mode enabled. Is this possible?
> Here is a sample template:
>
> {
>   "kind": "Template",
>   "apiVersion": "v1",
>   "metadata": {
>     "name": "heketi",
>     "annotations": {
>       "description": "Heketi application",
>       "tags": "glusterfs,heketi"
>     }
>   },
>   "labels": {
>     "template": "heketi"
>   },
>   "objects": [
>     {
>       "kind": "Service",
>       "apiVersion": "v1",
>       "metadata": {
>         "name": "${NAME}",
>         "annotations": {
>           "description": "Exposes Heketi service"
>         }
>       },
>       "spec": {
>         "ports": [
>           {
>             "name": "rest-api",
>             "port": 8080,
>             "targetPort": 8080
>           }
>         ],
>         "selector": {
>           "name": "${NAME}"
>         }
>       }
>     },
>     {
>       "kind": "DeploymentConfig",
>       "apiVersion": "v1",
>       "metadata": {
>         "name": "${NAME}",
>         "annotations": {
>           "description": "Defines how to deploy Heketi"
>         }
>       },
>       "spec": {
>         "replicas": 1,
>         "selector": {
>           "name": "${NAME}"
>         },
>         "template": {
>           "metadata": {
>             "name": "${NAME}",
>             "labels": {
>               "name": "${NAME}"
>             }
>           },
>           "triggers": [
>             {
>               "type": "ConfigChange"
>             }
>           ],
>           "strategy": {
>             "type": "Rolling"
>           },
>           "spec": {
>             "containers": [
>               {
>                 "securityContext" : {
>                   "capabilities" : {},
>                   "privileged" : true
>                 },
>                 "name": "heketi",
>                 "image": "heketi/heketi:dev",
>                 "ports": [
>                   {
>                     "containerPort": 8080
>                   }
>                 ],
>                 "volumeMounts": [
>                   {
>                     "name": "db",
>                     "mountPath": "/var/lib/heketi"
>                   }
>                 ],
>                 "readinessProbe": {
>                   "timeoutSeconds": 3,
>                   "initialDelaySeconds": 3,
>                   "httpGet": {
>                     "path": "/hello",
>                     "port": 8080
>                   }
>                 },
>                 "livenessProbe": {
>                   "timeoutSeconds": 3,
>                   "initialDelaySeconds": 30,
>                   "httpGet": {
>                     "path": "/hello",
>                     "port": 8080
>                   }
>                 }
>               }
>             ],
>             "volumes": [
>               {
>                 "name": "db"
>               }
>             ]
>           }
>         }
>       }
>     }
>   ],
>   "parameters": [
>     {
>       "name": "NAME",
>       "displayName": "Name",
>       "description": "The name assigned to all of the frontend objects defined in this template.",
>       "required": true,
>       "value": "heketi"
>     }
>   ]
> }
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
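
Added example, not part of the thread: Clayton's reply says the privileged SCC has to be granted to the service account the pods run as, which is "default" when the pod spec names none. The Python below checks a template against an SCC's users and groups lists for that; the sample template, the SCC contents and the namespace "test" are constructed from the shapes shown in the messages above, and the function names are hypothetical.

```python
import json

# Constructed sample inputs, trimmed from the shapes shown in the thread.
TEMPLATE = json.loads("""
{"kind": "Template", "objects": [
  {"kind": "Service", "metadata": {"name": "heketi"}},
  {"kind": "DeploymentConfig", "metadata": {"name": "heketi"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "heketi", "securityContext": {"privileged": true}}]}}}}
]}
""")
SCC_PRIVILEGED = {  # constructed: what `oc edit scc privileged` might show
    "users": ["system:serviceaccount:openshift-infra:build-controller",
              "test-admin",
              "system:serviceaccount:test:test-admin"],
    "groups": ["system:cluster-admins", "system:nodes"],
}


def pod_specs(template):
    """Yield (object name, pod spec) for each object that embeds a pod template."""
    for obj in template.get("objects", []):
        spec = obj.get("spec", {}).get("template", {}).get("spec")
        if spec:
            yield obj["metadata"]["name"], spec


def missing_grants(template, scc, namespace):
    """Return (object, service account user) pairs that request privileged
    mode but whose service account is not covered by the SCC."""
    findings = []
    for name, spec in pod_specs(template):
        privileged = any(c.get("securityContext", {}).get("privileged")
                         for c in spec.get("containers", []))
        if not privileged:
            continue
        # Pods created by a controller run as this service account,
        # "default" when the pod spec names none.
        sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
        user = f"system:serviceaccount:{namespace}:{sa}"
        groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
        if user not in scc.get("users", []) and not groups & set(scc.get("groups", [])):
            findings.append((name, user))
    return findings


if __name__ == "__main__":
    for name, user in missing_grants(TEMPLATE, SCC_PRIVILEGED, "test"):
        print(f"{name}: {user} is not granted by the SCC")
```
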