I now reproduced the issue with OpenShift 3.2 on RHEL 7, as opposed to my few-week-old origin on CentOS.
Unfortunately, my magic command isn't working.
Here is my procedure:
1) Create node certs with `oadm create-node-config`
2) Use these certs from said node to create a replication set for a container that requires a host mount.
3) See event with 'hostPath volumes are not allowed to be used'
Note, this process works with standard Kubernetes; so navigating the OpenShift authentication & permissions is what I'm trying to accomplish.
Also note that there is no *project* specified in this procedure; the node being certified belongs to system:node, should I use that?
I feel like I'm flying blind because there is no feedback:
1) The command to add privileges doesn't verify that the project or user exists.
2) The failure doesn't tell me which project/user was attempting to do the unpermitted task.
Alan

[root@alan-lnx ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@alan-lnx ~]# openshift version
openshift v3.2.0.20
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5
On Wed, May 18, 2016 at 3:08 PM, Alan Jones <ajo...@diamanti.com> wrote:
> I think I'm making progress:
> oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:default
> Now when I submit the replica set I get a different mount error that I think I understand.
> Note, the context I'm submitting the request in is using the node host certs under /openshift.local/config/<hostname> to the API server.
> There is no specified project.
> Thank you!
> Alan
>
> On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <ccole...@redhat.com> wrote:
>>
>> On May 18, 2016, at 5:26 PM, Alan Jones <ajo...@diamanti.com> wrote:
>>
>> > oadm policy ... -z default
>> In the version of openshift origin I'm using the oadm command doesn't take '-z'.
>> Can you fill in the dot, dot, dot for me?
>> I'm trying to grant permission for host volume access for a pod created by the replication controller which was submitted with node credentials to the API server.
>> Here is my latest failed attempt to try to follow your advice:
>> oadm policy add-scc-to-group hostmount-anyuid system:serviceaccount:default
>> Again, this would be much easier if I could get logs for what group and user it is evaluating when it fails.
>> Alan
>>
>> system:serviceaccount:NAMESPACE:default
>>
>> Since policy is global, you have to identify which namespace/project contains the "default" service account (service accounts are scoped to a project).
>>
>> On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <ccole...@redhat.com> wrote:
>>> You need to grant the permission to a service account for the pod (which is "default" if you don't fill in the field). The replication controller's SA is not checked.
>>>
>>> oadm policy ... -z default
>>>
>>> On May 17, 2016, at 8:39 PM, Alan Jones <ajo...@diamanti.com> wrote:
>>>
>>> I tried that:
>>> oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:replication-controller
>>> ... and I still get the error.
>>> Is there any way to get the user name/group that fails authentication?
>>> Alan
>>>
>>> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com> wrote:
>>>
>>>> anyuid doesn't grant hostPath, since that's a much more dangerous permission. You want to grant hostmount-anyuid
>>>>
>>>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com> wrote:
>>>> > I have several containers that we run using K8 that require host volume access.
>>>> > For example, I have a container called "evdispatch-v1" that I'm trying to launch in a replication controller and get the below error.
>>>> > Following an example from "Enable Dockerhub Images that Require Root" in (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile)
>>>> > I tried:
>>>> > oadm policy add-scc-to-user anyuid system:serviceaccount:openshift-infra:replication-controller
>>>> > But still get the error.
>>>> > Do you know what I need to do?
>>>> > Who knows more about this stuff?
>>>> > Alan
>>>> > ---
>>>> > WARNING evdispatch-v1 49e7ac4e-1bae-11e6-88c0-080027767789 ReplicationController replication-controller FailedCreate
>>>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate against any security context constraint:
>>>> > [spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
>>>> > spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
>>>> >
>>>> > _______________________________________________
>>>> > users mailing list
>>>> > users@lists.openshift.redhat.com
>>>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
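As an added worked example (written for this page; it is not code from the thread or from OpenShift), here is the procedure Clayton describes put into a POSIX shell script: build the fully qualified service-account subject (policy is cluster-wide, so the project must be part of it), write an RC manifest whose pod template names that service account explicitly instead of falling back to "default", and a small helper that reports which subject SCC admission will evaluate for a given manifest, which is the feedback Alan says he is missing. The project name "evdispatch", the service account name "evdispatch-sa" and the host path "/var/run/events" are assumptions; the container name "evdispatch-v1" comes from the thread. The oc/oadm commands are only echoed so the script runs without a cluster; pipe them to sh as cluster-admin to apply them.

```sh
#!/bin/sh
# Added example, not from the thread. Names "evdispatch", "evdispatch-sa"
# and "/var/run/events" are assumptions.

# SCC policy is global, so a service account must be named with its project:
# system:serviceaccount:<project>:<name>. Without the project, the grant
# silently applies to nothing that exists.
sa_subject() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# RC manifest whose pod template names the service account explicitly.
# SCC admission checks the pod's SA, so this is the SA that needs
# hostmount-anyuid, not the RC controller's and not the node identity used
# to submit the request.
rc_manifest() {
    ns=$1; sa=$2; name=$3; hostdir=$4
    cat <<EOF
apiVersion: v1
kind: ReplicationController
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  replicas: 1
  selector:
    app: ${name}
  template:
    metadata:
      labels:
        app: ${name}
    spec:
      serviceAccountName: ${sa}
      containers:
      - name: ${name}
        image: ${name}
        volumeMounts:
        - name: host-events
          mountPath: /var/run/events
      volumes:
      - name: host-events
        hostPath:
          path: ${hostdir}
EOF
}

# Given a manifest on stdin, print the subject SCC admission will evaluate
# for the pod: the template's serviceAccountName, or "default" when the
# field is absent, qualified by the namespace (assumed to be "default" when
# the manifest does not set one, as for a request with no project).
pod_sa_subject() {
    awk '
        /^  namespace:/          { ns = $2 }
        /^ *serviceAccountName:/ { sa = $2 }
        END {
            if (ns == "") ns = "default"
            if (sa == "") sa = "default"
            printf "system:serviceaccount:%s:%s\n", ns, sa
        }'
}

# The cluster-admin side of the procedure. hostmount-anyuid, not anyuid,
# is the SCC that allows hostPath. The last two commands are how to confirm
# the grant landed and to read the FailedCreate event if it did not.
grant_commands() {
    ns=$1; sa=$2
    echo "oc create serviceaccount ${sa} -n ${ns}"
    echo "oadm policy add-scc-to-user hostmount-anyuid $(sa_subject "$ns" "$sa")"
    echo "oc get scc hostmount-anyuid -o yaml"
    echo "oc get events -n ${ns}"
}

# Stand-alone run: show the grant commands, then the subject the manifest
# will be checked against.
grant_commands evdispatch evdispatch-sa
rc_manifest evdispatch evdispatch-sa evdispatch-v1 /var/run/events | pod_sa_subject
```

Run the manifest through `pod_sa_subject` before `oc create -f` to see the exact subject that must appear under `users:` in `oc get scc hostmount-anyuid -o yaml`; if the two do not match, the grant was made to the wrong project or service account.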