The node is running as a user, but every pod / rc has to be created in
a namespace (or project, which is the same thing but with some
additional controls).  When you create an RC from your credentials,
you are either creating it in the "default" namespace (in which case
you need to grant system:serviceaccount:default:default access to
hostmount-anyuid) or in whatever namespace was the default.  If you
run "oc project", which project does it say you are in?

On Wed, May 18, 2016 at 8:16 PM, Alan Jones <ajo...@diamanti.com> wrote:
> I now reproduced the issue with OpenShift 3.2 on RHEL 7, as opposed to my
> few week old origin on CentOS.
> Unfortunately, my magic command isn't working.
> Here is my procedure:
> 1) Create node certs with `oadm create-node-config`
> 2) Use these certs from said node to create a replication set for a
> container that requires a host mount.
> 3) See event with 'hostPath volumes are not allowed to be used'
> Note, this process works with standard Kubernetes; so navigating the
> OpenShift authentication & permissions is what I'm trying to accomplish.
> Also note that there is no *project* specified in this procedure; the node
> being certified belongs to system:node; should I use that?
> I feel like I'm flying blind because there is no feedback:
> 1) The command to add privileges doesn't verify that the project or user
> exists.
> 2) The failure doesn't tell me which project/user was attempting to do the
> unpermitted task.
> Alan
> [root@alan-lnx ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.2 (Maipo)
> [root@alan-lnx ~]# openshift version
> openshift v3.2.0.20
> kubernetes v1.2.0-36-g4a3f9c5
> etcd 2.2.5
>
>
> On Wed, May 18, 2016 at 3:08 PM, Alan Jones <ajo...@diamanti.com> wrote:
>>
>> I think I'm making progress:
>> oadm policy add-scc-to-user hostmount-anyuid
>> system:serviceaccount:openshift-infra:default
>> Now when I submit the replica set I get a different mount error that I
>> think I understand.
>> Note, the context I'm submitting the request in is using the node host
>> certs under /openshift.local/config/<hostname> to the API server.
>> There is no specified project.
>> Thank you!
>> Alan
>>
>> On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <ccole...@redhat.com>
>> wrote:
>>>
>>>
>>>
>>> On May 18, 2016, at 5:26 PM, Alan Jones <ajo...@diamanti.com> wrote:
>>>
>>> > oadm policy ... -z default
>>> In the version of openshift origin I'm using the oadm command doesn't
>>> take '-z'.
>>> Can you fill in the dot, dot, dot for me?
>>> I'm trying to grant permission for host volume access for a pod created
>>> by the replication controller which was submitted with node credentials to
>>> the API server.
>>> Here is my latest failed attempt to try to follow your advice:
>>> oadm policy add-scc-to-group hostmount-anyuid
>>> system:serviceaccount:default
>>> Again, this would be much easier if I could get logs for what group and
>>> user it is evaluating when it fails.
>>> Alan
>>>
>>>
>>> system:serviceaccount:NAMESPACE:default
>>>
>>> Since policy is global, you have to identify which namespace/project
>>> contains the "default" service account (service accounts are scoped to a
>>> project).
>>>
>>>
>>> On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <ccole...@redhat.com>
>>> wrote:
>>>>
>>>> You need to grant the permission to a service account for the pod (which
>>>> is "default" if you don't fill in the field).  The replication controller's
>>>> SA is not checked.
>>>>
>>>> oadm policy ... -z default
>>>>
>>>> On May 17, 2016, at 8:39 PM, Alan Jones <ajo...@diamanti.com> wrote:
>>>>
>>>> I tried that:
>>>> oadm policy add-acc-to-user hostmount-anyuid
>>>> system:serviceaccount:openshift-infra:replication-controller
>>>> ... and I still get the error.
>>>> Is there any way to get the user name/group that fails authentication?
>>>> Alan
>>>>
>>>> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com>
>>>> wrote:
>>>>>
>>>>> anyuid doesn't grant hostPath, since that's a much more dangerous
>>>>> permission.  You want to grant hostmount-anyuid
>>>>>
>>>>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com>
>>>>> wrote:
>>>>> > I have several containers that we run using K8 that require host
>>>>> > volume
>>>>> > access.
>>>>> > For example, I have a container called "evdispatch-v1" that I'm
>>>>> > trying to
>>>>> > launch in a replication controller and get the below error.
>>>>> > Following an example from "Enable Dockerhub Images that Require Root"
>>>>> > in
>>>>> >
>>>>> > (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile)
>>>>> > I tried:
>>>>> > oadm policy add-scc-to-user anyuid
>>>>> > system:serviceaccount:openshift-infra:replication-controller
>>>>> > But still get the error.
>>>>> > Do you know what I need to do?
>>>>> > Who knows more about this stuff?
>>>>> > Alan
>>>>> > ---
>>>>> > WARNING    evdispatch-v1
>>>>> > 49e7ac4e-1bae-11e6-88c0-080027767789
>>>>> > ReplicationController             replication-controller
>>>>> > FailedCreate
>>>>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to
>>>>> > validate
>>>>> > against any security context constraint:
>>>>> > [spec.containers[0].securityContext.volumes[0]: Invalid value:
>>>>> > "hostPath":
>>>>> > hostPath volumes are not allowed to be used
>>>>> > spec.containers[0].securityContext.volumes[0]: Invalid value:
>>>>> > "hostPath":
>>>>> > hostPath volumes are not allowed to be used]
>>>>> >
>>>>> > _______________________________________________
>>>>> > users mailing list
>>>>> > users@lists.openshift.redhat.com
>>>>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>> >
>>>>
>>>>
>>>
>>
>
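The whole thread turns on one detail from the reply at the top: SCC policy is global, but service accounts are scoped to a project, so the subject handed to `oadm policy add-scc-to-user` must name both the namespace and the service account, and the account that matters is the pod's (`default` unless the pod spec says otherwise), not the replication controller's. The POSIX sh helper below is an added example, not code from the thread or from OpenShift. It builds that subject, rejects the truncated `system:serviceaccount:default` form that appears earlier in the thread, and checks an SCC document for the subject so the grant can be verified rather than guessed at. The SCC document in the script is constructed for the demo, not captured from a cluster; `oc project -q` and `oc get scc NAME -o yaml` are real commands, but the script only runs `oc project -q`, and only when `oc` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build and validate the service-account
# subject that "oadm policy add-scc-to-user" expects, and check an SCC's
# users list for it. Runs offline against the constructed SCC below; the
# oadm/oc grant commands are printed for the operator, never executed here.

# Build "system:serviceaccount:<namespace>:<name>" from its two parts.
sa_subject() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Return 0 only if the subject carries a namespace AND a service-account
# name. Catches "system:serviceaccount:default" (namespace or name missing)
# and "system:serviceaccount::default" (empty namespace).
sa_subject_valid() {
    case "$1" in
        system:serviceaccount:*:*)
            rest=${1#system:serviceaccount:}
            ns_part=${rest%%:*}
            name_part=${rest#*:}
            [ -n "$ns_part" ] && [ -n "$name_part" ] \
                && [ "${name_part#*:}" = "$name_part" ]
            ;;
        *) return 1 ;;
    esac
}

# Read an SCC document (as printed by "oc get scc NAME -o yaml") on stdin and
# return 0 if SUBJECT is listed under its top-level "users:" key.
scc_has_user() {
    awk -v want="$1" '
        /^[A-Za-z]/ { in_users = ($1 == "users:") }   # top-level key switches section
        in_users && $1 == "-" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample SCC document (not a real cluster's hostmount-anyuid).
SAMPLE_SCC='allowHostDirVolumePlugin: true
apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: hostmount-anyuid
groups: []
users:
- system:serviceaccount:openshift-infra:pv-recycler-controller
- system:serviceaccount:default:default
volumes:
- hostPath
- secret'

# The namespace the pod will land in: the current project when oc is
# available ("oc project" in the reply above), otherwise "default".
current_namespace() {
    if command -v oc >/dev/null 2>&1; then
        oc project -q 2>/dev/null || echo default
    else
        echo default
    fi
}

main() {
    ns=$(current_namespace)
    subject=$(sa_subject "$ns" default)
    sa_subject_valid "$subject" || { echo "malformed subject: $subject" >&2; return 1; }
    echo "# pod service account subject: $subject"
    echo "# grant the SCC to that service account:"
    echo "oadm policy add-scc-to-user hostmount-anyuid $subject"
    echo "# confirm the subject now appears under users: in the SCC:"
    echo "oc get scc hostmount-anyuid -o yaml"
    echo
    echo "# same check run against the constructed SCC document:"
    if printf '%s\n' "$SAMPLE_SCC" | scc_has_user "$subject"; then
        echo "$subject is listed in hostmount-anyuid"
    else
        echo "$subject is NOT listed in hostmount-anyuid"
    fi
}

main
```

Piping real output into the checker (`oc get scc hostmount-anyuid -o yaml | scc_has_user system:serviceaccount:NS:default`) answers the question the thread keeps circling back to, namely whether the grant landed on the account the pod actually runs as; the validator additionally flags a subject with a missing field before the grant command is ever run, since the policy command itself does not verify that the project or account exists.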
