Same issue here:

    oc adm policy add-scc-to-user anyuid -z default -n openshift-infra
    oc adm policy add-scc-to-user privileged -z default -n openshift-infra
    oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:default

    oc apply -n openshift-infra -f replicationcontrollers.yaml

replicationcontrollers.yaml content: https://gist.github.com/harobed/76dc697e1658afd934c107aadc4f09a6

I have this error:

    Error creating: pods "hawkular-cassandra-1-" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 0: UID on container hawkular-cassandra-1 does not match required range. Found 0, required min: 1000000000 max: 1000009999 spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

What is my mistake?

Best regards,
Stéphane

2016-05-19 23:07 GMT+02:00 Clayton Coleman <ccole...@redhat.com>:

> Users don't have a "preferred namespace", you'll have to provide that
> yourself. oc project sets it in the config. You can use the -n flag to
> set it.
>
> On May 19, 2016, at 11:36 AM, Alan Jones <ajo...@diamanti.com> wrote:
>
> Of all the commands I've tried, I think the following from another thread
> did the magic:
>     oadm policy add-scc-to-user privileged -z default
> In addition, I had to provide kubelet with --allow-privileged=true, which
> wasn't required in the stock K8 1.2 config.
> Perhaps OpenShift is adding something to the pod spec that kubelet is
> validating.
> What I'd really like to do now is wipe the OpenShift config to rerun
> 'atomic-openshift-installer install' and confirm the particular steps that
> make it work.
> If you have any insight into the best way to wipe my OpenShift config,
> please share.
>
> On getting my user and project: the replication set is submitted by one of
> our system daemons that is run out of systemd with our own user and the
> node certificates I described earlier.
> Looking at the CLI code, it seems the command 'oc project' gets it from
> the context before any REST API call is made.
> However, 'oc whoami' seems to call GET on the 'users' resource with the
> name '~'.
> Can my daemon make that call and get the project name or namespace
> from the user details?
>
> Thanks for helping me get this right!
> Alan
>
> On Wed, May 18, 2016 at 7:43 PM, Clayton Coleman <ccole...@redhat.com> wrote:
>
>> The node is running as a user, but every pod / rc has to be created in
>> a namespace (or project, which is the same thing but with some
>> additional controls). When you create an RC from your credentials,
>> you are either creating it in the "default" namespace (in which case
>> you need to grant system:serviceaccount:default:default access to
>> hostmount-anyuid) or in whatever namespace was the default. If you
>> run "oc project", which project does it say you are in?
>>
>> On Wed, May 18, 2016 at 8:16 PM, Alan Jones <ajo...@diamanti.com> wrote:
>> > I now reproduced the issue with OpenShift 3.2 on RHEL 7, as opposed to my
>> > few week old origin on CentOS.
>> > Unfortunately, my magic command isn't working.
>> > Here is my procedure:
>> > 1) Create node certs with `oadm create-node-config`
>> > 2) Use these certs from said node to create a replication set for a
>> > container that requires a host mount.
>> > 3) See event with 'hostPath volumes are not allowed to be used'
>> > Note, this process works with standard Kubernetes; so navigating the
>> > OpenShift authentication & permissions is what I'm trying to accomplish.
>> > Also note that there is no *project* specified in this procedure; the node
>> > being certified belongs to system:node, should I use that?
>> > I feel like I'm flying blind because there is no feedback:
>> > 1) The command to add privileges doesn't verify that the project or user
>> > exists.
>> > 2) The failure doesn't tell me which project/user was attempting to do the
>> > unpermitted task.
>> > Alan
>> >
>> > [root@alan-lnx ~]# cat /etc/redhat-release
>> > Red Hat Enterprise Linux Server release 7.2 (Maipo)
>> > [root@alan-lnx ~]# openshift version
>> > openshift v3.2.0.20
>> > kubernetes v1.2.0-36-g4a3f9c5
>> > etcd 2.2.5
>> >
>> > On Wed, May 18, 2016 at 3:08 PM, Alan Jones <ajo...@diamanti.com> wrote:
>> >>
>> >> I think I'm making progress:
>> >>     oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:default
>> >> Now when I submit the replica set I get a different mount error that I
>> >> think I understand.
>> >> Note, the context I'm submitting the request in is using the node host
>> >> certs under /openshift.local/config/<hostname> to the API server.
>> >> There is no specified project.
>> >> Thank you!
>> >> Alan
>> >>
>> >> On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <ccole...@redhat.com> wrote:
>> >>>
>> >>> On May 18, 2016, at 5:26 PM, Alan Jones <ajo...@diamanti.com> wrote:
>> >>>
>> >>> > oadm policy ... -z default
>> >>> In the version of openshift origin I'm using the oadm command doesn't
>> >>> take '-z'.
>> >>> Can you fill in the dot, dot, dot for me?
>> >>> I'm trying to grant permission for host volume access for a pod created
>> >>> by the replication controller which was submitted with node credentials to
>> >>> the API server.
>> >>> Here is my latest failed attempt to try to follow your advice:
>> >>>     oadm policy add-scc-to-group hostmount-anyuid system:serviceaccount:default
>> >>> Again, this would be much easier if I could get logs for what group and
>> >>> user it is evaluating when it fails.
>> >>> Alan
>> >>>
>> >>> system:serviceaccount:NAMESPACE:default
>> >>>
>> >>> Since policy is global, you have to identify which namespace/project
>> >>> contains the "default" service account (service accounts are scoped to a
>> >>> project).
>> >>>
>> >>> On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <ccole...@redhat.com> wrote:
>> >>>>
>> >>>> You need to grant the permission to a service account for the pod (which
>> >>>> is "default" if you don't fill in the field). The replication controller's
>> >>>> SA is not checked.
>> >>>>
>> >>>>     oadm policy ... -z default
>> >>>>
>> >>>> On May 17, 2016, at 8:39 PM, Alan Jones <ajo...@diamanti.com> wrote:
>> >>>>
>> >>>> I tried that:
>> >>>>     oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:replication-controller
>> >>>> ... and I still get the error.
>> >>>> Is there any way to get the user name/group that fails authentication?
>> >>>> Alan
>> >>>>
>> >>>> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com> wrote:
>> >>>>>
>> >>>>> anyuid doesn't grant hostPath, since that's a much more dangerous
>> >>>>> permission. You want to grant hostmount-anyuid.
>> >>>>>
>> >>>>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com> wrote:
>> >>>>> > I have several containers that we run using K8 that require host
>> >>>>> > volume access.
>> >>>>> > For example, I have a container called "evdispatch-v1" that I'm
>> >>>>> > trying to launch in a replication controller and get the below error.
>> >>>>> > Following an example from "Enable Dockerhub Images that Require Root" in
>> >>>>> > (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile)
>> >>>>> > I tried:
>> >>>>> >     oadm policy add-scc-to-user anyuid system:serviceaccount:openshift-infra:replication-controller
>> >>>>> > But still get the error.
>> >>>>> > Do you know what I need to do?
>> >>>>> > Who knows more about this stuff?
>> >>>>> > Alan
>> >>>>> > ---
>> >>>>> > WARNING evdispatch-v1 49e7ac4e-1bae-11e6-88c0-080027767789 ReplicationController replication-controller FailedCreate
>> >>>>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate
>> >>>>> > against any security context constraint:
>> >>>>> > [spec.containers[0].securityContext.volumes[0]: Invalid value:
>> >>>>> > "hostPath": hostPath volumes are not allowed to be used
>> >>>>> > spec.containers[0].securityContext.volumes[0]: Invalid value:
>> >>>>> > "hostPath": hostPath volumes are not allowed to be used]
>> >>>>> >
>> >>>>> > _______________________________________________
>> >>>>> > users mailing list
>> >>>>> > users@lists.openshift.redhat.com
>> >>>>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> >>>>> >
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>
>

--
Stéphane Klein <cont...@stephane-klein.info>
blog: http://stephane-klein.info
cv: http://cv.stephane-klein.info
Twitter: http://twitter.com/klein_stephane
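The thread turns on two rules that the admission error does not spell out: an SCC is only evaluated if it has been granted to the service account the *pod* runs as (not the replication controller's account), and `anyuid` lifts the UID-range check but not the `hostPath` restriction, which only `hostmount-anyuid` or `privileged` allow. The following is an added example, not code from the thread or from OpenShift: a small Python model of that matching logic that replays each grant the participants tried against a constructed pod shaped like `hawkular-cassandra-1`. The capability flags of `restricted`, `anyuid` and `hostmount-anyuid` follow the stock SCCs; the UID range 1000000000-1000009999 is taken from the quoted error (OpenShift assigns one per namespace); the pod dictionary, the `spec.volumes[...]` error path and the membership test via `system:authenticated` are simplifications made for this example.

```python
"""Simplified model of how OpenShift matches a pod against Security Context
Constraints (SCCs). Constructed for this thread, not the real admission plugin:
it keeps only the two checks that fail in the quoted errors (runAsUser range
and hostPath volumes) and the rule that the *pod's* service account is what
an SCC must be granted to."""
from dataclasses import dataclass, field

AUTHENTICATED = "system:authenticated"  # group every service account belongs to


@dataclass
class SCC:
    name: str
    allow_host_dir: bool            # allowHostDirVolumePlugin
    run_as_user: str                # "RunAsAny" or "MustRunAsRange"
    uid_min: int = 0                # range bounds used by MustRunAsRange
    uid_max: int = 0
    users: set = field(default_factory=set)   # granted via add-scc-to-user
    groups: set = field(default_factory=set)  # granted via add-scc-to-group


def sa_subject(namespace, sa_name):
    """Fully qualified service account name, as SCC user lists expect it."""
    return f"system:serviceaccount:{namespace}:{sa_name}"


def violations(scc, pod):
    """Constraint failures for pod under one SCC (empty list means it fits)."""
    errs = []
    for c in pod["containers"]:
        uid = c.get("runAsUser")
        if uid is not None and scc.run_as_user == "MustRunAsRange":
            if not scc.uid_min <= uid <= scc.uid_max:
                errs.append(
                    f"securityContext.runAsUser: Invalid value: {uid}: UID on "
                    f"container {c['name']} does not match required range. "
                    f"Found {uid}, required min: {scc.uid_min} max: {scc.uid_max}")
    for j, vol in enumerate(pod.get("volumes", [])):
        if vol["type"] == "hostPath" and not scc.allow_host_dir:
            errs.append(f'spec.volumes[{j}]: Invalid value: "hostPath": '
                        'hostPath volumes are not allowed to be used')
    return errs


def admit(pod, sccs):
    """Try each SCC granted to the pod's service account (the replication
    controller's own account is never consulted). Returns the name of the
    first SCC that validates, or None, plus the errors per rejected SCC."""
    subject = sa_subject(pod["namespace"], pod.get("serviceAccountName", "default"))
    report = {}
    for scc in sccs:
        if subject not in scc.users and AUTHENTICATED not in scc.groups:
            continue  # not granted to this account, so never even evaluated
        errs = violations(scc, pod)
        if not errs:
            return scc.name, report
        report[scc.name] = errs
    return None, report


def stock_sccs():
    """The three stock SCCs involved, with empty grant lists. Capability flags
    follow the real SCCs; the UID range is the one from the thread's error
    (assigned per namespace by OpenShift, constructed here)."""
    return {
        "restricted": SCC("restricted", False, "MustRunAsRange",
                          1000000000, 1000009999, groups={AUTHENTICATED}),
        "anyuid": SCC("anyuid", False, "RunAsAny"),
        "hostmount-anyuid": SCC("hostmount-anyuid", True, "RunAsAny"),
    }


# Constructed pod mirroring hawkular-cassandra-1 from the thread: runs as root,
# mounts a hostPath volume, and names no serviceAccountName (so "default").
CASSANDRA_POD = {
    "namespace": "openshift-infra",
    "containers": [{"name": "hawkular-cassandra-1", "runAsUser": 0}],
    "volumes": [{"name": "data", "type": "hostPath"}],
}


def run_scenarios():
    """Replay the grants tried in the thread; returns scenario -> admit() result."""
    results = {}
    s = stock_sccs()                   # 1. nothing granted: only restricted applies
    results["no-grant"] = admit(CASSANDRA_POD, s.values())
    s = stock_sccs()                   # 2. granted to the RC's SA: wrong subject
    s["hostmount-anyuid"].users.add(
        sa_subject("openshift-infra", "replication-controller"))
    results["grant-rc-sa"] = admit(CASSANDRA_POD, s.values())
    s = stock_sccs()                   # 3. anyuid: fixes UID 0, not hostPath
    s["anyuid"].users.add(sa_subject("openshift-infra", "default"))
    results["grant-anyuid"] = admit(CASSANDRA_POD, s.values())
    s = stock_sccs()                   # 4. hostmount-anyuid -z default -n openshift-infra
    s["hostmount-anyuid"].users.add(sa_subject("openshift-infra", "default"))
    results["grant-hostmount"] = admit(CASSANDRA_POD, s.values())
    return results


if __name__ == "__main__":
    for name, (scc, report) in run_scenarios().items():
        print(f"{name}: {scc or 'FORBIDDEN'} {report if scc is None else ''}")
```

Running it shows the first two scenarios failing with exactly the two `restricted` errors from the thread, the `anyuid` grant still failing on `hostPath` alone, and only the grant to `system:serviceaccount:openshift-infra:default` (what `-z default -n openshift-infra` expands to) admitting the pod. The model also illustrates why the real error is unhelpful about identity: the SCCs that were never granted to the pod's account are skipped silently, so only the constraints of the SCCs that were evaluated appear in the message.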