[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Custom SCC assigned to wrong pods

Hi Jordan,

Reviving the thread on the custom scc with another question if you don't mind:

After i removed the 


from my custom scc i went ahead and done the following:

1) Created Foo project
2) Created my custom scc (which i shared in my previous email)
3) Deployed the app pods
4) Upgraded Openshift to 3.6.1 – pods started to crash due to having the default restricted scc instead of the custom scc previously assigned.

The docs says very clear that only the default scc will be reset to initial state and so i was expecting the POD to pick up the custom scc even if they get bounced during upgrade.

Any thoughts ?

Thanks !

On Wed, May 23, 2018 at 11:18 PM, Daniel Comnea <comnea dani gmail com> wrote:
I see the rational, thank you for quick response and knowledge.

On Wed, May 23, 2018 at 10:59 PM, Jordan Liggitt <jliggitt redhat com> wrote:
By making your SCC available to all authenticated users, it gets added to the set considered for every pod run by every service account:

- system:serviceaccount:foo:foo-sa
- system:authenticated

If you want to limit it to just your foo-sa service account, you should remove the system:authenticated group from the SCC

On Wed, May 23, 2018 at 5:54 PM, Daniel Comnea <comnea dani gmail com> wrote:

I'm running Origin 3.7.0 and i've created a custom SCC [1] which is being referenced by different Deployments objects using serviceAccountName: foo-scc-restricted.

Now the odd thing which i cannot explain is why glusterFS pods [2] which doesn't reference the new created serviceAccountName [3] do have the new custom scc being used [4]...is that normal or is a bug?


[1] https://gist.github.com/DanyC97/56070e3f1523e31c1ad96980df6d7fe5
[2] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918
[3] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
[4] https://gist.github.com/DanyC97/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11

dev mailing list
dev lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]