Redeploying the application creates new pods. Since you removed the part of your custom scc that allowed it to apply to your pods, those new pods were once again subject to the restricted policy.

On Jun 18, 2018, at 6:12 PM, Daniel Comnea <comnea dani gmail com> wrote:

Hi Jordan,

Reviving the thread on the custom scc with another question, if you don't mind:

After I removed the

groups:

from my custom scc, I went ahead and did the following:

1) Created Foo project
2) Created my custom scc (which I shared in my previous email)
3) Deployed the app pods
4) Upgraded OpenShift to 3.6.1 – pods started to crash due to having the default restricted scc instead of the custom scc previously assigned.

The docs say very clearly that only the default scc will be reset to initial state, and so I was expecting the pod to pick up the custom scc even if they get bounced during upgrade.

Any thoughts?

Thanks!

On Wed, May 23, 2018 at 11:18 PM, Daniel Comnea <comnea dani gmail com> wrote:

I see the rationale, thank you for the quick response and knowledge.

On Wed, May 23, 2018 at 10:59 PM, Jordan Liggitt <jliggitt redhat com> wrote:

By making your SCC available to all authenticated users, it gets added to the set considered for every pod run by every service account:

If you want to limit it to just your foo-sa service account, you should remove the system:authenticated group from the SCC

- system:serviceaccount:foo:foo-sa
groups:

On Wed, May 23, 2018 at 5:54 PM, Daniel Comnea <comnea dani gmail com> wrote:

Hi,

I'm running Origin 3.7.0 and I've created a custom SCC which is being referenced by different Deployment objects using serviceAccountName: foo-scc-restricted.

Now the odd thing which I cannot explain is why glusterFS pods which don't reference the newly created serviceAccountName do have the new custom scc being used ... is that normal or is it a bug?

Cheers,
Dani

7/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L65
7/6b7a15ed8de87951cee6d038646e0918#file-glusterfs-deployment-yml-L11
_________________
dev mailing list
dev lists openshift redhat com
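
As an added illustration of the exchange above (not code from the thread or from OpenShift), this Python sketch models which SCCs are considered for a pod's service account, using only the SCC's `users` and `groups` fields. The SCC name `custom-scc`, the `glusterfs` namespace with its `default` service account, and the sample SCC definitions are constructed; RBAC grants and the priority ordering among candidate SCCs are not modelled.

```python
# Added illustration: simplified model of which SCCs are considered for a pod.
# Assumption: only the SCC's own `users` and `groups` fields grant access;
# RBAC grants and the priority ordering among candidates are not modelled.

def service_account_identity(namespace, name):
    """Username and groups that OpenShift assigns to a service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {
        "system:authenticated",
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
    }
    return user, groups


def sccs_considered(sccs, namespace, sa_name):
    """Names of the SCCs whose users/groups match the pod's service account."""
    user, groups = service_account_identity(namespace, sa_name)
    matched = []
    for scc in sccs:
        users = scc.get("users") or []        # field may be absent or null
        scc_groups = scc.get("groups") or []
        if user in users or groups.intersection(scc_groups):
            matched.append(scc["name"])
    return sorted(matched)


def cluster(custom_users, custom_groups):
    """Constructed sample: the default restricted SCC plus one custom SCC."""
    return [
        {"name": "restricted", "users": [], "groups": ["system:authenticated"]},
        {"name": "custom-scc", "users": custom_users, "groups": custom_groups},
    ]


FOO_SA = "system:serviceaccount:foo:foo-sa"  # subject named in the thread

if __name__ == "__main__":
    cases = {
        "custom SCC open to system:authenticated": cluster([FOO_SA], ["system:authenticated"]),
        "custom SCC scoped to foo-sa only": cluster([FOO_SA], []),
        "custom SCC with no matching subject": cluster([], None),
    }
    for label, sccs in cases.items():
        print(label)
        print("  foo/foo-sa        ->", sccs_considered(sccs, "foo", "foo-sa"))
        print("  glusterfs/default ->", sccs_considered(sccs, "glusterfs", "default"))
```

The third case corresponds to the upgrade question: with no subject left on the custom SCC, newly created pods in `foo` match only `restricted`.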