
Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff



I'd like to continue this discussion because this broken configuration could be easily reproduced by following our own documentation:

https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile

How can we fix this?

Do we have a virtual group (like system:authenticated) that doesn't include any system-related users? In this case, we will be able to use such a group in the example above.


2018-05-17 15:15 GMT+02:00 Sam Padgett <spadgett redhat com>:
The file mode is 400, and I think anyuid breaks reading it since the user changes.


On Thu, May 17, 2018 at 9:03 AM, Clayton Coleman <ccoleman redhat com> wrote:
anyuid is less restrictive than restricted, unless you customized restricted.  Did you customize restricted?

On May 17, 2018, at 8:56 AM, Charles Moulliard <cmoullia redhat com> wrote:

Hi,

If we scale down/up the Replication Set of the OpenShift Web Console, then the new pod created will crash and report

"Error: unable to load server certificate: open /var/serving-cert/tls.crt: permission denied"

This problem comes from the fact that when the pod is recreated, then the scc annotation is set to anyuid instead of restricted and then the pod can't access the cert

apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: anyuid

Has this bug been fixed for OpenShift 3.9? Is there a workaround to resolve it? Otherwise we can't access the Web Console anymore.

--
Slava Semushin | OpenShift
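
Added example, not part of the original thread or of OpenShift itself: a check that flags pods whose openshift.io/scc annotation differs from the expected SCC while they mount secret volumes with an owner-only file mode such as 0400, which is the combination the thread describes. The sample pod list is constructed, the function names are hypothetical, and "restricted" as the expected SCC is an assumption taken from the thread.

```python
# Constructed sample shaped like the output of `oc get pods --all-namespaces -o json`.
# Pod, namespace and secret names are made up for illustration.
SAMPLE = {"items": [
    {"metadata": {"name": "console-a", "namespace": "openshift-web-console",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"volumes": [{"name": "serving-cert",
                           "secret": {"secretName": "example-cert", "defaultMode": 0o400}}]}},
    {"metadata": {"name": "console-b", "namespace": "openshift-web-console",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"volumes": [{"name": "serving-cert",
                           "secret": {"secretName": "example-cert", "defaultMode": 0o400}}]}},
    {"metadata": {"name": "app-c", "namespace": "demo",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"volumes": [{"name": "cfg", "secret": {"secretName": "example-cfg"}}]}},
]}

K8S_DEFAULT_MODE = 0o644  # used when a secret volume sets no defaultMode


def owner_only_secret_volumes(pod):
    """Return names of secret volumes whose files carry no group/other bits."""
    names = []
    for vol in pod.get("spec", {}).get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue
        mode = secret.get("defaultMode", K8S_DEFAULT_MODE)
        if mode & 0o077 == 0:  # e.g. 0400: only the file owner can read
            names.append(vol["name"])
    return names


def find_at_risk(pod_list, expected_scc="restricted"):
    """Pods admitted under an unexpected SCC that mount owner-only secrets."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        vols = owner_only_secret_volumes(pod)
        if scc is not None and scc != expected_scc and vols:
            findings.append((meta["namespace"], meta["name"], scc, vols))
    return findings


if __name__ == "__main__":
    for ns, name, scc, vols in find_at_risk(SAMPLE):
        print(f"{ns}/{name}: scc={scc}, owner-only secret volumes: {', '.join(vols)}")
```

The check reads only the volume-level defaultMode; per-item mode overrides inside a secret volume are not examined.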
