
Re: Using Custom SCC and Service Account in Deployment



What is documented in that blog does work.

Instead of:

    oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

use:

    oc adm policy add-scc-to-user anyuid -z mysvcacct

as the blog explains, and make sure you are in the correct project, in case you weren't when you switched to admin, or add the '-n yourprojectname' option to the commands.

The form of what you ran is:

    oc adm policy add-scc-to-user <scc_name> \
        system:serviceaccount:<serviceaccount_namespace>:<serviceaccount_name>

If you only have three parts to the colon-separated argument, it is interpreted as:

    oc adm policy add-scc-to-group <scc_name> \
        system:serviceaccounts:<serviceaccount_namespace>

So you aren't strictly adding it to just the service account, but to all service accounts in the namespace. That should have yielded the same result, but maybe not, and definitely probably not what you wanted, especially if you ran it in the wrong project.

Graham

On 27 Jul 2017, at 4:49 AM, Isuru Haththotuwa <isurulucky gmail com> wrote:

Hi all,

I'm trying to allow Docker containers to be run in OpenShift using the user specified in the Dockerfile itself, without using a random user id. I see that it's possible to do this using the command [1], where all authenticated users will be added to the anyuid group. Without doing this for all users, can I do it for one specific user? I tried the following:
  1. Create a service account in default project using command [2]
  2. Add the service account to the anyuid scc using command [3]
  3. Referred to this service account name in the Deployment definition as shown in the sample [4]

However, still the container seems to start with a random user id. Is this approach incorrect? What is the link between service account and the user we set in the Docker images (with USER keyword)?


[1]. oc adm policy add-scc-to-group anyuid system:authenticated

[2]. oc create serviceaccount mysvcacct

[3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

[4]. https://blog.openshift.com/understanding-service-accounts-sccs/

--
Thanks and Regards,
Isuru
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
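
An added example, not part of the original messages or of `oc`: a small pre-flight check for the subject string discussed in the reply above. It tells the four-part single-service-account form apart from the per-namespace group form and from the three-part string in the question. The helper names `classify_subject` and `suggest_command` are hypothetical, and the sample subjects are constructed from the names used in the thread.

```shell
#!/bin/sh
# Added example: classify_subject and suggest_command are hypothetical
# helpers, not part of oc. They inspect a subject string before it is
# passed to `oc adm policy add-scc-to-user` / `add-scc-to-group`.
classify_subject() {
    case $1 in
        system:serviceaccount:*:*:*)
            echo "malformed too-many-fields" ;;
        system:serviceaccount:?*:?*)
            # Four parts: exactly one service account, <namespace>:<name>.
            rest=${1#system:serviceaccount:}
            echo "serviceaccount ${rest%%:*} ${rest#*:}" ;;
        system:serviceaccount:*)
            # Three parts (the string from the question): namespace missing.
            echo "incomplete missing-namespace-or-name" ;;
        system:serviceaccounts:*:*)
            echo "malformed too-many-fields" ;;
        system:serviceaccounts:?*)
            # Group form: every service account in that namespace.
            echo "all-serviceaccounts-in ${1#system:serviceaccounts:}" ;;
        system:authenticated)
            echo "all-authenticated-users" ;;
        *)
            echo "other" ;;
    esac
}

# Print the binding command in the -z/-n form, or refuse anything that
# does not name exactly one service account.
suggest_command() {
    scc=$1
    set -- $(classify_subject "$2")
    if [ "$1" = serviceaccount ]; then
        echo "oc adm policy add-scc-to-user $scc -z $3 -n $2"
    else
        echo "refusing: '$*' is not a single service account"
        return 1
    fi
}

# Constructed sample inputs, including the three-part string from the thread.
for s in system:serviceaccount:default:mysvcacct \
         system:serviceaccount:mysvcacct \
         system:serviceaccounts:default; do
    printf '%-42s -> %s\n' "$s" "$(classify_subject "$s")"
done
```

The helpers only parse strings and print a command; nothing is sent to a cluster.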

