-
OpenShift: Assign SCC to a SA
3 min read
If you try to create a pod with some privileges using the securityContext you are going to find out that it's not going to work on OpenShift as it would on a vanilla Kubernetes:
$ kubectl describe sts example-no-scc Name: example-no-scc (...) Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning FailedCreate 18s (x13 over 38s) statefulset-controller create Pod example-no-scc-0 in StatefulSet example-no-scc failed error: pods "example-no-scc-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[1].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]08/09/2022
Read more...
From pet to cattle
Treat your kubernetes clusters like cattle, not pets