Privileged containers are not allowed
Issue
- Got the following error messages in the Events section when creating pods through a DaemonSet.
# oc describe ds
...omitted...
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
2h 6m 51 daemon-set Warning FailedCreate Error creating: pods "logging-apps-" is forbidden: unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
- The definition of the DaemonSet is as follows.
# oc get ds -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
kind: DaemonSet
... snip ...
spec:
containers:
- env:
... snip ...
securityContext:
privileged: true
... snip ...
serviceAccount: sa-logging-apps
serviceAccountName: sa-logging-apps
- There is a service account in the project running the DaemonSet deployment.
# oc get sa
NAME SECRETS AGE
builder 2 2h
default 2 2h
deployer 2 2h
logging-apps 2 2h
- The logging-apps service account has been granted the privileged SCC.
# oc describe scc privileged
Name: privileged
Priority: <none>
Access:
Users: system:serviceaccount:openshift-infra:build-controller,system:serviceaccount:management-infra:management-admin,system:serviceaccount:management-infra:inspector-admin,system:serviceaccounts:logging-apps:logging-apps
Groups: system:cluster-admins,system:nodes,system:masters
Settings:
...omitted...
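The following is an added check, not part of the original article or of OpenShift itself: it builds the user name and implicit groups that OpenShift assigns to a service account (system:serviceaccount:NAMESPACE:NAME, plus the system:serviceaccounts and system:serviceaccounts:NAMESPACE groups) and tests them against the Users and Groups lists printed above. It assumes the project is named logging-apps; the DaemonSet runs as sa-logging-apps, while the SCC entry reads system:serviceaccounts:logging-apps:logging-apps, so neither that name nor logging-apps is reported as covered.

```python
# Added example (not from the original article or OpenShift): does an SCC's
# access list cover a pod's service account? Project name "logging-apps" is assumed.

# Constructed from the `oc describe scc privileged` output above.
SCC_USERS = (
    "system:serviceaccount:openshift-infra:build-controller,"
    "system:serviceaccount:management-infra:management-admin,"
    "system:serviceaccount:management-infra:inspector-admin,"
    "system:serviceaccounts:logging-apps:logging-apps"
).split(",")
SCC_GROUPS = "system:cluster-admins,system:nodes,system:masters".split(",")


def sa_identity(namespace: str, name: str) -> tuple[str, list[str]]:
    """User name and implicit groups OpenShift assigns to a service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = [
        "system:serviceaccounts",               # every service account in the cluster
        f"system:serviceaccounts:{namespace}",  # every service account in this project
        "system:authenticated",
    ]
    return user, groups


def scc_covers(namespace: str, name: str, users=SCC_USERS, groups=SCC_GROUPS) -> bool:
    """True when the SCC lists the SA's user name or one of its groups."""
    user, sa_groups = sa_identity(namespace, name)
    return user in users or any(g in groups for g in sa_groups)


def explain(namespace: str, name: str) -> str:
    """One-line verdict for a service account, e.g. for a troubleshooting script."""
    user, _ = sa_identity(namespace, name)
    verdict = "covered" if scc_covers(namespace, name) else "NOT covered"
    return f"{user}: {verdict}"


if __name__ == "__main__":
    # The DaemonSet runs as sa-logging-apps; `oc get sa` in the project shows logging-apps.
    for sa in ("sa-logging-apps", "logging-apps"):
        print(explain("logging-apps", sa))
```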
Environment
- OpenShift Container Platform
- 3.7