Privileged containers are not allowed

Solution Unverified

Issue

  • The following error appears in the Events section when a DaemonSet attempts to create its pods.
# oc describe ds

...omitted...

Events:
  FirstSeen     LastSeen        Count   From            SubObjectPath   Type            Reason          Message
  ---------     --------        -----   ----            -------------   --------        ------          -------
  2h            6m              51      daemon-set                      Warning         FailedCreate    Error creating: pods "logging-apps-" is forbidden: unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
  • Definition of the DaemonSet is as follows.
# oc get ds -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
    ... snip ...
      spec:
        containers:
        - env:
        ... snip ...
          securityContext:
            privileged: true
        ... snip ...
        serviceAccount: sa-logging-apps
        serviceAccountName: sa-logging-apps
  • There is a service account in the project running the DaemonSet deployment.
# oc get sa
NAME                  SECRETS   AGE
builder               2         2h
default               2         2h
deployer              2         2h
logging-apps          2         2h
  • The logging-apps service account is expected to have been granted the privileged SCC:
# oc describe scc privileged

Name:                       privileged
Priority:                   <none>
Access:                     
  Users:                    system:serviceaccount:openshift-infra:build-controller,system:serviceaccount:management-infra:management-admin,system:serviceaccount:management-infra:inspector-admin,system:serviceaccounts:logging-apps:logging-apps
  Groups:                   system:cluster-admins,system:nodes,system:masters
Settings:                   
...omitted...
  • Note two mismatches in the output above. The DaemonSet runs its pods as serviceAccountName: sa-logging-apps, but the only non-default service account in the project is logging-apps. And the Users list of the privileged SCC contains system:serviceaccounts:logging-apps:logging-apps (plural), which is not the user name of any service account: a service account is identified as the user system:serviceaccount:<project>:<name> (singular), while system:serviceaccounts:<project> is a group name. Neither the service account the DaemonSet references nor logging-apps is therefore covered by the privileged SCC, so the pod falls through to the restricted SCC, which forbids privileged: true and hostPath volumes, exactly as the event message ("provider restricted: ...") reports.
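As an added example, not part of this Red Hat solution, the following Python models how OpenShift derives a service account's identity (user system:serviceaccount:<project>:<name>; groups system:serviceaccounts, system:serviceaccounts:<project> and system:authenticated) and checks that identity against an SCC's Users and Groups. The SCC subjects, the project's service-account list and the DaemonSet's serviceAccountName are transcribed from the output above; the project name logging-apps is an assumption, since the page never shows it, and the function names (sa_user_name, scc_matches, diagnose, corrected_scc) are illustrative, not an OpenShift API.

```python
"""Model the SCC subject match for a pod's service account (added example).

Identity rules mirrored here:
  user   system:serviceaccount:<project>:<name>          (singular)
  groups system:serviceaccounts, system:serviceaccounts:<project>, system:authenticated
"""
from dataclasses import dataclass

SA_USER_PREFIX = "system:serviceaccount:"    # singular: a user name
SA_GROUP_PREFIX = "system:serviceaccounts:"  # plural: a per-project group name


@dataclass(frozen=True)
class SCC:
    name: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()


def sa_user_name(project: str, sa: str) -> str:
    """User name OpenShift assigns to a service account."""
    return f"{SA_USER_PREFIX}{project}:{sa}"


def sa_groups(project: str) -> frozenset:
    """Groups every service account in `project` belongs to."""
    return frozenset({"system:serviceaccounts", f"{SA_GROUP_PREFIX}{project}", "system:authenticated"})


def scc_matches(scc: SCC, project: str, sa: str) -> bool:
    """True if the SCC's Users or Groups cover the service account's identity."""
    return sa_user_name(project, sa) in scc.users or bool(sa_groups(project) & scc.groups)


def diagnose(scc: SCC, project: str, sa: str, project_sas: frozenset) -> list:
    """Human-readable reasons a pod running as `sa` would not be admitted by `scc`."""
    problems = []
    if sa not in project_sas:
        problems.append(f"serviceAccountName {sa!r} is not a service account in project {project!r} "
                        f"(have: {', '.join(sorted(project_sas))})")
    for entry in sorted(scc.users):
        if entry.startswith(SA_GROUP_PREFIX):
            problems.append(f"users entry {entry!r} uses the group prefix {SA_GROUP_PREFIX!r}; "
                            f"a service account user is written as {sa_user_name(project, sa)!r}")
    if not problems and not scc_matches(scc, project, sa):
        problems.append(f"{sa_user_name(project, sa)!r} is in neither users nor groups of scc/{scc.name}")
    return problems


def corrected_scc(scc: SCC, project: str, sa: str) -> SCC:
    """The SCC after granting the singular user name, which is what
    `oc adm policy add-scc-to-user <scc> -z <sa> -n <project>` records."""
    return SCC(scc.name, scc.users | {sa_user_name(project, sa)}, scc.groups)


# Constructed from the `oc describe scc privileged` output on this page.
PRIVILEGED = SCC(
    name="privileged",
    users=frozenset({
        "system:serviceaccount:openshift-infra:build-controller",
        "system:serviceaccount:management-infra:management-admin",
        "system:serviceaccount:management-infra:inspector-admin",
        "system:serviceaccounts:logging-apps:logging-apps",  # plural entry, as on the page
    }),
    groups=frozenset({"system:cluster-admins", "system:nodes", "system:masters"}),
)
PROJECT = "logging-apps"                                                  # assumption: not shown on the page
PROJECT_SAS = frozenset({"builder", "default", "deployer", "logging-apps"})  # from `oc get sa`
DS_SA = "sa-logging-apps"                                                 # serviceAccountName in the DaemonSet

if __name__ == "__main__":
    for problem in diagnose(PRIVILEGED, PROJECT, DS_SA, PROJECT_SAS):
        print("-", problem)
    fixed = corrected_scc(PRIVILEGED, PROJECT, "logging-apps")
    print("logging-apps covered by privileged SCC after fix:", scc_matches(fixed, PROJECT, "logging-apps"))
```

On a live cluster the equivalent checks are `oc get scc privileged -o yaml` for the subject lists and, once a pod is admitted, its `openshift.io/scc` annotation, which names the SCC that validated it. Granting the singular user name is what `oc adm policy add-scc-to-user privileged -z logging-apps -n <project>` does (project name assumed); the DaemonSet must in addition reference a service account that actually exists in the project, or the grant never applies to its pods.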

Environment

  • OpenShift Container Platform
    • 3.7
