Privileged containers are not allowed
Issue
- Got the following error messages in the Events section when creating pods through a DaemonSet.
# oc describe ds
...omitted...
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
2h 6m 51 daemon-set Warning FailedCreate Error creating: pods "logging-apps-" is forbidden: unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
- The definition of the DaemonSet is as follows.
# oc get ds -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  ... snip ...
  spec:
    containers:
    - env:
      ... snip ...
      securityContext:
        privileged: true
    ... snip ...
    serviceAccount: sa-logging-apps
    serviceAccountName: sa-logging-apps
- There is a service account in the project running the DaemonSet deployment.
# oc get sa
NAME SECRETS AGE
builder 2 2h
default 2 2h
deployer 2 2h
logging-apps 2 2h
The logging-apps service account has the privileged permission.
# oc describe scc privileged
Name: privileged
Priority: <none>
Access:
Users: system:serviceaccount:openshift-infra:build-controller,system:serviceaccount:management-infra:management-admin,system:serviceaccount:management-infra:inspector-admin,system:serviceaccounts:logging-apps:logging-apps
Groups: system:cluster-admins,system:nodes,system:masters
Settings:
...omitted...
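The SCC membership check that admission performed for the event above, written out as an added example (not code from this article or from OpenShift). It assumes the project namespace is `logging-apps` and rebuilds the SCC data from the `oc describe scc privileged` output shown.

```python
# Added example, not from the Red Hat article or the OpenShift code base.
# Re-checks which service accounts the "privileged" SCC actually admits,
# using data constructed from the article's oc output.
# Assumption: the project namespace is "logging-apps" (not named in the article).

# `oc describe scc privileged` output, constructed from the article.
DESCRIBE_SCC = """\
Name: privileged
Priority: <none>
Access:
Users: system:serviceaccount:openshift-infra:build-controller,system:serviceaccount:management-infra:management-admin,system:serviceaccount:management-infra:inspector-admin,system:serviceaccounts:logging-apps:logging-apps
Groups: system:cluster-admins,system:nodes,system:masters
"""

def sa_user(namespace, name):
    """User identity a pod's service account presents to SCC admission."""
    return "system:serviceaccount:%s:%s" % (namespace, name)

def sa_groups(namespace):
    """Groups every service account in a namespace belongs to."""
    return {"system:serviceaccounts", "system:serviceaccounts:" + namespace,
            "system:authenticated"}

def parse_describe_scc(text):
    """Pull the Users: and Groups: entries out of `oc describe scc` output."""
    scc = {"users": set(), "groups": set()}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Users", "Groups"):
            scc[key.strip().lower()] = {v.strip() for v in value.split(",") if v.strip()}
    return scc

def scc_admits(scc, namespace, sa_name):
    """True if the SCC lists the SA directly or one of its groups."""
    return (sa_user(namespace, sa_name) in scc["users"]
            or bool(sa_groups(namespace) & scc["groups"]))

def misplaced_group_entries(scc):
    """Users: entries written with the group prefix; they match no service account."""
    return sorted(u for u in scc["users"] if u.startswith("system:serviceaccounts:"))

if __name__ == "__main__":
    scc = parse_describe_scc(DESCRIBE_SCC)
    # DaemonSet's serviceAccountName first, then the SA listed by `oc get sa`.
    for sa in ("sa-logging-apps", "logging-apps"):
        print(sa, "admitted by privileged:", scc_admits(scc, "logging-apps", sa))
    print("Users: entries using the group prefix:", misplaced_group_entries(scc))
```

Run the same check against the real cluster by feeding `oc describe scc privileged` output to `parse_describe_scc` and the pod's `serviceAccountName` to `scc_admits` before granting anything wider.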
Environment
- OpenShift Container Platform
- 3.7