Reputation: 8585
If I try to add a security constraint to a local OpenShift all-in-one cluster running on Windows 10 Pro and Hyper-V, the OpenShift client receives the following message:
c:\openshift\oc.exe adm policy add-scc-to-user anyuid -z default
Error from server (Forbidden): User "system" cannot get securitycontextconstraints at the cluster scope"
The OpenShift instance was created by docker-machine using the following steps:
1) docker-machine create -d "hyperv" --engine-insecure-registry 172.30.0.0/16 --hyperv-virtual-switch "openshift" openshift
2) oc cluster up --docker-machine=openshift
Is there any configuration to allow the system user to have access to securitycontextconstraints?
Upvotes: 2
Views: 5177
Reputation: 1711
I could not apply the configuration command until I issued the command for logging in with admin rights:
oc login -u system:admin -n default
Afterwards, the well-known command above (in my case without the "docker" prefix), run on the command line with the OpenShift "oc" command-line utility, worked:
oc adm policy add-scc-to-user anyuid -z default -n projectname
Upvotes: 3
Reputation: 58523
Try running:
docker exec origin oc adm policy add-scc-to-user anyuid -z default -n projectname
This will run oc inside of the OpenShift cluster where it should run as an admin.
I would suggest also running:
docker exec origin oc adm policy add-cluster-role-to-group sudoer system:authenticated yourusername
That way you can in future run admin commands by running:
oc adm policy add-scc-to-user anyuid -z default -n projectname --as system:admin
That is, by using --as system:admin to impersonate admin.
You may want to consider using Minishift instead of oc cluster up, as it from memory gives the developer user the sudoer role by default and so can use --as system:admin to execute admin commands.
Upvotes: 5