

How to find out to which 'user' I should add 'scc'?

I'm trying to run elasticsearch container in my openshift project.

I got errors:

Privileged containers are not allowed capabilities.add: Invalid value: "IPC_LOCK": capability may not be added capabilities.add: Invalid value: "SYS_RESOURCE": capability may not be added

I've found out that you need to add privileged scc to user account (or create own dedicated one).

I've tried to follow docu where the following commands are given:

oc create serviceaccount mysvcacct -n myproject
oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct

However, no single clue is given what is mysvcacct and why it is called mysvcacct.

Because my project is called logging, I've tried the following:

oc create serviceaccount logging -n logging
oc adm policy add-scc-to-user privileged system:serviceaccount:logging:logging 

but it didn't change anything. I keep getting the same error.

What I'm missing there? What name should I use instead of mysvcacct?

Upvotes: 3

Views: 1117

Answers (1)

Daein Park
Daein Park

Reputation: 4693

FYI, I introduce the example of yaml format.

  • You can modify the ServiceAccount name using oc patch dc/your-deploymentConfigName cmd as follows.
# oc patch dc/elasticsearch --patch '{"spec":{"template":{"spec":{"serviceAccountName": "logging"}}}}'
  • Or using oc edit dc/your-deploymentConfigName, take a look around serviceAccountName.
# oc edit dc/elasticsearch
      - image: docker-registry.default.svc:5000/test/...
        imagePullPolicy: Always
        name: web
        - containerPort: 8080
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: logging
      serviceAccountName: logging

Upvotes: 2

Related Questions