Running Pods as Anyuid in Openshift Origin

When using OpenShift Origin, by default all pods run under the 'restricted' SCC (security context constraint), which forces the container to run with a user id generated from the project's UID range, whatever USER the image declares. Some containers just don't work that way (they expect a fixed UID, or root), so the restriction has to be relaxed for those pods. The anyuid SCC does exactly that: the pod keeps the UID baked into the image, root included, but still gets no privileged mode and no host access. Grant it to a dedicated service account and only the pods that use that account are affected. Reference: https://blog.openshift.com/understanding-service-accounts-sccs/

Creating a service account

First, create a service account in your project (see https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html). This is a sample YAML to do that:
kind: ServiceAccount
apiVersion: v1
metadata:
  name: mysvcacct
Note that underscores are not allowed in a service account name (the name has to be a valid DNS subdomain: lowercase letters, digits, '-' and '.'), even though the official OpenShift example contains one.

Assigning anyuid

Then a cluster administrator logs in, switches to the project and assigns the anyuid SCC to the service account:

oc login
oc project theproject
oc adm policy add-scc-to-user anyuid -z mysvcacct

The -z flag names a service account in the current project, so the oc project step matters; without it the grant lands in whatever project you were last in. Grant the SCC to this one account only: adding it to the project's default service account, or to a group such as system:authenticated, would let every pod run as root. Afterwards, oc get scc anyuid -o yaml should list system:serviceaccount:theproject:mysvcacct under users.

Using the service account

Now edit the deployment config or replication controller so that its pod template uses the service account:

apiVersion: v1
kind: ReplicationController
metadata:
  name: spark-master-controller
  namespace: sparkz
  selfLink: /api/v1/namespaces/sparkz/replicationcontrollers/spark-master-controller
  uid: a1f26de8-b6e3-11e7-846c-005056a56b12
  resourceVersion: '129053544'
  generation: 2
  creationTimestamp: '2017-10-22T04:44:04Z'
  labels:
    component: spark-master
spec:
  replicas: 1
  selector:
    component: spark-master
  template:
    metadata:
      creationTimestamp: null
      labels:
        component: spark-master
    spec:
      containers:
        - name: spark-master
          image: 'gcr.io/google_containers/spark:latest'
          command:
            - /start-master
          ports:
            - containerPort: 7077
              protocol: TCP
            - containerPort: 8080
              protocol: TCP
          resources:
            requests:
              cpu: 100m
          terminationMessagePath: /dev/termination-log
          imagePullPolicy: Always
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      # pods from this template run as mysvcacct, which holds the anyuid SCC
      serviceAccountName: mysvcacct
      securityContext: {}
status:
  replicas: 1
  fullyLabeledReplicas: 1
  readyReplicas: 1
  availableReplicas: 1
  observedGeneration: 2

Note that serviceAccountName sits in the pod template, under spec.template.spec, at the same level as containers, not in the top-level spec. Add the line if it doesn't exist yet. Editing a deployment config normally triggers a new rollout (with the default ConfigChange trigger); editing a replication controller does not touch its running pods, so delete them and let the controller recreate them. A recreated pod carries an openshift.io/scc annotation (shown by oc describe pod) that should now read anyuid instead of restricted; if it still says restricted, the pod is not using the account or the SCC grant went to a different project.
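The three steps above as one script, added here as an example and not part of the original post: it validates the service account name, creates the account, grants it anyuid, binds the workload's pod template to it and then reads back which SCC the new pod actually got. The project, account and workload names are the ones used on this page; the helper functions and the RUN_OC switch are this example's own assumptions. The add-scc-to-user step needs cluster-admin.

```shell
#!/bin/sh
# Added example (not from the original post). Names follow the page
# (sparkz, mysvcacct, spark-master-controller); helper functions and the
# RUN_OC switch are assumptions of this example.
set -eu

# Service account names are DNS-1123 subdomains: lowercase alphanumerics,
# '-' and '.', at most 253 characters, starting and ending alphanumeric.
# An underscore (as in the official example's name) is rejected by the API.
valid_sa_name() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Minimal ServiceAccount manifest, fed to "oc create -f -".
sa_manifest() {
    cat <<EOF
kind: ServiceAccount
apiVersion: v1
metadata:
  name: $1
EOF
}

# Strategic-merge patch that sets spec.template.spec.serviceAccountName on a
# replication controller or deployment config (both carry a pod template).
sa_patch() {
    printf '{"spec":{"template":{"spec":{"serviceAccountName":"%s"}}}}' "$1"
}

# Reads "oc get pod ... -o json" on stdin and prints the SCC that admission
# recorded in the openshift.io/scc annotation: "anyuid" if the grant took
# effect, "restricted" if the pod still runs under the default account.
pod_scc() {
    sed -n 's/.*"openshift\.io\/scc": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Runs the real oc commands. Only executed when RUN_OC=1 so the script and
# its checks stay usable offline. Args: project account rc|dc workload selector
apply_anyuid() {
    project=$1 sa=$2 kind=$3 workload=$4 selector=$5
    valid_sa_name "$sa" || { echo "invalid service account name: $sa" >&2; return 1; }
    oc project "$project"
    sa_manifest "$sa" | oc create -f -
    # -z resolves the name in the current project. Grant the SA only, never
    # the project's "default" SA or a group, or every pod would get anyuid.
    oc adm policy add-scc-to-user anyuid -z "$sa"
    oc patch "$kind" "$workload" -p "$(sa_patch "$sa")"
    # A DC rolls out on a template change; an RC does not touch running pods,
    # so they are deleted here and recreated by the controller with the SA.
    [ "$kind" = dc ] || oc delete pod -l "$selector"
    sleep 10   # give the scheduler a moment before reading the new pod back
    echo "pods matching $selector now run under SCC: $(oc get pod -l "$selector" -o json | pod_scc)"
}

if [ "${RUN_OC:-0}" = 1 ]; then
    apply_anyuid sparkz mysvcacct rc spark-master-controller component=spark-master
fi
```

Run it as RUN_OC=1 sh anyuid.sh from a cluster-admin login; without RUN_OC it only defines the helpers, which is how the name check and the annotation parser can be exercised against a constructed pod JSON before touching a cluster.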
