SCC applied but doesn't appear to be taking effect #1954
Unanswered
ALL-SPACE-Anas asked this question in Q&A
Replies: 0 comments
Hi,

I'm new to working with SCCs, so I'm very confused by the inconsistent behaviour I'm facing. We have a bare-metal OKD 4.15 cluster deployed. I'm facing this issue as part of my attempts to deploy and make GitHub Actions runner controller work (as it's not supported for OpenShift). I've managed to deploy it without hiccups, but for runners, I've noticed, they need anyuid permissions (otherwise I'd get `CreateContainerError` because of `Permission Denied` on scripts). To resolve this, I provided the anyuid scc to the service account associated with the runner pods. I used the command below for it:

`oc adm policy add-scc-to-user anyuid -z <sa>`

I expected the service account to show up under "Users" but it didn't.

`oc describe scc anyuid`

But I could see the pods being created afterwards, so it looks like it was effective. Now, I got into some errors working inside the pod and, to rule out the possibility that it's not to do with the permissions, I decided to try with the privileged scc instead. So, I used the following commands,

The service account still doesn't show up under "Users" when doing `oc describe scc privileged`, but I expected it to be effective, which I suspect it was not, as I start seeing the original error of `CreateContainerError` because of `Permission Denied`. This hints to me that the `privileged` scc may not be effective.

Another test I did was to create a custom-scc which is basically the same as anyuid except it has "Allowed Capabilities: SETFCAP".

`oc describe scc custom-scc`

I added it to the sa using the same steps above, but I keep seeing the same error of `CreateContainerError` because of `Permission Denied`, hinting that the custom-scc is not effective despite it being almost the same. Could this be a bug? Is there something I'm missing?
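The question grants several SCCs to one service account and expects the latest grant to take effect, but admission picks from the whole set of SCCs the service account may use, ordered by priority (highest first, a nil priority counting as 0), then from most to least restrictive, then by name, and records the winner in the pod's `openshift.io/scc` annotation. The Python model below is an added example, not code from the question or from OKD; its restrictiveness score and pod-validation rules are simplified stand-ins for the apiserver's, and the SCC set is constructed to resemble the one described.

```python
"""Model of OpenShift SCC admission: the SCCs a service account may use are
ordered by priority (highest first, nil = 0), then most-to-least restrictive,
then name, and the pod is admitted under the first one that validates it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SCC:
    name: str
    priority: int = 0                    # nil priority counts as 0
    allow_privileged: bool = False
    run_as_user: str = "MustRunAsRange"  # "RunAsAny" lets the pod pick its UID
    allowed_capabilities: frozenset = frozenset()  # "*" means any capability

    def restrictiveness(self) -> int:
        """Lower is more restrictive. Simplified stand-in for the apiserver's
        point table (assumption), enough to rank the SCCs in the question."""
        score = 1000 if self.allow_privileged else 0
        score += 100 if self.run_as_user == "RunAsAny" else 0
        caps = self.allowed_capabilities
        return score + (500 if "*" in caps else 10 * len(caps))

    def validates(self, pod: dict) -> bool:
        """Does the pod's requested security context fit inside this SCC?"""
        if pod.get("privileged") and not self.allow_privileged:
            return False
        # Simplification: an explicit UID is treated as outside the project's range.
        if pod.get("run_as_user") is not None and self.run_as_user != "RunAsAny":
            return False
        wanted = set(pod.get("add_capabilities", ()))
        return "*" in self.allowed_capabilities or wanted <= self.allowed_capabilities


def order_sccs(sccs):
    """Documented ordering: priority desc, then most restrictive, then name."""
    return sorted(sccs, key=lambda s: (-s.priority, s.restrictiveness(), s.name))


def select_scc(sccs, pod):
    """Name admission records in the pod's openshift.io/scc annotation; None means
    no granted SCC accepts the pod and it is rejected at admission."""
    return next((s.name for s in order_sccs(sccs) if s.validates(pod)), None)


# Constructed set resembling the question's: restricted-v2 is available to every
# authenticated identity, the other three were granted to the runner SA.
GRANTED = [
    SCC("restricted-v2"),
    SCC("anyuid", priority=10, run_as_user="RunAsAny"),
    SCC("custom-scc", priority=10, run_as_user="RunAsAny",
        allowed_capabilities=frozenset({"SETFCAP"})),
    SCC("privileged", allow_privileged=True, run_as_user="RunAsAny",
        allowed_capabilities=frozenset({"*"})),
]
RUNNER_POD = {"run_as_user": 1001}  # constructed: image runs as a fixed non-root UID
```

With this set, a pod that only needs a fixed UID is admitted under anyuid even though privileged was also granted, since anyuid sorts first on priority and validates the pod. On 4.x clusters `oc adm policy add-scc-to-user` grants the SCC through a RoleBinding to the `system:openshift:scc:<name>` ClusterRole rather than by editing the SCC's `users` list, so the effective SCC is best read from `oc get pod <name> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`.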