Restricted SCC not allowing a privilege container port to expose within and outside container #871
-
Which template?
What's "add that serviceaccount under user" and what requires manual editing?
Don't modify default SCCs, this might break updates. Use a custom SCC instead.
-
I am trying to select the must-gather logs file, but it is not taking it. How can I upload it here? Don't modify default SCCs, this might break updates. Use custom SCC instead
Template attached; must-gather logs are here: http://88.198.173.117:8010/must-gather.tar.gz
I am using the default service account. I even tried to create another service account and a different project, but it still doesn't work. Thanks.
-
After running this command I am able to run an individual DeploymentConfig pod with the anyuid SCC, but I am still struggling with the template.
-
The culprit for my template was the deploymentconfig section, which used to work up to 4.5; not sure what happened with this. When I tested it with a sample deploymentconfig it worked, so we can close this case.
-
Describe the bug
I have a customized nginx container image which runs as the root user. The issue now is that it runs with the Restricted SCC. When I run this image with just a pod template it starts with anyuid and it works fine. But when I run it from a template it starts with the Restricted SCC. I have set privileged container to true in the restricted SCC.
One major issue here is that when I run a command like the one below, it doesn't add that service account under user in the SCC. I have to manually edit it and add that. Only after that, the pod running with anyuid works fine.
oc adm policy add-scc-to-user scc-admin system:serviceaccount:testing:default
I tried to add similar entries in the restricted SCC manually, but it did not work; then I tried to create a new SCC with all privileges, scc-admin.
FYI: during installation it failed with OpenShift SDN; at that time some issue was going on, so I then used OVN-Kubernetes.
Version
[amit@okd-installer ~]$ oc version
Client Version: 4.7.16
Server Version: 4.7.0-0.okd-2021-06-19-191547
Kubernetes Version: v1.20.0-1079+87cc9a4ade7ebe-dirty
It is installed on bare-metal servers with Fedora CoreOS and it is UPI.
How reproducible
Every time
Log bundle
Will attach logs soon.
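The advice earlier in the thread, to use a custom SCC instead of editing the defaults, could look like the manifest below. This is an added example, not taken from the thread or from the OKD project; the names nginx-root, nginx-sa, use-scc-nginx-root and nginx-sa-use-scc are assumptions, and testing is the namespace from the command in the post.

```yaml
# Added example (not from the thread): all names below are hypothetical.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nginx-root                 # custom SCC; default SCCs stay untouched
allowPrivilegedContainer: false    # running as UID 0 does not require privileged mode
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
requiredDropCapabilities: [MKNOD]
runAsUser: {type: RunAsAny}        # lets the image keep its root user
seLinuxContext: {type: MustRunAs}
fsGroup: {type: RunAsAny}
supplementalGroups: {type: RunAsAny}
volumes: [configMap, downwardAPI, emptyDir, persistentVolumeClaim, projected, secret]
users: []                          # access is granted through RBAC below
groups: []
---
apiVersion: v1
kind: ServiceAccount               # dedicated account instead of "default"
metadata: {name: nginx-sa, namespace: testing}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: use-scc-nginx-root}
rules:
- apiGroups: [security.openshift.io]
  resources: [securitycontextconstraints]
  resourceNames: [nginx-root]      # only this SCC, nothing broader
  verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                  # scoped to the testing namespace only
metadata: {name: nginx-sa-use-scc, namespace: testing}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: use-scc-nginx-root}
subjects:
- {kind: ServiceAccount, name: nginx-sa, namespace: testing}
# In the template's DeploymentConfig, set spec.template.spec.serviceAccountName: nginx-sa
# To see which SCC admitted a pod, read its openshift.io/scc annotation.
```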