理解scc sa
dc(sa)--pod,即定义dc时候指定使用哪个sa, 而sa可以加入到某个scc
https://blog.openshift.com/understanding-service-accounts-sccs/
openshift里多了scc概念.scc是security context constraints缩写.安全上下文约束.
简单讲就是授权的. 系统有一大堆权限,包含访问project的权限,访
问api的权限等.新建个用户后,酌情把这些权限授权他们.在我新建的
project ,demo-project里新建了个nginx. 报错.
如果对openshift scc不太熟,还一时半会真不好解决.
报错如下
参考:
https://docs.openshift.com/enterprise/3.2/admin_guide/manage_scc.html
Grant a Service Account Access to the Privileged SCC
First, create a service account. For example, to create service account mysvcacct
in project myproject
:
$ oc create serviceaccount mysvcacct -n myproject
Then, add the service account to the privileged
SCC.
$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct
Enable Images to Run with USER in the Dockerfile
To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:
-
Grant all authenticated users access to the anyuid SCC:
$ oadm policy add-scc-to-group anyuid system:authenticated
This allows images to run as the root UID if no USER is specified in the Dockerfile. |
openshift不能跑nginx
the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2016/09/23 15:58:10 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
https://github.com/minishift/minishift/issues/105
I solved this last issue by doing this:
$ oc edit scc anyuid
and add:
users:
- system:serviceaccount:default:default