Fixing permission errors when running apps on OpenShift

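Understanding SCCs and service accounts

dc(sa)--pod: when you define a dc (DeploymentConfig) you specify which sa (service account) it uses, and an sa can be added to an scc.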


https://blog.openshift.com/understanding-service-accounts-sccs/





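OpenShift adds the concept of an SCC. SCC stands for security context constraints.

Put simply, it is about authorization. The system has a large set of permissions, including permission to access a project, permission to access the API, and so on. After creating a new user, you grant these permissions to them as appropriate. In my newly created project, demo-project, I created an nginx and got an error.

If you are not very familiar with OpenShift SCCs, this is really not easy to solve in a short time.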


The error is as follows:



References:

https://docs.openshift.com/enterprise/3.2/admin_guide/manage_scc.html

https://github.com/openshift/openshift-docs/issues/1533 

Solution:

Grant a Service Account Access to the Privileged SCC

First, create a service account. For example, to create service account mysvcacct in project myproject:

$ oc create serviceaccount mysvcacct -n myproject

Then, add the service account to the privileged SCC.

$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct

Enable Images to Run with USER in the Dockerfile

To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:

  1. Grant all authenticated users access to the anyuid SCC:

    $ oadm policy add-scc-to-group anyuid system:authenticated

This allows images to run as the root UID if no USER is specified in the Dockerfile.







OpenShift cannot run nginx

the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2

2016/09/23 15:58:10 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

 

https://github.com/minishift/minishift/issues/105

I solved this last issue by doing this:

$ oc edit scc anyuid

and add:

users:
- system:serviceaccount:default:default
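
As an added example (not from the original post or the OpenShift docs): a small Python check over the output of `oc get scc -o json` that flags the three kinds of grant shown above, so you can see which subjects end up able to run as root or privileged. The sample JSON is constructed and trimmed to the fields used; the function name `audit_scc_grants` and the `BROAD_GROUPS` list are this example's own choices.

```python
import json

# Constructed sample in the shape of `oc get scc -o json` (trimmed to the
# fields used here); it mirrors the three grants shown in this post.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true,
  "runAsUser": {"type": "RunAsAny"},
  "users": ["system:serviceaccount:myproject:mysvcacct"],
  "groups": ["system:cluster-admins"]},
 {"metadata": {"name": "anyuid"}, "allowPrivilegedContainer": false,
  "runAsUser": {"type": "RunAsAny"},
  "users": ["system:serviceaccount:default:default"],
  "groups": ["system:cluster-admins", "system:authenticated"]},
 {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": false,
  "runAsUser": {"type": "MustRunAsRange"},
  "users": [], "groups": ["system:authenticated"]}
]}
""")

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def audit_scc_grants(scc_list):
    """Return (scc, subject, reason) for grants that widen root/privileged access."""
    findings = []
    for scc in scc_list.get("items", []):
        name = scc["metadata"]["name"]
        privileged = bool(scc.get("allowPrivilegedContainer"))
        any_uid = (scc.get("runAsUser") or {}).get("type") == "RunAsAny"
        if not (privileged or any_uid):
            continue  # SCC allows neither root nor privileged mode; skip it
        power = "privileged containers" if privileged else "any UID including root"
        for group in scc.get("groups") or []:
            if group in BROAD_GROUPS or group.startswith("system:serviceaccounts:"):
                findings.append((name, group, f"group-wide grant of {power}"))
        for user in scc.get("users") or []:
            parts = user.split(":")
            # Service account subjects look like system:serviceaccount:<project>:<name>
            if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
                if parts[3] == "default":
                    findings.append((name, user,
                        f"default SA: every pod in '{parts[2]}' without an explicit SA gets {power}"))
                elif privileged:
                    findings.append((name, user, f"dedicated SA holds {power}; confirm it is needed"))
    return findings

if __name__ == "__main__":
    for finding in audit_scc_grants(SAMPLE):
        print(" | ".join(finding))
```

On a real cluster, feed it `json.load(sys.stdin)` from `oc get scc -o json`. A dedicated service account referenced only by the one dc that needs it keeps the grant narrower than a group or a project's default service account.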
