#81 bgoncalv - no permission to access privileged container on fedora-ci-jenkins-prod
Closed: Fixed 3 years ago by dkirwan. Opened 3 years ago by bgoncalv.

On https://console-openshift-console.apps.ocp.ci.centos.org within the fedora-ci-jenkins-prod project we are able to create privileged containers, but it looks like I don't have permission to connect to them using either the web UI or the oc tool.

I get errors such as:

Error from server (Forbidden): pods "fedora-scratch-build-pipeline-508-rc0h8-d36wq-t1q44" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods "fedora-scratch-build-pipeline-508-rc0h8-d36wq-t1q44" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed

This makes it harder to debug some problems with our jobs.


Metadata Update from @dkirwan:
- Issue assigned to dkirwan

3 years ago

@bgoncalv can you try authenticating with the service account as mentioned on IRC? Try the following:

oc sa get-token <service-account-name>
TOKEN

oc login https://api.ocp.ci.centos.org:6443 --token=TOKEN

Metadata Update from @dkirwan:
- Issue priority set to: None (was: Needs Review)
- Issue tagged with: centos-ci-infra, low-gain, low-trouble

3 years ago

thanks, I'm able to connect to the container after logging in with the SA

I had to also provide view access to the service account.

oc policy add-role-to-user view system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME

Metadata Update from @dkirwan:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago


Metadata
Boards 1
CentOS CI Infra Status: Done