While trying to launch kubevirt containers in OpenShift, I continually tripped over problems regarding authorization.
Most looked like this:
message: 'unable to create pods: pods "libvirt-3407864139-" is forbidden: unable
to validate against any security context constraint: [spec.securityContext.hostNetwork:
Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used spec.securityContext.hostIPC:
Invalid value: true: Host IPC is not allowed to be used securityContext.runAsUser:
Invalid value: 0: UID on container libvirtd does not match required range. Found
0, required min: 1000060000 max: 1000069999 spec.containers[0].securityContext.privileged:
Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[2]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[3]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[4]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.hostNetwork:
Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.containers[0].hostPort:
Invalid value: 16509: Host ports are not allowed to be used spec.containers[0].securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.hostIPC:
Invalid value: true: Host IPC is not allowed to be used securityContext.runAsUser:
Invalid value: 0: UID on container virtlogd does not match required range. Found
0, required min: 1000060000 max: 1000069999 spec.containers[1].securityContext.volumes[0]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[1]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[2]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[3]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[4]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.hostNetwork:
Invalid value: true: Host network is not allowed to be used spec.containers[1].securityContext.containers[0].hostPort:
Invalid value: 16509: Host ports are not allowed to be used spec.containers[1].securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used spec.containers[1].securityContext.hostIPC:
Invalid value: true: Host IPC is not allowed to be used]'
I was scratching my head because I had granted my user the appropriate security context constraint (SCC):
oc adm policy add-scc-to-user privileged -nkubevirt -z ayoung
But it turns out that was not the right user to specify. What I really needed was the service account that Kubernetes uses to actually run the pod.
I could specifically create a service account and grant it the appropriate security context constraint like this (as the admin service user):
oc create serviceaccount -n kubevirt privilegeduser
oc adm policy add-scc-to-user privileged -nkubevirt -z privilegeduser
and then add the following to the pod declaration:
serviceAccountName: privilegeduser
Or, I could grant the SCC to the default service account, which pods in that namespace use unless they name another one (as the admin service user):
oc adm policy add-scc-to-user privileged -nkubevirt -z default
Both of these allow me to successfully launch pods where the containers use host networking and other privileged operations.
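To make the point concrete, here is an added example (my own code, not from the post, kubevirt or OpenShift) that models SCC admission locally: it walks a pod spec, reports the same classes of restricted-SCC violations the error above lists (host network/PID/IPC, hostPath volumes, privileged containers, out-of-range UIDs, host ports), and then decides admission by looking at the pod's service account rather than the human who ran `oc`. The admission rule is a deliberate simplification (assumed: the pod is admitted if its service account holds the privileged SCC, otherwise it must satisfy the restricted constraints), and the UID range and the libvirt pod spec are constructed from the values quoted in the error text.

```python
# Added example: local pre-flight check of a pod spec against restricted-SCC
# constraints, plus a simplified model of which account the SCC grant must go to.
# Not the post's or OpenShift's own code; the UID range is the one in the error.

UID_MIN, UID_MAX = 1000060000, 1000069999


def restricted_violations(spec, uid_min=UID_MIN, uid_max=UID_MAX):
    """Return a list of restricted-SCC violations for a pod spec given as a dict."""
    v = []
    # Pod-level host namespace flags
    for flag, label in (("hostNetwork", "Host network"),
                        ("hostPID", "Host PID"),
                        ("hostIPC", "Host IPC")):
        if spec.get(flag):
            v.append(f"spec.{flag}: {label} is not allowed to be used")
    # Pod-level volumes: any hostPath volume is rejected
    for i, vol in enumerate(spec.get("volumes", [])):
        if "hostPath" in vol:
            v.append(f"spec.volumes[{i}]: hostPath volumes are not allowed to be used")
    pod_uid = spec.get("securityContext", {}).get("runAsUser")
    for i, c in enumerate(spec.get("containers", [])):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"spec.containers[{i}].securityContext.privileged: "
                     "Privileged containers are not allowed")
        # A container inherits the pod-level runAsUser unless it sets its own;
        # an explicit UID outside the namespace's range is rejected.
        uid = sc.get("runAsUser", pod_uid)
        if uid is not None and not (uid_min <= uid <= uid_max):
            v.append(f"UID on container {c['name']} does not match required range. "
                     f"Found {uid}, required min: {uid_min} max: {uid_max}")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                v.append(f"spec.containers[{i}] hostPort {p['hostPort']}: "
                         "Host ports are not allowed to be used")
    return v


def admitted(spec, privileged_accounts):
    """Simplified SCC admission (an assumption of this example): the pod passes if
    the service account it runs as holds the privileged SCC; otherwise it must
    satisfy the restricted constraints. Returns (ok, violations)."""
    sa = spec.get("serviceAccountName", "default")
    if sa in privileged_accounts:
        return True, []
    v = restricted_violations(spec)
    return not v, v


# Constructed pod spec mirroring the libvirt pod described by the error message.
LIBVIRT_POD = {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "securityContext": {"runAsUser": 0},
    "volumes": [{"name": f"host{i}", "hostPath": {"path": f"/var/run/host{i}"}}
                for i in range(5)],
    "containers": [
        {"name": "libvirtd",
         "securityContext": {"privileged": True},
         "ports": [{"containerPort": 16509, "hostPort": 16509}]},
        {"name": "virtlogd"},
    ],
}

if __name__ == "__main__":
    # SCC granted only to the human user: the pod still runs as 'default' and fails.
    ok, why = admitted(LIBVIRT_POD, privileged_accounts={"ayoung"})
    print("granted to user ayoung ->", "admitted" if ok else f"forbidden ({len(why)} violations)")
    for line in why:
        print("  ", line)
    # SCC granted to the pod's own service account: admitted.
    pod = dict(LIBVIRT_POD, serviceAccountName="privilegeduser")
    ok, _ = admitted(pod, privileged_accounts={"privilegeduser"})
    print("granted to serviceaccount privilegeduser ->", "admitted" if ok else "forbidden")
```

Running it reproduces the shape of the failure in the post: with the privileged SCC bound to the user alone, the libvirt pod collects twelve violations, while binding it to either the `default` service account or a dedicated `privilegeduser` account named in `serviceAccountName` lets the same spec through. The check is also useful in the other direction, as a way to see which fields a pod needs to drop before it can run under the restricted SCC instead of being handed the privileged one.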
I’d be interested to see a write up on installing/using kubevirt and your experience/thoughts on it?
Working on it. Trying to work out all of the bugs on installing it on OpenShift first.
Thanks for posting this!
Thanks a lot!
Thanks this worked (oc adm policy add-scc-to-user privileged -nkubevirt -z default)