Creating a privileged container in OpenShift

While trying to launch kubevirt containers in OpenShift, I continually tripped over problems regarding authorization.

Most looked like this:

 message: 'unable to create pods: pods "libvirt-3407864139-" is forbidden: unable
 to validate against any security context constraint: [spec.securityContext.hostNetwork:
 Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID:
 Invalid value: true: Host PID is not allowed to be used spec.securityContext.hostIPC:
 Invalid value: true: Host IPC is not allowed to be used securityContext.runAsUser:
 Invalid value: 0: UID on container libvirtd does not match required range. Found
 0, required min: 1000060000 max: 1000069999 spec.containers[0].securityContext.privileged:
 Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[2]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[3]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[4]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.hostNetwork:
 Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.containers[0].hostPort:
 Invalid value: 16509: Host ports are not allowed to be used spec.containers[0].securityContext.hostPID:
 Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.hostIPC:
 Invalid value: true: Host IPC is not allowed to be used securityContext.runAsUser:
 Invalid value: 0: UID on container virtlogd does not match required range. Found
 0, required min: 1000060000 max: 1000069999 spec.containers[1].securityContext.volumes[0]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[1]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[2]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[3]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.volumes[4]:
 Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[1].securityContext.hostNetwork:
 Invalid value: true: Host network is not allowed to be used spec.containers[1].securityContext.containers[0].hostPort:
 Invalid value: 16509: Host ports are not allowed to be used spec.containers[1].securityContext.hostPID:
 Invalid value: true: Host PID is not allowed to be used spec.containers[1].securityContext.hostIPC:
 Invalid value: true: Host IPC is not allowed to be used]'

I was scratching my head because I had granted my user the appropriate security context:

oc adm policy add-scc-to-user privileged -nkubevirt -z ayoung

But it turns out that was not the right user to specify. What I really needed was the service account that Kubernetes uses to actually run the pod.

I could specifically create a service account and grant it the appropriate security context like this (as the admin service user):

oc create serviceaccount -n kubevirt privilegeduser
oc adm policy add-scc-to-user privileged -nkubevirt -z privilegeduser

and then add the following to the pod declaration:

serviceAccountName: privilegeduser

Or, I could grant the SCC to the default service account used for creating pods in that namespace (again as the admin service user):

oc adm policy add-scc-to-user privileged -nkubevirt -z default

Both of these allow me to successfully launch pods where the containers use host networking and other privileged operations.
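The error message above is the restricted SCC walking the pod spec field by field. As an added example (not code from the original post), the pre-flight check below does the same walk over a pod dict, so you can tell which fields the restricted SCC will reject, and therefore whether the pod's service account needs the `privileged` SCC, before running `oc create`. The pod spec is constructed to resemble the libvirt pod from the post; the UID range is the one quoted in the error text.

```python
from typing import Dict, List

# UID range taken from the error message in the post (restricted SCC, this namespace).
RESTRICTED_UID_MIN, RESTRICTED_UID_MAX = 1000060000, 1000069999


def validate_against_restricted(pod: Dict) -> List[str]:
    """Return the violations the restricted SCC would report for `pod`."""
    spec = pod.get("spec", {})
    errors: List[str] = []
    # Pod-level host namespace flags: each one grants node-level visibility.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            errors.append(f"spec.{flag}: Invalid value: true: not allowed")
    # hostPath volumes expose the node filesystem to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            errors.append(f"volume {vol['name']}: hostPath volumes are not allowed")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        uid = sc.get("runAsUser")
        if uid is not None and not RESTRICTED_UID_MIN <= uid <= RESTRICTED_UID_MAX:
            errors.append(f"container {c['name']}: UID {uid} outside required range")
        if sc.get("privileged"):
            errors.append(f"container {c['name']}: privileged containers are not allowed")
        for port in c.get("ports", []):
            if "hostPort" in port:
                errors.append(f"container {c['name']}: hostPort {port['hostPort']} not allowed")
    return errors


def needs_privileged_scc(pod: Dict) -> bool:
    """True when restricted would reject the pod, i.e. its serviceAccountName
    must be bound to a more permissive SCC (the post uses `privileged`)."""
    return bool(validate_against_restricted(pod))


# Constructed sample modelled on the failing libvirt pod from the post.
LIBVIRT_LIKE_POD = {
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "serviceAccountName": "privilegeduser",
        "volumes": [{"name": "libvirt-run", "hostPath": {"path": "/var/run/libvirt"}}],
        "containers": [
            {"name": "libvirtd", "securityContext": {"runAsUser": 0, "privileged": True},
             "ports": [{"hostPort": 16509, "containerPort": 16509}]},
            {"name": "virtlogd", "securityContext": {"runAsUser": 0}},
        ],
    }
}

if __name__ == "__main__":
    for err in validate_against_restricted(LIBVIRT_LIKE_POD):
        print(err)
```

Binding `privileged` to the `default` service account lets every pod in the namespace request these settings; a dedicated service account, as in the first option above, limits that to the pods that name it.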

5 thoughts on “Creating a privileged container in OpenShift”

  1. I’d be interested to see a write up on installing/using kubevirt and your experience/thoughts on it?

  2. Thanks this worked (oc adm policy add-scc-to-user privileged -nkubevirt -z default)
