[Repost] Fixing permission errors when running applications on OpenShift

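OpenShift adds the concept of SCC. SCC is short for security context constraints. Put simply, it is about authorization. The system has a large set of permissions, including permission to access a project, permission to access the API, and so on. After creating a new user, you grant them these permissions as appropriate. In demo-project, a project I had newly created, I created an nginx. It reported an error.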
References:

https://docs.openshift.com/enterprise/3.2/admin_guide/manage_scc.html
https://github.com/openshift/openshift-docs/issues/1533

Solution:
Grant a Service Account Access to the Privileged SCC

First, create a service account. For example, to create service account mysvcacct in project myproject:

$ oc create serviceaccount mysvcacct -n myproject

Then, add the service account to the privileged SCC.

$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct

Enable Images to Run with USER in the Dockerfile
To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:

Grant all authenticated users access to the anyuid SCC:

$ oadm policy add-scc-to-group anyuid system:authenticated

– This allows images to run as the root UID if no USER is specified in the Dockerfile.


Reposted from blog.csdn.net/qq_31977125/article/details/82896229