Bug 1314260

Summary: Not able to login fluentd pod by "oc rsh" command
Product: OKD Reporter: Xia Zhao <xiazhao>
Component: LoggingAssignee: Luke Meyer <lmeyer>
Status: CLOSED CURRENTRELEASE QA Contact: chunchen <chunchen>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs, ewolinet, wsun, xiazhao
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-12 17:11:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Comment 1 Xia Zhao 2016-03-03 10:12:31 UTC 
More info:
1. I meant to log in the same fluentd container with "docker exec" command from docker backend in #1 of "Additional info:"
2. The other logging pods are all accessible by "oc rsh"
3. I already added this line in scc/privileged:
- system:serviceaccount:logging:aggregated-logging-fluentd
4. This test is done with cluster-admin role user
Comment 4 Luke Meyer 2016-03-03 15:37:16 UTC 
Eric created https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter/issues/16

@xia can you test with fluentd K8S_HOST_URL=https://kubernetes.default.svc.cluster.local/ ?
Comment 5 Xia Zhao 2016-03-04 07:13:22 UTC 
@lmeyer 
Adding K8S_HOST_URL=https://kubernetes.default.svc.cluster.local/ did not enable me to shell into fluentd pod. I added the project admin user name into scc/privileged and then I was able to oc rsh into fluentd pod. 

I'm not quiet sure about how the ability to shell into a pod related with these rules in privileged scc:

oc edit scc/privileged
allowEmptyDirVolumePlugin: true
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: null 

Seems we can add these info into the logging deployment doc to inform end user how should they do to enable themselves to shell into fluentd pod.
Comment 7 Xia Zhao 2016-03-07 06:34:06 UTC 
@ewolinet @lmeyer Sorry that I misunderstand you in my previous comment. Tested with K8S_HOST_URL=https://kubernetes.default.svc.cluster.local in fluentd deamonset and the error message "Connection refused" and error stacks in fluentd pod log disappeared.
Comment 8 Xia Zhao 2016-03-08 02:15:09 UTC 
Verified with latest images built from logging upstream. Closing as fixed.