Bug 1878573

Summary: Cannot use oc debug command with normal user
Product: OpenShift Container Platform
Reporter: wewang <wewang>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED NOTABUG
QA Contact: wewang <wewang>
Severity: low
Priority: low
Version: 4.6
CC: aos-bugs, jokerman, mfojtik
Target Milestone: ---
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-09-14 11:59:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description wewang 2020-09-14 02:11:44 UTC
Description of problem:
When using oc debug on a build pod, there is an error about "unable to validate against any security context constraint"

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-09-12-230035

How reproducible:
already 

Steps to Reproduce:
1. Log in to OpenShift as a normal user

2. Create an app
$ oc new-app openshift/ruby:2.5~https://github.com/openshift/ruby-hello-world

3. Debug into the build pod container
$ oc get pods
NAME                                READY   STATUS      RESTARTS   AGE
ruby-hello-world-1-build            0/1     Completed   0          2m53s
ruby-hello-world-74876787d7-xgqsz   1/1     Running     0          113s
$ oc debug pod/ruby-hello-world-1-build
Error from server (Forbidden): pods "ruby-hello-world-1-build-debug" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

Actual results:
Cannot log in to the build pod container

Expected results:
Should be able to log in to the build pod container

Additional info:
When using admin, there is no issue.

Comment 1 Maciej Szulik 2020-09-14 11:59:01 UTC
The error says it all:

Error from server (Forbidden): pods "ruby-hello-world-1-build-debug" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

As a regular user you can't use hostPath and that is being used during the build process. You need to have extended privilege access in OpenShift to be able to use hostPath mounts.
More info about it is here: https://docs.openshift.com/container-platform/4.5/storage/persistent_storage/persistent-storage-hostpath.html
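The rejection in Comment 1 can be reproduced locally against a pod spec. The following is an added Python example, not code from the bug report or from oc: it mirrors the two checks the error lists (hostPath volumes and privileged containers), shows that a debug pod copied from such a spec fails them for a regular user, and that the same spec passes only under an SCC that allows both. The pod spec, image and paths are constructed placeholders.

```python
import copy
from typing import Dict, List

# Constructed sample shaped like the build pod in the report: two hostPath
# volumes and one privileged container. Paths and image are placeholders.
BUILD_POD_SPEC: Dict = {
    "volumes": [
        {"name": "buildworkdir", "hostPath": {"path": "/PLACEHOLDER/workdir"}},
        {"name": "container-socket", "hostPath": {"path": "/PLACEHOLDER/socket"}},
    ],
    "containers": [
        {"name": "build", "image": "PLACEHOLDER/builder:latest",
         "securityContext": {"privileged": True}},
    ],
}

def debug_pod_spec(spec: Dict) -> Dict:
    """oc debug creates a copy of the target pod; as the error in the report
    shows, the copy keeps the original's volumes and securityContext."""
    return copy.deepcopy(spec)

def scc_violations(spec: Dict, allow_host_path: bool = False,
                   allow_privileged: bool = False) -> List[str]:
    """SCC-style error fragments for the two fields named in the report.
    Both flags False is what a regular user gets under the restricted SCC;
    an admin-granted SCC allowing hostPath and privileged sets both True."""
    errors: List[str] = []
    if not allow_host_path:
        for i, vol in enumerate(spec.get("volumes", [])):
            if "hostPath" in vol:
                errors.append(f'spec.volumes[{i}]: Invalid value: "hostPath": '
                              'hostPath volumes are not allowed to be used')
    if not allow_privileged:
        for i, ctr in enumerate(spec.get("containers", [])):
            if ctr.get("securityContext", {}).get("privileged") is True:
                errors.append(f'spec.containers[{i}].securityContext.privileged: '
                              'Invalid value: true: Privileged containers are not allowed')
    return errors

def forbidden_message(pod_name: str, errors: List[str]) -> str:
    """Format the list the way the API server reports it in the bug."""
    return (f'pods "{pod_name}" is forbidden: unable to validate against any '
            f'security context constraint: [{" ".join(errors)}]')

if __name__ == "__main__":
    debug = debug_pod_spec(BUILD_POD_SPEC)
    print(forbidden_message("ruby-hello-world-1-build-debug", scc_violations(debug)))
    # Under an SCC that allows both, the same spec passes: prints []
    print(scc_violations(debug, allow_host_path=True, allow_privileged=True))
```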