Description of problem:
The pod's Sgid was always 0, not corresponding to the project supplemental-groups range.

Version-Release number of selected component (if applicable):
oc v1.0.6-622-g47d1103
kubernetes v1.1.0-alpha.1-653-g86b4e77
AMI: qe_devenv-rhel7_2467

How reproducible:
always

Steps to Reproduce:
1. Create a new project and check the project info:

    oc new-project zhouy
    Now using project "zhouy" on server "https://localhost:8443".
    [root@ip-172-18-4-110 amd64]# oc get project zhouy -o json
    {
        "kind": "Project",
        "apiVersion": "v1",
        "metadata": {
            "name": "zhouy",
            "selfLink": "/oapi/v1/projects/zhouy",
            "uid": "2cf2573d-7302-11e5-bf1c-0e6de9bf13fb",
            "resourceVersion": "254",
            "creationTimestamp": "2015-10-15T06:01:28Z",
            "annotations": {
                "openshift.io/description": "",
                "openshift.io/display-name": "",
                "openshift.io/sa.scc.mcs": "s0:c6,c0",
                "openshift.io/sa.scc.supplemental-groups": "1000030000/10000",
                "openshift.io/sa.scc.uid-range": "1000030000/10000"
            }
        },
        "spec": {
            "finalizers": [
                "openshift.io/origin",
                "kubernetes"
            ]
        },
        "status": {
            "phase": "Active"
        }
    }

2. Create a pod that does not specify supplemental groups.
3. Create a pod that specifies the supplemental group id 1000030999.
4. Check the pod info.

Actual results:
After steps 2 and 3, the pod's Sgid was always 0:

    oc exec -p hello-pod id
    uid=1000030000 gid=0(root) groups=0(root)

Expected results:
If no supplemental group is specified, the default Sgid should be the minimum value of "openshift.io/sa.scc.supplemental-groups".
If a supplemental group is specified and it is within the range of "openshift.io/sa.scc.supplemental-groups", the Sgid should be the specified number.

Additional info:
Pod definition used (the securityContext key is spelled correctly here and placed at pod level, where supplementalGroups belongs):

    {
        "kind": "Pod",
        "apiVersion": "v1",
        "metadata": {
            "name": "hello-pod",
            "labels": {
                "name": "hello-pod"
            }
        },
        "spec": {
            "securityContext": {
                "supplementalGroups": [
                    1000030999
                ]
            },
            "containers": [
                {
                    "name": "hello-pod",
                    "image": "bmeng/hello-openshift",
                    "ports": [
                        {
                            "containerPort": 80
                        }
                    ]
                }
            ]
        }
    }
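As an added illustration, not code from OpenShift or from this report, of the defaulting and range check that the expected results describe: parse the project's `openshift.io/sa.scc.supplemental-groups` annotation (start/length) and resolve a pod's requested groups against it. The function names and the out-of-range sample id are my own.

```go
package main

import "fmt"

// parseRange parses an SCC range annotation of the form "<start>/<length>"
// (e.g. "1000030000/10000") and returns the inclusive [lo, hi] it covers.
func parseRange(annotation string) (int64, int64, error) {
	var start, length int64
	n, err := fmt.Sscanf(annotation, "%d/%d", &start, &length)
	if err != nil || n != 2 || length <= 0 {
		return 0, 0, fmt.Errorf("range %q is not of the form start/length", annotation)
	}
	return start, start + length - 1, nil
}

// resolveSupplementalGroups (hypothetical helper) applies the rule the report's
// expected results describe: no requested groups -> default to the range minimum;
// every requested group must lie inside the project range or the pod is rejected.
func resolveSupplementalGroups(annotation string, requested []int64) ([]int64, error) {
	lo, hi, err := parseRange(annotation)
	if err != nil {
		return nil, err
	}
	if len(requested) == 0 {
		return []int64{lo}, nil
	}
	for _, g := range requested {
		if g < lo || g > hi {
			return nil, fmt.Errorf("supplemental group %d is outside the project range %d-%d", g, lo, hi)
		}
	}
	return requested, nil
}

func main() {
	// Annotation value taken from the project in the report; the three requests are
	// constructed: unspecified, the report's in-range id, and an out-of-range id.
	const ann = "1000030000/10000"
	for _, req := range [][]int64{nil, {1000030999}, {1000040000}} {
		groups, err := resolveSupplementalGroups(ann, req)
		fmt.Printf("requested=%v -> groups=%v err=%v\n", req, groups, err)
	}
}
```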
I assume you were testing this with my branch that does the defaulting and assignment. Can you do a couple of things:

1. docker inspect <pod> and look for the add groups field and ensure it was passed along?
2. If the pod description is from oc get pod <name> post creation, it looks like the admission is working correctly.
3. Can you ensure you are testing with docker 1.8+ with the supplemental group patches (Sami - email below or Paul Morie can help with that)? If you are using an earlier version your docker will either ignore the add groups OR fail trying to look up /etc/groups.
The docker version is 1.7.1, so this should not be a bug.