Description of problem:
When sending an API POST for a PodSecurityPolicyReview with a specific serviceaccount which has been granted admin for the namespace, got "status": { "allowedServiceAccounts": null }.

Version-Release number of selected component (if applicable):
devenv-rhel7_5161

How reproducible:
wjiang

Steps to Reproduce:
1. Grant serviceaccount default as admin for the namespace.
2. Send an API POST for a PodSecurityPolicyReview (body saved as the file pspsr):

    {
      "kind": "PodSecurityPolicyReview",
      "apiVersion": "v1",
      "metadata": { "name": "pspsr" },
      "spec": {
        "template": {
          "spec": {
            "containers": [
              {
                "name": "hello-openshift",
                "image": "aosqe/hello-openshift",
                "ports": [ { "containerPort": 8080, "protocol": "TCP" } ],
                "resources": {},
                "volumeMounts": [ { "name": "tmp", "mountPath": "/tmp" } ],
                "terminationMessagePath": "/dev/termination-log",
                "imagePullPolicy": "IfNotPresent",
                "securityContext": { "capabilities": {}, "privileged": false }
              }
            ],
            "volumes": [ { "name": "tmp", "emptyDir": {} } ],
            "restartPolicy": "Always",
            "dnsPolicy": "ClusterFirst",
            "serviceAccountName": "default"
          }
        },
        "serviceAccountNames": [ "default" ]
      },
      "status": {}
    }

    curl -k -H "Authorization: Bearer `oc whoami -t`" "https://localhost:8443/oapi/v1/namespaces/wjiang/podsecuritypolicyreviews" -X POST -d @pspsr -H "Content-Type: application/json"

3. Check the returned JSON.

Actual results:

    {
      "kind": "PodSecurityPolicyReview",
      "apiVersion": "v1",
      "spec": {
        "template": {
          "metadata": { "creationTimestamp": null },
          "spec": {
            "volumes": [ { "name": "tmp", "emptyDir": {} } ],
            "containers": [
              {
                "name": "hello-openshift",
                "image": "aosqe/hello-openshift",
                "ports": [ { "containerPort": 8080, "protocol": "TCP" } ],
                "resources": {},
                "volumeMounts": [ { "name": "tmp", "mountPath": "/tmp" } ],
                "terminationMessagePath": "/dev/termination-log",
                "imagePullPolicy": "IfNotPresent",
                "securityContext": { "capabilities": {}, "privileged": false }
              }
            ],
            "restartPolicy": "Always",
            "terminationGracePeriodSeconds": 30,
            "dnsPolicy": "ClusterFirst",
            "serviceAccountName": "default",
            "serviceAccount": "default",
            "securityContext": {}
          }
        },
        "serviceAccountNames": [ "default" ]
      },
      "status": { "allowedServiceAccounts": null }
    }

Expected results:
The serviceaccount default should be in the allowedServiceAccounts list.

Additional info:
To keep consistent with other SAR endpoints, a user needs to specify both user and groups to get reasonable information back. [1] explicitly states that you need to specify both to get a proper answer in light of the username and the groups he's in.

[1] https://github.com/openshift/origin/blob/125ed10fa7103f46c5aa1593210ca0e1d417ea4b/pkg/security/api/types.go#L27-L29

I'm moving this back to ON_QA.
To properly verify which SCCs are applied, you first need to assign an SCC to the SA, e.g.:

    oadm policy add-scc-to-user restricted system:serviceaccount:<project name>:default

and then invoke the curl to PSPR, which should return that information. By default, the default SA contains only the secrets and tokens to pull images.
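An added example (not code from the bug report or from the origin project) that wraps the procedure from the comment above: build the same PodSecurityPolicyReview body the reporter posted, submit it, and read the status correctly. The status "allowedServiceAccounts": null that the report shows must be read as "no service account admitted", not as success, and a service account only appears in the list once an SCC admits the template. The response field names allowedBy and allowedBy.name for the admitting SCC are assumed here and are not shown on this page; both sample responses below are constructed for the example, the first copied from the reported output.

```python
import json
import urllib.request
from typing import Dict, List, Optional

# Pod template from the report's pspsr file (only the fields that matter here).
POD_SPEC = {
    "containers": [{
        "name": "hello-openshift",
        "image": "aosqe/hello-openshift",
        "ports": [{"containerPort": 8080, "protocol": "TCP"}],
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        "securityContext": {"capabilities": {}, "privileged": False},
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "serviceAccountName": "default",
}


def build_review(name: str, pod_spec: dict, service_accounts: List[str]) -> dict:
    """Request body for a PodSecurityPolicyReview: the pod template plus the
    service accounts it should be evaluated against. No 'status' is sent;
    the server fills it in."""
    return {
        "kind": "PodSecurityPolicyReview",
        "apiVersion": "v1",
        "metadata": {"name": name},
        "spec": {
            "template": {"spec": pod_spec},
            "serviceAccountNames": list(service_accounts),
        },
    }


def post_review(api_server: str, namespace: str, token: str, body: dict) -> dict:
    """Same call as the curl in the report; needs a live cluster, so it is
    not exercised offline."""
    url = f"{api_server}/oapi/v1/namespaces/{namespace}/podsecuritypolicyreviews"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:      # add an SSL context for -k
        return json.load(resp)


def allowed_by(review: dict) -> Dict[str, Optional[str]]:
    """Map every requested service account to the SCC that admits the
    template, or None. A null or missing allowedServiceAccounts (the symptom
    in this bug) yields None for every SA rather than being treated as a pass."""
    requested = review.get("spec", {}).get("serviceAccountNames", [])
    entries = (review.get("status") or {}).get("allowedServiceAccounts") or []
    result: Dict[str, Optional[str]] = {sa: None for sa in requested}
    for entry in entries:
        scc = (entry.get("allowedBy") or {}).get("name")   # assumed field names
        result[entry.get("name")] = scc
    return result


def unadmitted(review: dict) -> List[str]:
    """Service accounts that no SCC admits; empty means the check passed."""
    return [sa for sa, scc in allowed_by(review).items() if scc is None]


# Constructed sample: the status actually returned in the report.
REPORTED_RESPONSE = {
    "kind": "PodSecurityPolicyReview", "apiVersion": "v1",
    "spec": {"template": {"spec": POD_SPEC}, "serviceAccountNames": ["default"]},
    "status": {"allowedServiceAccounts": None},
}

# Constructed sample: what the review is expected to look like after
# 'oadm policy add-scc-to-user restricted system:serviceaccount:wjiang:default'.
AFTER_SCC_RESPONSE = {
    "kind": "PodSecurityPolicyReview", "apiVersion": "v1",
    "spec": {"template": {"spec": POD_SPEC}, "serviceAccountNames": ["default"]},
    "status": {"allowedServiceAccounts": [{
        "name": "default", "namespace": "wjiang",
        "allowedBy": {"kind": "SecurityContextConstraints", "name": "restricted"},
    }]},
}


if __name__ == "__main__":
    print(json.dumps(build_review("pspsr", POD_SPEC, ["default"]), indent=2))
    print("reported:", allowed_by(REPORTED_RESPONSE), "missing:", unadmitted(REPORTED_RESPONSE))
    print("after SCC:", allowed_by(AFTER_SCC_RESPONSE), "missing:", unadmitted(AFTER_SCC_RESPONSE))
```

Against a cluster, run the oadm command from the comment first, then post_review("https://localhost:8443", "wjiang", token, build_review("pspsr", POD_SPEC, ["default"])) and check that unadmitted() is empty; if it still lists "default", no SCC admits the template for that SA.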
When specifying both user and groups, I could get reasonable information back.