Description of problem: cannot create a pod with the projected volume plugin after 'oc login'; the pod can be created successfully after adding 'projected' to the scc/restricted volume policy.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.6.67
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://host-8-174-4.host.centralci.eng.rdu2.redhat.com:8443
openshift v3.6.67
kubernetes v1.6.1+5115d708d

How reproducible: Always

Steps to Reproduce:
1. Log in with `oc login --server`, and create a new project.
2. Create a secret and a configmap with the yaml below:

$ cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  data-1: dmFsdWUtMQ0K
  data-2: dmFsdWUtMg0KDQo=

$ cat configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
data:
  special.how: very
  special.type: charm

3. Try to create a pod with an all-in-one volume:

# cat allinone-normal-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: allinone-normal
  labels:
    region: one
spec:
  containers:
  - name: allinone-normal
    image: redis
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: all-in-one
      mountPath: "/all-in-one"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: test-secret
          items:
          - key: data-1
            path: mysecret/my-username
          - key: data-2
            path: mysecret/my-passwd
      - downwardAPI:
          items:
          - path: mydapi/labels
            fieldRef:
              fieldPath: metadata.labels
          - path: mydapi/name
            fieldRef:
              fieldPath: metadata.name
          - path: mydapi/cpu_limit
            resourceFieldRef:
              containerName: allinone-normal
              resource: limits.cpu
              divisor: "1m"
      - configMap:
          name: special-config
          items:
          - key: special.how
            path: myconfigmap/shared-config
          - key: special.type
            path: myconfigmap/private-config

Actual results:
3. Pod creation failed.

$ oc create -f allinone-permission-mode-pod.yaml
Error from server (Forbidden): error when creating "allinone-permission-mode-pod.yaml": pods "allinone-permission-mode" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "projected": projected volumes are not allowed to be used]

Expected results:
3. Pod should be created successfully, and the secrets, configmap and downward API should be projected into the same volume with normal keys and paths.

Additional info:
Pod can be created successfully after adding 'projected' to the scc/restricted volume policy.

# oc get scc | grep "^restricted"
restricted   false   []   MustRunAs   MustRunAsRange   MustRunAs   RunAsAny   <none>   false   [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
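The following is an added example, not code from the bug report or from openshift/origin. It models the SCC volume-type check that produced the Forbidden error quoted above: an SCC carries an allow-list of volume plugin names (the bracketed list in the `oc get scc` output), and a pod is admitted under that SCC only if every volume it declares uses a listed plugin, or the list contains "*". The SCC lists, the trimmed pod dict and the function names are assumptions made for the example; the error text is copied from the report.

```python
# Added example (not from the bug report or openshift/origin): a minimal model
# of the SCC volume allow-list check behind the Forbidden error in this report.
from typing import Dict, List, Tuple

# Constructed: the restricted SCC's volume allow-list as reported before the
# fix (no "projected"), and the same list after the reporter added it by hand.
RESTRICTED_VOLUMES_BEFORE: List[str] = [
    "configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "secret",
]
RESTRICTED_VOLUMES_AFTER: List[str] = RESTRICTED_VOLUMES_BEFORE + ["projected"]

# Constructed: the volumes section of allinone-normal-pod.yaml as a dict,
# trimmed to what the check looks at (the plugin key of each volume).
ALL_IN_ONE_POD: Dict = {
    "metadata": {"name": "allinone-normal"},
    "spec": {
        "volumes": [
            {
                "name": "all-in-one",
                "projected": {
                    "sources": [
                        {"secret": {"name": "test-secret"}},
                        {"downwardAPI": {"items": []}},
                        {"configMap": {"name": "special-config"}},
                    ]
                },
            }
        ]
    },
}


def volume_type(volume: Dict) -> str:
    """Return the plugin name of one pod volume: the single key besides 'name'."""
    plugins = [key for key in volume if key != "name"]
    if len(plugins) != 1:
        raise ValueError(
            f"volume {volume.get('name')!r} must set exactly one plugin, got {plugins}"
        )
    return plugins[0]


def disallowed_volumes(pod: Dict, scc_volumes: List[str]) -> List[Tuple[int, str]]:
    """Return (index, plugin) for every pod volume the SCC allow-list rejects.

    "*" in the list admits any plugin. A projected volume is judged by its own
    plugin name, not by the secret/configMap/downwardAPI sources it bundles,
    which matches the report: each source type is on the list, yet the pod is
    rejected for "projected".
    """
    if "*" in scc_volumes:
        return []
    rejected: List[Tuple[int, str]] = []
    for index, volume in enumerate(pod["spec"].get("volumes", [])):
        plugin = volume_type(volume)
        if plugin not in scc_volumes:
            rejected.append((index, plugin))
    return rejected


def admission_errors(pod: Dict, scc_volumes: List[str]) -> List[str]:
    """Render the rejections in the wording the API server used in this report
    (the server reports a different field path; only the message is copied)."""
    return [
        f'spec.volumes[{index}]: Invalid value: "{plugin}": '
        f"{plugin} volumes are not allowed to be used"
        for index, plugin in disallowed_volumes(pod, scc_volumes)
    ]


if __name__ == "__main__":
    for label, volumes in (("before", RESTRICTED_VOLUMES_BEFORE),
                           ("after", RESTRICTED_VOLUMES_AFTER)):
        errors = admission_errors(ALL_IN_ONE_POD, volumes)
        print(f"restricted SCC {label} adding projected: {errors or 'pod admitted'}")
```

The report does not say how 'projected' was added to the restricted SCC; one way to do it (an assumption, not taken from the report) is a JSON patch such as `oc patch scc restricted --type=json -p '[{"op":"add","path":"/volumes/-","value":"projected"}]'`. Note that this widens the default SCC for every user it applies to, so the erratum linked at the end of this report, which ships the fixed policy, is the supported way to get projected volumes working rather than hand-editing the cluster's bootstrap SCCs.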
Double confirmed in online dev-preview-int, same issue. Changing bug to online.
I cut a patch for this: https://github.com/openshift/origin/pull/14136
Latest here: https://github.com/openshift/origin/pull/14147
Verified and passed on openshift v3.6.133
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188