Bug 1878573 - Cannot use oc debug command with normal user
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.6.0
Assignee: Maciej Szulik
QA Contact: wewang
Reported: 2020-09-14 02:11 UTC by wewang
Modified: 2020-09-14 11:59 UTC (History)

Last Closed: 2020-09-14 11:59:01 UTC

Description wewang 2020-09-14 02:11:44 UTC
Description of problem:
When using oc debug on a build pod, there is an error about "unable to validate against any security context constraint"

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-09-12-230035

How reproducible:
already 

Steps to Reproduce:
1. Log in to OpenShift as a normal user

2. Create an app
$ oc new-app openshift/ruby:2.5~https://github.com/openshift/ruby-hello-world

3. Run into the build pod container
$ oc get pods
NAME                                READY   STATUS      RESTARTS   AGE
ruby-hello-world-1-build            0/1     Completed   0          2m53s
ruby-hello-world-74876787d7-xgqsz   1/1     Running     0          113s
$ oc debug pod/ruby-hello-world-1-build
Error from server (Forbidden): pods "ruby-hello-world-1-build-debug" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

Actual results:
Cannot log in to the build pod container

Expected results:
Should be able to log in to the build pod container

Additional info:
If using admin, there is no issue.

Comment 1 Maciej Szulik 2020-09-14 11:59:01 UTC
The error says it all:

Error from server (Forbidden): pods "ruby-hello-world-1-build-debug" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

As a regular user you can't use hostPath and that is being used during the build process. You need to have extended privilege access in OpenShift to be able to use hostPath mounts. 
More info about it is here: https://docs.openshift.com/container-platform/4.5/storage/persistent_storage/persistent-storage-hostpath.html
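
Added example (not part of the bug report or of oc): a Python script that splits the Forbidden message quoted above into per-field SCC violations, showing that the debug copy of the build pod is rejected for two hostPath volumes and one privileged container. The function names are hypothetical, and entries are assumed to be separated by whitespace (optionally after a comma), as in the text pasted in this report.

```python
import re

# Error text copied verbatim from the report above.
ERROR = (
    'Error from server (Forbidden): pods "ruby-hello-world-1-build-debug" is forbidden: '
    'unable to validate against any security context constraint: '
    '[spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used '
    'spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used '
    'spec.containers[0].securityContext.privileged: Invalid value: true: '
    'Privileged containers are not allowed]'
)

MARKER = "unable to validate against any security context constraint: "
FIELD = r"spec(?:\.\w+(?:\[\d+\])?)+"
# One entry has the shape: <field path>: Invalid value: <value>: <reason>
# The reason runs until the next entry starts or the message ends.
ENTRY = re.compile(
    rf"(?P<field>{FIELD}): Invalid value: (?P<value>\S+): "
    rf"(?P<reason>.+?)(?=,?\s+{FIELD}: Invalid value: |$)"
)


def parse_scc_rejection(message):
    """Return [{field, value, reason}, ...]; [] if this is not an SCC rejection."""
    _, found, detail = message.partition(MARKER)
    if not found:
        return []
    detail = detail.strip()
    if detail.startswith("[") and detail.endswith("]"):
        detail = detail[1:-1]  # drop the brackets around the aggregated list
    return [
        {"field": m["field"], "value": m["value"].strip('"'), "reason": m["reason"].strip()}
        for m in ENTRY.finditer(detail)
    ]


def summarize(violations):
    """Group the offending pod-spec fields by the reason admission gave."""
    grouped = {}
    for v in violations:
        grouped.setdefault(v["reason"], []).append(v["field"])
    return grouped


if __name__ == "__main__":
    for reason, fields in summarize(parse_scc_rejection(ERROR)).items():
        print(f"{reason}: {', '.join(fields)}")
```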

