
Fixing permission errors when running an app on OpenShift

Understanding SCCs and service accounts

dc(sa) --> pod: when you define the DeploymentConfig (dc) you specify which service account (sa) it runs with, and a service account can in turn be added to an SCC (security context constraint).

https://blog.openshift.com/understanding-service-accounts-sccs/

Put simply, this is about authorization. The system has a large set of permissions, including permission to access a project, permission to call the API, and so on. After creating a new user, you grant them these permissions as appropriate. In the project I created, demo-project, I created an nginx deployment and it failed with an error.

If you are not familiar with OpenShift SCCs, this is genuinely hard to resolve quickly.

The error was as follows:


References:

https://docs.openshift.com/enterprise/3.2/admin_guide/manage_scc.html

https://github.com/openshift/openshift-docs/issues/1533

Solution:

Grant a Service Account Access to the Privileged SCC

First, create a service account. For example, to create service account mysvcacct in project myproject:

$ oc create serviceaccount mysvcacct -n myproject

Then, add the service account to the privileged SCC.

$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct

Enable Images to Run with USER in the Dockerfile

To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:

  1. Grant all authenticated users access to the anyuid SCC:

    $ oadm policy add-scc-to-group anyuid system:authenticated

This allows images to run as the root UID if no USER is specified in the Dockerfile.


nginx does not start on OpenShift

the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2

2016/09/23 15:58:10 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

I solved this last issue by doing this:

$ oc edit scc anyuid

and add:

users:
- system:serviceaccount:default:default
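After either of the grants above (a service account added to privileged or anyuid, or system:authenticated added to anyuid), the practical check is which SCC actually admitted the pod and who now holds the SCC. The helpers below are an added example, not part of the original post or the OpenShift docs; they work on captured `oc get ... -o yaml` output and use constructed sample documents, while the field names (the pod annotation openshift.io/scc and the SCC users/groups lists) are the real ones.

```shell
#!/bin/sh
# Added example: audit helpers for SCC admission, run against saved
# `oc get pod ... -o yaml` / `oc get scc ... -o yaml` output.

# Constructed sample: a pod in demo-project admitted by the restricted SCC,
# which is the situation that produces the nginx permission errors.
POD_YAML='apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: restricted
  name: nginx-1-abcde
  namespace: demo-project
spec:
  serviceAccountName: default'

# Constructed sample: the anyuid SCC after both fixes from the post
# (system:authenticated added as a group, default SA added as a user).
ANYUID_YAML='apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
- system:authenticated
users:
- system:serviceaccount:default:default'

# Print the SCC that admitted a pod, taken from its openshift.io/scc annotation.
pod_scc() {
  printf '%s\n' "$1" | sed -n 's/^ *openshift\.io\/scc: *//p' | head -n 1
}

# List every subject (users and groups) granted by an SCC document, one per
# line. Top-level keys are tracked so list items under other keys are ignored.
scc_subjects() {
  printf '%s\n' "$1" | awk '
    /^[^ -]/ { key = $1; sub(":", "", key) }
    /^- / && (key == "users" || key == "groups") { sub(/^- */, ""); print }'
}

# Succeeds when the SCC is granted to system:authenticated, i.e. to every
# logged-in user of the cluster rather than to one service account.
scc_is_broadly_granted() {
  scc_subjects "$1" | grep -qx 'system:authenticated'
}
```

Run `pod_scc "$(oc get pod <name> -n demo-project -o yaml)"` after a redeploy to confirm the pod moved off restricted; `scc_is_broadly_granted` flags the cluster-wide grant so it can be narrowed to a single service account once things work.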