PVC volumes are not allowed by default SCCs

[liggitt]

persistant volume claim volumes are not allowed by default SCCs

That results in errors like this:

Error creating: pods "postgresql-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "persistentVolumeClaim": persistentVolumeClaim volumes are not allowed to be used spec.containers[0].securityContext.volumes[0]: Invalid value: "persistentVolumeClaim": persistentVolumeClaim volumes are not allowed to be used]

Default allowed volumes should include persistentVolumeClaim

[smarterclayton]

We need to add a regular user PVC -> PV scenario to the test-end-to-end (so that merges are blocked on PVCs not working).

[jorgemoralespou]

In case someone steps into this issue and needs to workaround until the fix PR is merged:

Add persistentVolumeClaim to all the SCC volumes arrays.

[spolti]

Hi, is this bug related with this message: pods "docker-registry-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

?

[pweil-]

@spolti - this error would've been persistentVolumeClaim volumes are not allowed to be used. Host paths are restricted by default in most SCCs since they provide direct access to the host. If you need to grant access to an elevated SCC you may use the oadm policy add-scc-to-user <scc name> <user name>

[sdodson]

ETA on v1.1.6 for this?

[smarterclayton]

Waiting to see what problems people hit this morning. Might be this
afternoon.

On Mon, Apr 4, 2016 at 1:34 PM, Scott Dodson [email protected]
wrote:

ETA on v1.1.6 for this?

—
You are receiving this because you commented.
Reply to this email directly or view it on GitHub
#8297 (comment)

[spolti]

@pweil Thanks.