Add `privileged` SCC to SA in OpenShift DevStack

In containerized OpenShift deployments we're not attaching `privileged`
SCC to `kuryr-controller` SA created by DevStack plugin. This causes
kuryr-controller Deployment and kuryr-cni DaemonSet to fail as
`kuryr-controller` SA lacks permissions to run privileged containers.

This commit solves that by using `oadm` to attach the SCC to SA.

Change-Id: I2c827cd986a17e08c94558c852b4a225cfe057a6
Closes-Bug: 1759287
(cherry picked from commit 08ce565051)
Michał Dulko 2018-03-27 16:14:36 +02:00 committed by Luis Tomas Bolivar
parent a14520b83e
commit 5b9b4fcf66
1 changed files with 5 additions and 0 deletions

@ -143,6 +143,11 @@ function run_containerized_kuryr_resources {
/usr/local/bin/kubectl create -f \
"${k8s_data_dir}/service_account.yml" \
|| die $LINENO "Failed to create kuryr-kubernetes ServiceAccount."
if is_service_enabled openshift-master; then
# NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.
/usr/local/bin/oadm policy add-scc-to-user privileged -n kube-system -z kuryr-controller
fi
/usr/local/bin/kubectl create -f \
"${k8s_data_dir}/controller_deployment.yml" \
|| die $LINENO "Failed to create kuryr-kubernetes Deployment."
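
Review bot: The `oadm policy add-scc-to-user` call inside the `is_service_enabled openshift-master` branch has no failure check, while the `kubectl create` calls before and after it each end in `|| die $LINENO "..."`. If attaching the SCC fails, the script continues to create the Deployment and the pods fail later with the same permission error this change is meant to fix, far from the real cause. Suggest appending `|| die $LINENO "Failed to add privileged SCC to kuryr-controller ServiceAccount."` to that line. Because the grant lets the ServiceAccount run privileged containers, the NOTE comment could also record which workloads need it (the commit message names the kuryr-controller Deployment and the kuryr-cni DaemonSet), so the binding can be reviewed or narrowed later.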