additional permission steps in openshift for running applications #1084
/lgtm
@debianmaster @linsun Could you resolve the merge conflicts so we can push this PR in? Thanks.
I will send a PR in next 1-2 days
…On Thu, May 10, 2018 at 11:06 Martin Taillefer ***@***.***> wrote:
@debianmaster <https://github.com/debianmaster> @linsun
<https://github.com/linsun> Could you resolve the merge conflicts so we
can push this PR in?
Thanks.
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system | ||
``` | ||
|
||
```bash |
Please use command instead of bash, and put a $ in front of each command-line.
sure.
Service account that runs application pods need privileged security context constraints as part of sidecar injection. | ||
|
||
```command | ||
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace> | ||
``` | ||
|
||
Note:- Check for selinux [discussion](https://github.com/istio/issues/issues/34) w.r.t istio in case you see issues bringing up envoy sidecar. |
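Review bot: the `oc adm policy add-scc-to-user privileged -z default -n <target-namespace>` step grants the `privileged` SCC to the namespace's `default` service account, which is the account used by any pod that does not name one, so the grant covers more than the workloads that get a sidecar. The sentence above the command should say that explicitly, and it would help to state which part of sidecar injection needs the privilege so readers can decide whether to scope the grant to a dedicated service account instead of `default`.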
istio -> Istio
w.r.t -> with respect to
bringing up envoy -> bringing up the Envoy
Thanks, I will keep this in mind for next time.
Please ping when all comments are resolved. Thanks.
Issues should be fixed now.
@linsun can you please verify now. test failed on
@linsun gentle reminder
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: debianmaster, linsun The full list of commands accepted by this bot can be found here. The pull request process is described here
Can you check why test failed in circle?
Also update branch :)
* zh-translation: /blog/2018/egress-monitoring-access-control (#1024)
* fix path
* fix path for blog
* fix path for metrics
* fix path
* add anchor
* fix anchor
* delayering-istio (#1034)
* incremental-traffic-management (#1101)
* fix error
* fix anchor
* traffix (#1056)
* routing (#1080)
* twitch (#1084)
* aws-nlb (#1085)
For Istio on OpenShift, workloads/addons needed additional permissions to run Istio pods with uid 0.
Due to changes in the latest Istio release, service account names are changed as follows:
istio-grafana-service-account to grafana
istio-prometheus-service-account to prometheus
This commit updates the OpenShift-related setup steps to the latest service account names.
Also, by default OpenShift denies privileged containers, which are needed as part of sidecar deployment; hence, to bypass that error:
oc adm policy add-scc-to-user privileged -z default -n <target-namespace>