I'm trying to run an elasticsearch container in my openshift project.
I got errors:
    Privileged containers are not allowed
    capabilities.add: Invalid value: "IPC_LOCK": capability may not be added
    capabilities.add: Invalid value: "SYS_RESOURCE": capability may not be added
I've found out that you need to add the privileged scc to the user account (or create your own dedicated one).
I've tried to follow the docs at https://docs.openshift.com/container-platform/3.4/admin_guide/manage_scc.html where the following commands are given:
    oc create serviceaccount mysvcacct -n myproject
    oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct
However, not a single clue is given as to what mysvcacct is and why it is called mysvcacct.
Because my project is called logging, I've tried the following:
    oc create serviceaccount logging -n logging
    oc adm policy add-scc-to-user privileged system:serviceaccount:logging:logging
but it didn't change anything. I keep getting the same error.
What am I missing there? What name should I use instead of mysvcacct?
FYI, I introduce the example of yaml format.
ServiceAccount name using oc patch dc/your-deploymentConfigName cmd as follows.
    # oc patch dc/elasticsearch --patch '{"spec":{"template":{"spec":{"serviceAccountName": "logging"}}}}'
oc edit dc/your-deploymentConfigName, take a look around serviceAccountName.
    # oc edit dc/elasticsearch
    ...
        spec:
          containers:
          - image: docker-registry.default.svc:5000/test/...
            imagePullPolicy: Always
            name: web
            ports:
            - containerPort: 8080
              protocol: TCP
            resources: {}
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          serviceAccount: logging
          serviceAccountName: logging
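
The point of the answer above, as an added example that is not part of the original question or answer: an SCC granted to system:serviceaccount:logging:logging has no effect until the pod template actually names that service account, because a pod that names none runs as "default". The JSON and the users list below are constructed samples, the function names are hypothetical, and the check is a simplification that looks only at the SCC's users list, not its groups.

```python
import json

# Constructed sample: a trimmed DeploymentConfig, shaped like `oc get dc/elasticsearch -o json`.
DC_JSON = """
{"metadata": {"name": "elasticsearch", "namespace": "logging"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "elasticsearch",
                   "securityContext": {"privileged": true,
                       "capabilities": {"add": ["IPC_LOCK", "SYS_RESOURCE"]}}}]}}}}
"""
# Constructed sample: users of the privileged SCC after the question's add-scc-to-user command.
SCC_USERS = ["system:serviceaccount:logging:logging"]


def effective_subject(dc):
    """Return the user name the pods of this DeploymentConfig run as."""
    pod = dc["spec"]["template"]["spec"]
    # A pod template that names no service account runs as "default" in its namespace.
    sa = pod.get("serviceAccountName") or pod.get("serviceAccount") or "default"
    return "system:serviceaccount:%s:%s" % (dc["metadata"]["namespace"], sa)


def requested_privileges(dc):
    """Collect the privileged flag and added capabilities the containers ask for."""
    wanted = set()
    for container in dc["spec"]["template"]["spec"]["containers"]:
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            wanted.add("privileged")
        wanted.update((sc.get("capabilities") or {}).get("add") or [])
    return sorted(wanted)


def diagnose(dc, scc_users):
    """Report who the pod runs as, what it requests, and whether the SCC lists that user."""
    subject = effective_subject(dc)
    return {"subject": subject,
            "requests": requested_privileges(dc),
            "granted": subject in scc_users}


def patched(dc, sa_name):
    """Return a copy of dc with serviceAccountName set, mirroring the oc patch command."""
    fixed = json.loads(json.dumps(dc))
    fixed["spec"]["template"]["spec"]["serviceAccountName"] = sa_name
    return fixed


if __name__ == "__main__":
    dc = json.loads(DC_JSON)
    print(diagnose(dc, SCC_USERS))
    print(diagnose(patched(dc, "logging"), SCC_USERS))
```

Against a real cluster the same inputs would come from the DeploymentConfig and the SCC object themselves instead of the constructed samples.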