OpenShift - Resolve "hostPath volumes are not allowed to be used"

Let's say you update a deployment so that its container mounts a directory from the node's filesystem (a hostPath volume).

~]$ oc set volume deployment my-deployment --add --type hostPath --path /usr/local/my-files
info: Generated volume name: volume-879rj
deployment.apps/my-deployment volume updated


The deployment update itself is accepted (the SCC check happens when a pod is created, not when the Deployment is edited), but no new pod comes up, and the ReplicaSet's FailedCreate events report the following.

forbidden: 
unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used


This occurs when the pod is admitted under a Security Context Constraint (SCC) that does not allow hostPath volumes. For a pod created by a controller such as a Deployment, the SCCs considered are those granted to the pod's service account (directly, or through a user or group that includes it). In this example the deployment runs as Service Account my-service-account, and my-service-account is admitted by the anyuid Security Context Constraint.

~]# oc get deployment my-deployment --output yaml | oc adm policy scc-review --filename - 
RESOURCE                    SERVICE ACCOUNT       ALLOWED BY         
Deployment/my-deployment    my-service-account    anyuid


The anyuid Security Context Constraint does not allow host directories to be mounted (allowHostDirVolumePlugin is false and hostPath is not in its volumes list). The built-in SCCs differ as follows; only hostmount-anyuid and privileged permit hostPath.

  • anyuid - Same as the "restricted" Security Context Constraint but allows a pod to be run by any UID or GID.
  • hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • hostmount-anyuid - Same as the "restricted" Security Context Constraint but allows host mounts and running as any UID and any GID on the system.
  • hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • nonroot - Same as the "restricted" Security Context Constraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
  • privileged - Allows:
    • Users to run privileged pods
    • Pods to mount host directories as volumes
    • Pods to run as any user
    • Pods to run with any MCS label
    • Pods to use the host’s IPC namespace
    • Pods to use the host’s PID namespace
    • Pods to use any FSGroup
    • Pods to use any supplemental group
    • Pods to use any seccomp profiles
    • Pods to request any capabilities
  • restricted - Denies access to all host features and requires pods to be run with a UID and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and is used by default for authenticated users (on OpenShift 4.11 and later the default is the stricter restricted-v2; restricted remains available).
    • Pods cannot run as privileged
    • Pods cannot mount host directory volumes
    • Requires that a pod is run as a user in a pre-allocated range of UIDs
    • Requires that a pod is run with a pre-allocated MCS label
    • Allows pods to use any FSGroup
    • Allows pods to use any supplemental group
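Resolving the error comes down to admitting the pod under an SCC whose volumes list includes hostPath, granted to the service account only (not to system:authenticated). Two things are worth keeping in mind: an SCC only decides whether hostPath is allowed at all, not which host paths may be mounted, so a writable hostPath is effectively node access and should be read-only wherever possible; and a pod must validate against a single SCC, so granting anyuid plus a hostPath-only SCC does not combine into "anyuid with hostPath" (that is what hostmount-anyuid is). The script below is an added example, not code from the original article. It assumes the namespace my-project and the custom SCC name restricted-hostpath (neither appears in the article) and reuses the article's my-deployment and my-service-account; by default it only prints the custom SCC manifest and touches the cluster only when given an explicit action.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: namespace
# "my-project" and custom SCC "restricted-hostpath"; override via the environment.
set -eu

NAMESPACE="${NAMESPACE:-my-project}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-my-service-account}"
DEPLOYMENT="${DEPLOYMENT:-my-deployment}"
SCC_NAME="${SCC_NAME:-restricted-hostpath}"

# Confirm the cause: which SCC currently admits the deployment's pod spec, and the
# FailedCreate events the ReplicaSet emits while the hostPath volume is rejected.
show_cause() {
  oc get deployment "${DEPLOYMENT}" -n "${NAMESPACE}" -o yaml | oc adm policy scc-review -f -
  oc get events -n "${NAMESPACE}" --field-selector reason=FailedCreate
}

# Option 1: the workload really needs an arbitrary UID (it is on anyuid today).
# hostmount-anyuid is the least powerful built-in SCC that also allows hostPath;
# grant it to this service account only, and do not reach for privileged.
grant_builtin_scc() {
  oc adm policy add-scc-to-user hostmount-anyuid -z "${SERVICE_ACCOUNT}" -n "${NAMESPACE}"
}

# Option 2: the workload can run in the namespace's allocated UID/MCS range, so
# give it a custom SCC that adds hostPath to a minimum-privilege posture and
# nothing else (capabilities dropped as in restricted-v2).
custom_scc_manifest() {
  cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
allowHostDirVolumePlugin: true   # the setting the error message is about
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange           # UID from the namespace's pre-allocated range
seLinuxContext:
  type: MustRunAs                # MCS label allocated to the namespace
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
readOnlyRootFilesystem: false
users: []
groups: []
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
EOF
}

apply_custom_scc() {
  custom_scc_manifest | oc apply -f -
  oc adm policy add-scc-to-user "${SCC_NAME}" -z "${SERVICE_ACCOUNT}" -n "${NAMESPACE}"
}

# Verify before waiting on a rollout: can this service account create the pod spec now?
verify() {
  oc get deployment "${DEPLOYMENT}" -n "${NAMESPACE}" -o yaml \
    | oc adm policy scc-subject-review -z "${SERVICE_ACCOUNT}" -n "${NAMESPACE}" -f -
}

# Default action prints the manifest; cluster-changing actions must be asked for.
case "${1:-manifest}" in
  manifest) custom_scc_manifest ;;
  cause)    show_cause ;;
  builtin)  grant_builtin_scc && verify ;;
  custom)   apply_custom_scc && verify ;;
  *) echo "usage: $0 [manifest|cause|builtin|custom]" >&2; exit 2 ;;
esac
```

Whichever option you pick, set readOnly: true on the hostPath volumeMount in the pod spec unless the container genuinely has to write to the node, and re-run the scc-review step afterwards: the ALLOWED BY column should now name hostmount-anyuid or the custom SCC rather than anyuid.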


