admission denies cluster-admin from exec into build pod #16092

Closed
stevekuznetsov opened this issue Aug 31, 2017 · 31 comments
stevekuznetsov commented Aug 31, 2017

Trying to oc exec into a build pod I see this:

Error from server (Forbidden): pods "kube-state-metrics-binary-10-build" is forbidden:
  exec operation is not allowed because the pod's security context exceeds your permissions:
    pods "kube-state-metrics-binary-10-build" is forbidden:
      unable to validate against any security context constraint: [
        provider restricted: .spec.initContainers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
        provider restricted: .spec.initContainers[1].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
        provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
        provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
      ]

Running on the CI cluster:

$ oc version
oc v3.7.0-alpha.0+ff11ac6-545
kubernetes v1.7.0+695f48a16f
features: Basic-Auth

Server https://api.ci.openshift.org:443
openshift v3.7.0-alpha.1+70fcade-21
kubernetes v1.7.0+695f48a16f

oc get scc

apiVersion: v1
items:
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: RunAsAny
  groups:
  - system:cluster-admins
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: anyuid provides all features of the restricted SCC
        but allows users to run with any UID and any GID.
    creationTimestamp: null
    name: anyuid
  priority: 10
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - MKNOD
  - SYS_CHROOT
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: MustRunAs
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'hostaccess allows access to all host namespaces
        but still requires pods to be run with a UID and SELinux context that are
        allocated to the namespace. WARNING: this SCC allows host access to namespaces,
        file systems, and PIDS.  It should only be used by trusted pods.  Grant with
        caution.'
    creationTimestamp: null
    name: hostaccess
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities: []
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: RunAsAny
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'hostmount-anyuid provides all the features of the
        restricted SCC but allows host mounts and any UID by a pod.  This is primarily
        used by the persistent volume recycler. WARNING: this SCC allows host file
        system access as any UID, including UID 0.  Grant with caution.'
    creationTimestamp: null
    name: hostmount-anyuid
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities: []
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users:
  - system:serviceaccount:openshift-infra:pv-recycler-controller
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - nfs
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: true
  allowHostPID: false
  allowHostPorts: true
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: MustRunAs
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: hostnetwork allows using host networking and host
        ports but still requires pods to be run with a UID and SELinux context that
        are allocated to the namespace.
    creationTimestamp: null
    name: hostnetwork
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SYS_CHROOT
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: MustRunAs
  users:
  - system:serviceaccount:default:router
  - system:serviceaccount:default:registry
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: RunAsAny
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: nonroot provides all features of the restricted SCC
        but allows users to run with any non-root UID.  The user must specify the
        UID or it must be specified on the by the manifest of the container runtime.
    creationTimestamp: null
    name: nonroot
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities: []
  runAsUser:
    type: MustRunAsNonRoot
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegedContainer: true
  allowedCapabilities:
  - '*'
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: RunAsAny
  groups:
  - system:cluster-admins
  - system:nodes
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'privileged allows access to all privileged and host
        features and the ability to run as any user, any group, any fsGroup, and with
        any SELinux context.  WARNING: this is the most relaxed SCC and should be
        used only for cluster administration. Grant with caution.'
    creationTimestamp: null
    name: privileged
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities: []
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  seccompProfiles:
  - '*'
  supplementalGroups:
    type: RunAsAny
  users:
  - system:serviceaccount:openshift-infra:build-controller
  - system:serviceaccount:management-infra:management-admin
  - system:serviceaccount:management-infra:inspector-admin
  volumes:
  - '*'
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: []
  apiVersion: v1
  defaultAddCapabilities: []
  fsGroup:
    type: MustRunAs
  groups:
  - system:authenticated
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: restricted denies access to all host features and
        requires pods to be run with a UID, and SELinux context that are allocated
        to the namespace.  This is the most restrictive SCC and it is used by default
        for authenticated users.
    creationTimestamp: null
    name: restricted
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SYS_CHROOT
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
kind: List
metadata: {}

oc exec kube-state-metrics-binary-10-build --as system:admin --loglevel 9001 -- ls

I0831 13:24:02.747431   15282 loader.go:357] Config loaded from file /home/skuznets/.kube/config
I0831 13:24:02.749134   15282 round_trippers.go:386] curl -k -v -XGET  -H "Accept: application/json, */*" -H "Impersonate-User: system:admin" -H "User-Agent: oc/v1.7.0+695f48a16f (linux/amd64) kubernetes/d2e5420" -H "Authorization: Bearer QMLOhJxp1_B3rFd_8jqB9V8sVXrLm9EGKii0SIf1V0U" https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build
I0831 13:24:03.031384   15282 round_trippers.go:405] GET https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build 200 OK in 282 milliseconds
I0831 13:24:03.031403   15282 round_trippers.go:411] Response Headers:
I0831 13:24:03.031408   15282 round_trippers.go:414]     Cache-Control: no-store
I0831 13:24:03.031413   15282 round_trippers.go:414]     Content-Type: application/json
I0831 13:24:03.031418   15282 round_trippers.go:414]     Date: Thu, 31 Aug 2017 20:24:03 GMT
":"2017-08-31T20:23:36Z","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"},{"name":"manage-dockerfile","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2017-08-31T20:23:37Z","finishedAt":"2017-08-31T20:23:38Z","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}],"containerStatuses":[{"name":"docker-build","state":{"running":{"startedAt":"2017-08-31T20:23:38Z"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://2e50a80959ac4a02a849a464b721fb0c0a2d1cda0968d912090dd56fe2207077"}],"qosClass":"BestEffort"}}
I0831 13:24:03.072172   15282 round_trippers.go:386] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build/exec?command=ls&container=docker-build&container=docker-build&stderr=true&stdout=true
I0831 13:24:03.072202   15282 round_trippers.go:386] curl -k -v -XPOST  -H "X-Stream-Protocol-Version: v4.channel.k8s.io" -H "X-Stream-Protocol-Version: v3.channel.k8s.io" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "Impersonate-User: system:admin" -H "User-Agent: oc/v1.7.0+695f48a16f (linux/amd64) kubernetes/d2e5420" -H "Authorization: Bearer QMLOhJxp1_B3rFd_8jqB9V8sVXrLm9EGKii0SIf1V0U" https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build/exec?command=ls&container=docker-build&container=docker-build&stderr=true&stdout=true
I0831 13:24:03.373373   15282 round_trippers.go:405] POST https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build/exec?command=ls&container=docker-build&container=docker-build&stderr=true&stdout=true 403 Forbidden in 301 milliseconds
I0831 13:24:03.373412   15282 round_trippers.go:411] Response Headers:
I0831 13:24:03.373429   15282 round_trippers.go:414]     Cache-Control: no-store
I0831 13:24:03.373437   15282 round_trippers.go:414]     Content-Type: application/json
I0831 13:24:03.373443   15282 round_trippers.go:414]     Date: Thu, 31 Aug 2017 20:24:03 GMT
I0831 13:24:03.373448   15282 round_trippers.go:414]     Content-Length: 1014
I0831 13:24:03.373456   15282 round_trippers.go:405] POST https://api.ci.openshift.org:443/api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build/exec?command=ls&container=docker-build&container=docker-build&stderr=true&stdout=true 403 Forbidden in 301 milliseconds
I0831 13:24:03.373464   15282 round_trippers.go:411] Response Headers:
I0831 13:24:03.373469   15282 round_trippers.go:414]     Cache-Control: no-store
I0831 13:24:03.373475   15282 round_trippers.go:414]     Content-Type: application/json
I0831 13:24:03.373480   15282 round_trippers.go:414]     Date: Thu, 31 Aug 2017 20:24:03 GMT
I0831 13:24:03.373486   15282 round_trippers.go:414]     Content-Length: 1014
I0831 13:24:03.373884   15282 helpers.go:206] server response object: [{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods \"kube-state-metrics-binary-10-build\" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods \"kube-state-metrics-binary-10-build\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.initContainers[0].securityContext.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used provider restricted: .spec.initContainers[1].securityContext.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used]",
  "reason": "Forbidden",
  "details": {
    "name": "kube-state-metrics-binary-10-build",
    "kind": "pods"
  },
  "code": 403
}]
F0831 13:24:03.373927   15282 helpers.go:120] Error from server (Forbidden): pods "kube-state-metrics-binary-10-build" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods "kube-state-metrics-binary-10-build" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.initContainers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.initContainers[1].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
oc get pod kube-state-metrics-binary-10-build -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/build.name: kube-state-metrics-binary-10
    openshift.io/scc: privileged
    pod.alpha.kubernetes.io/init-container-statuses: '[{"name":"git-clone","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2017-08-31T20:23:35Z","finishedAt":"2017-08-31T20:23:36Z","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"},{"name":"manage-dockerfile","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2017-08-31T20:23:37Z","finishedAt":"2017-08-31T20:23:38Z","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}]'
    pod.alpha.kubernetes.io/init-containers: '[{"name":"git-clone","image":"openshift/origin-docker-builder:v3.7.0-alpha.1","command":["openshift-git-clone"],"args":["--loglevel=0"],"env":[{"name":"BUILD","value":"{\"kind\":\"Build\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"kube-state-metrics-binary-10\",\"namespace\":\"ci\",\"selfLink\":\"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10\",\"uid\":\"4311c0c5-8e8a-11e7-bd36-42010a800002\",\"resourceVersion\":\"220273\",\"creationTimestamp\":\"2017-08-31T20:23:33Z\",\"labels\":{\"buildconfig\":\"kube-state-metrics-binary\",\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.start-policy\":\"Serial\"},\"annotations\":{\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.number\":\"10\"},\"ownerReferences\":[{\"apiVersion\":\"build.openshift.io/v1\",\"kind\":\"BuildConfig\",\"name\":\"kube-state-metrics-binary\",\"uid\":\"f7af0289-8dbf-11e7-85db-42010a800002\",\"controller\":true}]},\"spec\":{\"serviceAccount\":\"builder\",\"source\":{\"type\":\"Git\",\"dockerfile\":\"FROM
      openshift/origin-release:golang-1.8\\nCOPY . /go/src/k8s.io/kube-state-metrics\\nRUN
      sleep 5000\\nRUN cd /go/src/k8s.io/kube-state-metrics \\u0026\\u0026 \\\\\\n    CGO_ENABLED=0
      go build -a -tags netgo .\\n\",\"git\":{\"uri\":\"https://github.com/openshift/kube-state-metrics.git\"}},\"strategy\":{\"type\":\"Docker\",\"dockerStrategy\":{\"from\":{\"kind\":\"DockerImage\",\"name\":\"openshift/origin-release:golang-1.8\"},\"imageOptimizationPolicy\":\"SkipLayers\"}},\"output\":{\"to\":{\"kind\":\"DockerImage\",\"name\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\"},\"pushSecret\":{\"name\":\"builder-dockercfg-lw6bm\"}},\"resources\":{},\"postCommit\":{},\"nodeSelector\":null,\"triggeredBy\":[{\"message\":\"Manually
      triggered\"}]},\"status\":{\"phase\":\"New\",\"outputDockerImageReference\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\",\"config\":{\"kind\":\"BuildConfig\",\"namespace\":\"ci\",\"name\":\"kube-state-metrics-binary\"},\"output\":{}}}\n"},{"name":"SOURCE_REPOSITORY","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"SOURCE_URI","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"ORIGIN_VERSION","value":"v3.7.0-alpha.1+70fcade-21"}],"resources":{},"volumeMounts":[{"name":"buildworkdir","mountPath":"/tmp/build"},{"name":"builder-token-0mgzn","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":false}},{"name":"manage-dockerfile","image":"openshift/origin-docker-builder:v3.7.0-alpha.1","command":["openshift-manage-dockerfile"],"args":["--loglevel=0"],"env":[{"name":"BUILD","value":"{\"kind\":\"Build\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"kube-state-metrics-binary-10\",\"namespace\":\"ci\",\"selfLink\":\"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10\",\"uid\":\"4311c0c5-8e8a-11e7-bd36-42010a800002\",\"resourceVersion\":\"220273\",\"creationTimestamp\":\"2017-08-31T20:23:33Z\",\"labels\":{\"buildconfig\":\"kube-state-metrics-binary\",\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.start-policy\":\"Serial\"},\"annotations\":{\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.number\":\"10\"},\"ownerReferences\":[{\"apiVersion\":\"build.openshift.io/v1\",\"kind\":\"BuildConfig\",\"name\":\"kube-state-metrics-binary\",\"uid\":\"f7af0289-8dbf-11e7-85db-42010a800002\",\"controller\":true}]},\"spec\":{\"serviceAccount\":\"builder\",\"source\":{\"type\":\"Git\",\"dockerfile\":\"FROM
      openshift/origin-release:golang-1.8\\nCOPY . /go/src/k8s.io/kube-state-metrics\\nRUN
      sleep 5000\\nRUN cd /go/src/k8s.io/kube-state-metrics \\u0026\\u0026 \\\\\\n    CGO_ENABLED=0
      go build -a -tags netgo .\\n\",\"git\":{\"uri\":\"https://github.com/openshift/kube-state-metrics.git\"}},\"strategy\":{\"type\":\"Docker\",\"dockerStrategy\":{\"from\":{\"kind\":\"DockerImage\",\"name\":\"openshift/origin-release:golang-1.8\"},\"imageOptimizationPolicy\":\"SkipLayers\"}},\"output\":{\"to\":{\"kind\":\"DockerImage\",\"name\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\"},\"pushSecret\":{\"name\":\"builder-dockercfg-lw6bm\"}},\"resources\":{},\"postCommit\":{},\"nodeSelector\":null,\"triggeredBy\":[{\"message\":\"Manually
      triggered\"}]},\"status\":{\"phase\":\"New\",\"outputDockerImageReference\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\",\"config\":{\"kind\":\"BuildConfig\",\"namespace\":\"ci\",\"name\":\"kube-state-metrics-binary\"},\"output\":{}}}\n"},{"name":"SOURCE_REPOSITORY","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"SOURCE_URI","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"ORIGIN_VERSION","value":"v3.7.0-alpha.1+70fcade-21"}],"resources":{},"volumeMounts":[{"name":"buildworkdir","mountPath":"/tmp/build"},{"name":"builder-token-0mgzn","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":false}}]'
    pod.beta.kubernetes.io/init-container-statuses: '[{"name":"git-clone","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2017-08-31T20:23:35Z","finishedAt":"2017-08-31T20:23:36Z","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25"},{"name":"manage-dockerfile","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2017-08-31T20:23:37Z","finishedAt":"2017-08-31T20:23:38Z","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}},"lastState":{},"ready":true,"restartCount":0,"image":"docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1","imageID":"docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca","containerID":"docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d"}]'
    pod.beta.kubernetes.io/init-containers: '[{"name":"git-clone","image":"openshift/origin-docker-builder:v3.7.0-alpha.1","command":["openshift-git-clone"],"args":["--loglevel=0"],"env":[{"name":"BUILD","value":"{\"kind\":\"Build\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"kube-state-metrics-binary-10\",\"namespace\":\"ci\",\"selfLink\":\"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10\",\"uid\":\"4311c0c5-8e8a-11e7-bd36-42010a800002\",\"resourceVersion\":\"220273\",\"creationTimestamp\":\"2017-08-31T20:23:33Z\",\"labels\":{\"buildconfig\":\"kube-state-metrics-binary\",\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.start-policy\":\"Serial\"},\"annotations\":{\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.number\":\"10\"},\"ownerReferences\":[{\"apiVersion\":\"build.openshift.io/v1\",\"kind\":\"BuildConfig\",\"name\":\"kube-state-metrics-binary\",\"uid\":\"f7af0289-8dbf-11e7-85db-42010a800002\",\"controller\":true}]},\"spec\":{\"serviceAccount\":\"builder\",\"source\":{\"type\":\"Git\",\"dockerfile\":\"FROM
      openshift/origin-release:golang-1.8\\nCOPY . /go/src/k8s.io/kube-state-metrics\\nRUN
      sleep 5000\\nRUN cd /go/src/k8s.io/kube-state-metrics \\u0026\\u0026 \\\\\\n    CGO_ENABLED=0
      go build -a -tags netgo .\\n\",\"git\":{\"uri\":\"https://github.com/openshift/kube-state-metrics.git\"}},\"strategy\":{\"type\":\"Docker\",\"dockerStrategy\":{\"from\":{\"kind\":\"DockerImage\",\"name\":\"openshift/origin-release:golang-1.8\"},\"imageOptimizationPolicy\":\"SkipLayers\"}},\"output\":{\"to\":{\"kind\":\"DockerImage\",\"name\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\"},\"pushSecret\":{\"name\":\"builder-dockercfg-lw6bm\"}},\"resources\":{},\"postCommit\":{},\"nodeSelector\":null,\"triggeredBy\":[{\"message\":\"Manually
      triggered\"}]},\"status\":{\"phase\":\"New\",\"outputDockerImageReference\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\",\"config\":{\"kind\":\"BuildConfig\",\"namespace\":\"ci\",\"name\":\"kube-state-metrics-binary\"},\"output\":{}}}\n"},{"name":"SOURCE_REPOSITORY","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"SOURCE_URI","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"ORIGIN_VERSION","value":"v3.7.0-alpha.1+70fcade-21"}],"resources":{},"volumeMounts":[{"name":"buildworkdir","mountPath":"/tmp/build"},{"name":"builder-token-0mgzn","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":false}},{"name":"manage-dockerfile","image":"openshift/origin-docker-builder:v3.7.0-alpha.1","command":["openshift-manage-dockerfile"],"args":["--loglevel=0"],"env":[{"name":"BUILD","value":"{\"kind\":\"Build\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"kube-state-metrics-binary-10\",\"namespace\":\"ci\",\"selfLink\":\"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10\",\"uid\":\"4311c0c5-8e8a-11e7-bd36-42010a800002\",\"resourceVersion\":\"220273\",\"creationTimestamp\":\"2017-08-31T20:23:33Z\",\"labels\":{\"buildconfig\":\"kube-state-metrics-binary\",\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.start-policy\":\"Serial\"},\"annotations\":{\"openshift.io/build-config.name\":\"kube-state-metrics-binary\",\"openshift.io/build.number\":\"10\"},\"ownerReferences\":[{\"apiVersion\":\"build.openshift.io/v1\",\"kind\":\"BuildConfig\",\"name\":\"kube-state-metrics-binary\",\"uid\":\"f7af0289-8dbf-11e7-85db-42010a800002\",\"controller\":true}]},\"spec\":{\"serviceAccount\":\"builder\",\"source\":{\"type\":\"Git\",\"dockerfile\":\"FROM
      openshift/origin-release:golang-1.8\\nCOPY . /go/src/k8s.io/kube-state-metrics\\nRUN
      sleep 5000\\nRUN cd /go/src/k8s.io/kube-state-metrics \\u0026\\u0026 \\\\\\n    CGO_ENABLED=0
      go build -a -tags netgo .\\n\",\"git\":{\"uri\":\"https://github.com/openshift/kube-state-metrics.git\"}},\"strategy\":{\"type\":\"Docker\",\"dockerStrategy\":{\"from\":{\"kind\":\"DockerImage\",\"name\":\"openshift/origin-release:golang-1.8\"},\"imageOptimizationPolicy\":\"SkipLayers\"}},\"output\":{\"to\":{\"kind\":\"DockerImage\",\"name\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\"},\"pushSecret\":{\"name\":\"builder-dockercfg-lw6bm\"}},\"resources\":{},\"postCommit\":{},\"nodeSelector\":null,\"triggeredBy\":[{\"message\":\"Manually
      triggered\"}]},\"status\":{\"phase\":\"New\",\"outputDockerImageReference\":\"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries\",\"config\":{\"kind\":\"BuildConfig\",\"namespace\":\"ci\",\"name\":\"kube-state-metrics-binary\"},\"output\":{}}}\n"},{"name":"SOURCE_REPOSITORY","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"SOURCE_URI","value":"https://github.com/openshift/kube-state-metrics.git"},{"name":"ORIGIN_VERSION","value":"v3.7.0-alpha.1+70fcade-21"}],"resources":{},"volumeMounts":[{"name":"buildworkdir","mountPath":"/tmp/build"},{"name":"builder-token-0mgzn","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":false}}]'
  creationTimestamp: 2017-08-31T20:23:34Z
  labels:
    openshift.io/build.name: kube-state-metrics-binary-10
  name: kube-state-metrics-binary-10-build
  namespace: ci
  ownerReferences:
  - apiVersion: build.openshift.io/v1
    controller: true
    kind: Build
    name: kube-state-metrics-binary-10
    uid: 4311c0c5-8e8a-11e7-bd36-42010a800002
  resourceVersion: "220311"
  selfLink: /api/v1/namespaces/ci/pods/kube-state-metrics-binary-10-build
  uid: 4317c656-8e8a-11e7-bd36-42010a800002
spec:
  containers:
  - args:
    - --loglevel=0
    command:
    - openshift-docker-build
    env:
    - name: BUILD
      value: |
        {"kind":"Build","apiVersion":"v1","metadata":{"name":"kube-state-metrics-binary-10","namespace":"ci","selfLink":"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10","uid":"4311c0c5-8e8a-11e7-bd36-42010a800002","resourceVersion":"220273","creationTimestamp":"2017-08-31T20:23:33Z","labels":{"buildconfig":"kube-state-metrics-binary","openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.number":"10"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"kube-state-metrics-binary","uid":"f7af0289-8dbf-11e7-85db-42010a800002","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","dockerfile":"FROM openshift/origin-release:golang-1.8\nCOPY . /go/src/k8s.io/kube-state-metrics\nRUN sleep 5000\nRUN cd /go/src/k8s.io/kube-state-metrics \u0026\u0026 \\\n    CGO_ENABLED=0 go build -a -tags netgo .\n","git":{"uri":"https://github.com/openshift/kube-state-metrics.git"}},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"openshift/origin-release:golang-1.8"},"imageOptimizationPolicy":"SkipLayers"}},"output":{"to":{"kind":"DockerImage","name":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries"},"pushSecret":{"name":"builder-dockercfg-lw6bm"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Manually triggered"}]},"status":{"phase":"New","outputDockerImageReference":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries","config":{"kind":"BuildConfig","namespace":"ci","name":"kube-state-metrics-binary"},"output":{}}}
    - name: SOURCE_REPOSITORY
      value: https://github.com/openshift/kube-state-metrics.git
    - name: SOURCE_URI
      value: https://github.com/openshift/kube-state-metrics.git
    - name: ORIGIN_VERSION
      value: v3.7.0-alpha.1+70fcade-21
    - name: PUSH_DOCKERCFG_PATH
      value: /var/run/secrets/openshift.io/push
    image: openshift/origin-docker-builder:v3.7.0-alpha.1
    imagePullPolicy: IfNotPresent
    name: docker-build
    resources: {}
    securityContext:
      privileged: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /tmp/build
      name: buildworkdir
    - mountPath: /var/run/docker.sock
      name: docker-socket
    - mountPath: /var/run/secrets/openshift.io/push
      name: builder-dockercfg-lw6bm-push
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: builder-token-0mgzn
      readOnly: true
  dnsPolicy: ClusterFirst
  imagePullSecrets:
  - name: builder-dockercfg-lw6bm
  initContainers:
  - args:
    - --loglevel=0
    command:
    - openshift-git-clone
    env:
    - name: BUILD
      value: |
        {"kind":"Build","apiVersion":"v1","metadata":{"name":"kube-state-metrics-binary-10","namespace":"ci","selfLink":"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10","uid":"4311c0c5-8e8a-11e7-bd36-42010a800002","resourceVersion":"220273","creationTimestamp":"2017-08-31T20:23:33Z","labels":{"buildconfig":"kube-state-metrics-binary","openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.number":"10"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"kube-state-metrics-binary","uid":"f7af0289-8dbf-11e7-85db-42010a800002","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","dockerfile":"FROM openshift/origin-release:golang-1.8\nCOPY . /go/src/k8s.io/kube-state-metrics\nRUN sleep 5000\nRUN cd /go/src/k8s.io/kube-state-metrics \u0026\u0026 \\\n    CGO_ENABLED=0 go build -a -tags netgo .\n","git":{"uri":"https://github.com/openshift/kube-state-metrics.git"}},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"openshift/origin-release:golang-1.8"},"imageOptimizationPolicy":"SkipLayers"}},"output":{"to":{"kind":"DockerImage","name":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries"},"pushSecret":{"name":"builder-dockercfg-lw6bm"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Manually triggered"}]},"status":{"phase":"New","outputDockerImageReference":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries","config":{"kind":"BuildConfig","namespace":"ci","name":"kube-state-metrics-binary"},"output":{}}}
    - name: SOURCE_REPOSITORY
      value: https://github.com/openshift/kube-state-metrics.git
    - name: SOURCE_URI
      value: https://github.com/openshift/kube-state-metrics.git
    - name: ORIGIN_VERSION
      value: v3.7.0-alpha.1+70fcade-21
    image: openshift/origin-docker-builder:v3.7.0-alpha.1
    imagePullPolicy: IfNotPresent
    name: git-clone
    resources: {}
    securityContext:
      privileged: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /tmp/build
      name: buildworkdir
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: builder-token-0mgzn
      readOnly: true
  - args:
    - --loglevel=0
    command:
    - openshift-manage-dockerfile
    env:
    - name: BUILD
      value: |
        {"kind":"Build","apiVersion":"v1","metadata":{"name":"kube-state-metrics-binary-10","namespace":"ci","selfLink":"/apis/build.openshift.io/v1/namespaces/ci/builds/kube-state-metrics-binary-10","uid":"4311c0c5-8e8a-11e7-bd36-42010a800002","resourceVersion":"220273","creationTimestamp":"2017-08-31T20:23:33Z","labels":{"buildconfig":"kube-state-metrics-binary","openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.start-policy":"Serial"},"annotations":{"openshift.io/build-config.name":"kube-state-metrics-binary","openshift.io/build.number":"10"},"ownerReferences":[{"apiVersion":"build.openshift.io/v1","kind":"BuildConfig","name":"kube-state-metrics-binary","uid":"f7af0289-8dbf-11e7-85db-42010a800002","controller":true}]},"spec":{"serviceAccount":"builder","source":{"type":"Git","dockerfile":"FROM openshift/origin-release:golang-1.8\nCOPY . /go/src/k8s.io/kube-state-metrics\nRUN sleep 5000\nRUN cd /go/src/k8s.io/kube-state-metrics \u0026\u0026 \\\n    CGO_ENABLED=0 go build -a -tags netgo .\n","git":{"uri":"https://github.com/openshift/kube-state-metrics.git"}},"strategy":{"type":"Docker","dockerStrategy":{"from":{"kind":"DockerImage","name":"openshift/origin-release:golang-1.8"},"imageOptimizationPolicy":"SkipLayers"}},"output":{"to":{"kind":"DockerImage","name":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries"},"pushSecret":{"name":"builder-dockercfg-lw6bm"}},"resources":{},"postCommit":{},"nodeSelector":null,"triggeredBy":[{"message":"Manually triggered"}]},"status":{"phase":"New","outputDockerImageReference":"docker-registry.default.svc:5000/ci/kube-state-metrics:binaries","config":{"kind":"BuildConfig","namespace":"ci","name":"kube-state-metrics-binary"},"output":{}}}
    - name: SOURCE_REPOSITORY
      value: https://github.com/openshift/kube-state-metrics.git
    - name: SOURCE_URI
      value: https://github.com/openshift/kube-state-metrics.git
    - name: ORIGIN_VERSION
      value: v3.7.0-alpha.1+70fcade-21
    image: openshift/origin-docker-builder:v3.7.0-alpha.1
    imagePullPolicy: IfNotPresent
    name: manage-dockerfile
    resources: {}
    securityContext:
      privileged: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /tmp/build
      name: buildworkdir
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: builder-token-0mgzn
      readOnly: true
  nodeName: origin-ci-ig-n-3hjt
  nodeSelector:
    role: app
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: builder
  serviceAccountName: builder
  terminationGracePeriodSeconds: 30
  volumes:
  - emptyDir:
      sizeLimit: "0"
    name: buildworkdir
  - hostPath:
      path: /var/run/docker.sock
    name: docker-socket
  - name: builder-dockercfg-lw6bm-push
    secret:
      defaultMode: 384
      secretName: builder-dockercfg-lw6bm
  - name: builder-token-0mgzn
    secret:
      defaultMode: 420
      secretName: builder-token-0mgzn
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2017-08-31T20:23:38Z
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: 2017-08-31T20:23:39Z
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: 2017-08-31T20:23:34Z
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://2e50a80959ac4a02a849a464b721fb0c0a2d1cda0968d912090dd56fe2207077
    image: docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1
    imageID: docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca
    lastState: {}
    name: docker-build
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: 2017-08-31T20:23:38Z
  hostIP: 10.128.0.12
  initContainerStatuses:
  - containerID: docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25
    image: docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1
    imageID: docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca
    lastState: {}
    name: git-clone
    ready: true
    restartCount: 0
    state:
      terminated:
        containerID: docker://d20b540a969b9f208642ef7bbe4a780407e4a788a4c627700bc1ecb3a2b07b25
        exitCode: 0
        finishedAt: 2017-08-31T20:23:36Z
        reason: Completed
        startedAt: 2017-08-31T20:23:35Z
  - containerID: docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d
    image: docker.io/openshift/origin-docker-builder:v3.7.0-alpha.1
    imageID: docker-pullable://docker.io/openshift/origin-docker-builder@sha256:c4dca63126070c48a22f4f73e182669334688e58e1c6ba32ee772beb523644ca
    lastState: {}
    name: manage-dockerfile
    ready: true
    restartCount: 0
    state:
      terminated:
        containerID: docker://1d15d83fe207db678ed237ced7ced662d6cbb466bcdf6e5edaa23c35c658a20d
        exitCode: 0
        finishedAt: 2017-08-31T20:23:38Z
        reason: Completed
        startedAt: 2017-08-31T20:23:37Z
  phase: Running
  podIP: 172.16.0.16
  qosClass: BestEffort
  startTime: 2017-08-31T20:23:34Z
@stevekuznetsov
Contributor Author

Also FWIW this is the current UX of this command:

$ oc exec kube-state-metrics-binary-10-build --as system:admin -- ls
Error from server (Forbidden): pods "kube-state-metrics-binary-10-build" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods "kube-state-metrics-binary-10-build" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.initContainers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.initContainers[1].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

That is 100x impossible to read.

/cc @juanvallejo @fabianofranz

@stevekuznetsov
Contributor Author

/cc @pweil-

@stevekuznetsov
Contributor Author

/cc @bparees for good measure since it's a build pod

@stevekuznetsov stevekuznetsov changed the title admission denies cluster-admin from exec admission denies cluster-admin from exec into build pod Aug 31, 2017
@pweil-
Contributor

pweil- commented Aug 31, 2017

/unassign @enj
/assign @php-coder

@php-coder this looks like maybe it could have to do with impersonation and how that comes across in the admission chain. In practice, the cluster-admin should be able to exec into anything because they are granted the privileged SCC by default but here it looks like only the restricted provider is available.

@openshift-ci-robot openshift-ci-robot assigned php-coder and unassigned enj Aug 31, 2017
@php-coder
Contributor

Most likely something was broken in authentication/impersonation, because the admission controller hasn't been changed recently.

@stevekuznetsov
Contributor Author

How can we validate? What do you need to see for debugging?

@pweil-
Contributor

pweil- commented Sep 1, 2017

@php-coder you can up the log level to at least 4 and test the difference of the user info before and after the authentication changes when using an --as parameter. That is what determines what SCCs are available. If that's so then we can get @enj and @simo5 to help out.

@php-coder
Contributor

Based on my debugging session, my theory is that earlier the impersonated user had a populated system:cluster-admins group, while at present it doesn't. Is that possible?

Also I see that now the user has Extra:map[scopes.authorization.openshift.io:[user:full]]}. I think that some auth mechanics should add the user to system:cluster-admins group. Otherwise we'll need to update many places to take a special attribute into account.

@enj
Contributor

enj commented Sep 4, 2017

@php-coder what is the user info (all fields) during admission:

  1. With impersonation
  2. Without impersonation

For both 3.6 and master (4 values total).

@php-coder
Contributor

I tried 3.6 and it also didn't work but fails with another error: #13390

So, let's assume that it's never worked.

@php-coder
Contributor

php-coder commented Sep 5, 2017

Here is the code that decides whether a user has access to an SCC or not:

// ConstraintAppliesTo inspects the constraint's users and groups against the userInfo to determine
// if it is usable by the userInfo.
func ConstraintAppliesTo(constraint *securityapi.SecurityContextConstraints, userInfo user.Info) bool {
    for _, user := range constraint.Users {
        if userInfo.GetName() == user {
            return true
        }
    }
    for _, userGroup := range userInfo.GetGroups() {
        if constraintSupportsGroup(userGroup, constraint.Groups) {
            return true
        }
    }
    return false
}

In order to allow a user in the sudoer group to have the same access as system:admin has, we can modify the logic in different ways:

  1. we may give a user the same groups as system:admin has
  2. we may pass system:admin user instead of unprivileged user
  3. we may check here whether a user has a special extended attribute (like scopes.authorization.openshift.io)

How is it supposed to work?

CC @deads2k

@php-coder
Contributor

For the history:

<deads2k> semushin: by the time admission is called, impersonation is over.  user.Info is the source of truth
<deads2k> semushin: you should not add or remove groups for evaluation

@php-coder
Contributor

I couldn't make impersonation work at all. A user that has the sudoers group can't create a privileged pod; it fails with the same error:

Error from server (Forbidden): error when creating "privileged.pod": pods "hello-privileged" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

@php-coder
Contributor

I found a workaround: privileged can be edited to also grant access to system:admin user. At this time, privileged is only granted to system:cluster-admins group.

system:admin belongs to system:cluster-admins group but a user who uses impersonation doesn't. And that's why it doesn't work right now.
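
The matching rule described in this comment, as an added Go example that is not part of the thread or the OpenShift source. The `SCC` and `UserInfo` types are simplified stand-ins, group matching is plain equality, and the group lists on each identity are constructed; it shows why `--as system:admin` reaches only `restricted` until the user name itself is granted `privileged`.

```go
package main

import "fmt"

// Cut-down stand-ins (assumptions) for the project's SCC type and user.Info.
type SCC struct{ Name string; Users, Groups []string }
type UserInfo struct{ Name string; Groups []string }

// appliesTo follows the quoted ConstraintAppliesTo; groups match by equality (assumption).
func appliesTo(c SCC, u UserInfo) bool {
	for _, name := range c.Users {
		if u.Name == name {
			return true
		}
	}
	for _, g := range u.Groups {
		for _, allowed := range c.Groups {
			if g == allowed {
				return true
			}
		}
	}
	return false
}

// usable names the SCCs admission would try for u, formatted as "[a b]".
func usable(u UserInfo, sccs ...SCC) string {
	names := []string{}
	for _, c := range sccs {
		if appliesTo(c, u) {
			names = append(names, c.Name)
		}
	}
	return fmt.Sprint(names)
}

// Constructed sample data; each identity's group list is an assumption.
var (
	restricted   = SCC{"restricted", nil, []string{"system:authenticated"}}
	privBefore   = SCC{"privileged", nil, []string{"system:cluster-admins"}}
	privAfter    = SCC{"privileged", []string{"system:admin"}, []string{"system:cluster-admins", "system:masters"}}
	direct       = UserInfo{"system:admin", []string{"system:cluster-admins", "system:authenticated"}}
	impersonated = UserInfo{"system:admin", []string{"system:authenticated"}} // --as only
)

func main() {
	fmt.Println("direct login, before:", usable(direct, restricted, privBefore))
	fmt.Println("--as, before:        ", usable(impersonated, restricted, privBefore))
	fmt.Println("--as, after:         ", usable(impersonated, restricted, privAfter))
}
```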

@stevekuznetsov
Contributor Author

When I impersonate the user, I only get the privilege they have themselves, not from their groups? That is surprising.

@php-coder
Contributor

When I impersonate the user, I only get the privilege they have themselves, not from their groups?

Yes, in this case you also need to specify --as-group system:admins

That is surprising.

Indeed.

@stevekuznetsov
Contributor Author

The UX of this is worse than terrible. Can we make it default to also grab groups?
/cc @deads2k

@stevekuznetsov stevekuznetsov removed the kind/bug label Sep 6, 2017
@php-coder
Contributor

I found a workaround: privileged can be edited to also grant access to system:admin user. At this time, privileged is only granted to system:cluster-admins group.

In order to improve UX (and not surprise even seasoned developers), I suggest granting the privileged SCC to the system:admin user explicitly.

@openshift/sig-security Objections?

@liggitt
Contributor

liggitt commented Sep 6, 2017

Can we make it default to also grab groups?

No, the groups are determined by the auth method, and are not available for lookup to the impersonation filter.

@php-coder
Contributor

--as-group doesn't help in this case:

$ oc exec ruby-hello-world-1-build --as system:admin --as-group system:cluster-admins -- pwd
Error from server (Forbidden): User "developer" cannot "impersonate" "systemgroups.user.openshift.io" with name "system:cluster-admins" in project ""

Seems like users from sudoers group can't request adding other groups.

@stevekuznetsov stevekuznetsov added the kind/bug label Sep 6, 2017
@deads2k
Contributor

deads2k commented Sep 6, 2017

Seems like users from sudoers group can't request adding other groups.

Is what you really want to add system:admin to the SCC powers?

@php-coder
Contributor

php-coder commented Sep 6, 2017

Seems like users from sudoers group can't request adding other groups.

The following patch could fix it:

--- pkg/cmd/server/bootstrappolicy/policy.go
+++ pkg/cmd/server/bootstrappolicy/policy.go
@@ -135,7 +135,7 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
                                Name: SudoerRoleName,
                        },
                        Rules: []rbac.PolicyRule{
-                               rbac.NewRule("impersonate").Groups(userGroup, legacyUserGroup).Resources(authorizationapi.SystemUserResource).Names(SystemAdminUsername).RuleOrDie(),
+                               rbac.NewRule("impersonate").Groups(userGroup, legacyUserGroup).Resources(authorizationapi.SystemUserResource, authorizationapi.SystemGroupResource).Names(SystemAdminUsername, ClusterAdminGroup).RuleOrDie(),
                        },
                },
                {
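
Review bot: the `+` line puts two resources and two names into a single rule, and an RBAC rule matches any listed resource combined with any listed name, so on top of the two intended pairs it also lets a sudoer impersonate a system user named ClusterAdminGroup and a system group named SystemAdminUsername. Leave the existing SystemUserResource rule as it is and add a second entry to Rules for the group: `rbac.NewRule("impersonate").Groups(userGroup, legacyUserGroup).Resources(authorizationapi.SystemGroupResource).Names(ClusterAdminGroup).RuleOrDie(),`. A short comment above the rules saying why the sudoer needs the group would also help.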

@enj
Contributor

enj commented Sep 6, 2017

The following patch could fix it

If we go that path, it would be an additional PolicyRule for sudoer. The one you made works, but also grants extra powers.


Not sure if we want to extend sudoer or extend the SCC. @deads2k or @liggitt may have a preference.
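
Why a single rule with two resources and two names grants more than two separate rules, as an added Go example that is not the project's code. `Rule` is a simplified stand-in for `rbac.PolicyRule`, the resource name `systemusers` is an assumption, and `systemgroups` is taken from the error message earlier in the thread.

```go
package main

import "fmt"

// Rule is a cut-down stand-in (assumption) for rbac.PolicyRule.
type Rule struct{ Verbs, Resources, Names []string }

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// allowed applies RBAC matching: a request passes if one rule lists its verb,
// its resource and its name. The three lists are checked independently.
func allowed(rules []Rule, verb, resource, name string) bool {
	for _, r := range rules {
		if has(r.Verbs, verb) && has(r.Resources, resource) && has(r.Names, name) {
			return true
		}
	}
	return false
}

// Constructed policies; the resource name "systemusers" is an assumption.
var (
	verbs     = []string{"impersonate"}
	resources = []string{"systemusers", "systemgroups"}
	names     = []string{"system:admin", "system:cluster-admins"}
	combined  = []Rule{{verbs, resources, names}} // shape of the proposed patch
	split     = []Rule{{verbs, resources[:1], names[:1]}, {verbs, resources[1:], names[1:]}}
)

// extra lists the resource/name pairs that wide permits and narrow does not.
func extra(wide, narrow []Rule) []string {
	out := []string{}
	for _, res := range resources {
		for _, name := range names {
			if allowed(wide, "impersonate", res, name) && !allowed(narrow, "impersonate", res, name) {
				out = append(out, fmt.Sprintf("%s/%s", res, name))
			}
		}
	}
	return out
}

func main() { fmt.Println("only the combined rule allows:", extra(combined, split)) }
```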

@deads2k
Contributor

deads2k commented Sep 6, 2017

Not sure if we want to extend sudoer or extend the SCC. @deads2k or @liggitt may have a preference.

I would probably do both. The sudoer could/should have access to the "magic" group, but the "system:admin" could/should have access to the SCC to make life easier on the CLI.

@enj
Contributor

enj commented Sep 6, 2017

So to be explicit, sudoer can impersonate:

  1. {system}user system:admin
  2. {system}groups system:cluster-admins and system:masters

And add system:admin, system:cluster-admins and system:masters to SCC.

Sound good?

@deads2k
Contributor

deads2k commented Sep 6, 2017

system:cluster-admins

this one is unnecessary. Otherwise, yes.

@php-coder
Contributor

@enj @deads2k What are the differences between system:cluster-admins and system:masters groups?

@deads2k
Contributor

deads2k commented Sep 7, 2017

system:masters is a "magic" group that always has full access to do anything. There is a special authorizer that allows it.

system:cluster-admins seemed like a good idea at the time. It isn't special.

@enj
Contributor

enj commented Sep 7, 2017

@php-coder I was mostly trying to make the UX as nice as possible. system:masters is the magic "I can do anything group" that is in sync with upstream.

Thus you want:

sudoer can impersonate:

  1. {system}user system:admin
  2. {system}group system:masters

And add system:admin and system:masters to SCC.

@php-coder
Contributor

system:masters is a "magic" group that always has full access to do anything.

@deads2k @enj Thanks for the explanation! I see that this role isn't documented. Should I create an issue for that?

@enj
Contributor

enj commented Sep 7, 2017

There is some stuff in https://kubernetes.io/docs/admin/authorization/rbac but yeah it probably deserves some information.

openshift-merge-robot added a commit that referenced this issue Sep 9, 2017
Automatic merge from submit-queue

Modify "sudoer" group and "privileged" SCC to seamlessly work together

Prior to this change, a member of the "sudoer" group couldn't create a privileged pod (or perform `oc exec` against it). Also, before, a user couldn't impersonate the `system:masters` group. Now all of these have become possible.

PTAL @openshift/sig-security 

Fixes #16092