Why do I need cluster admin permissions to create privileged containers in Docker EE?

Issue

We use Docker EE to build Docker images in CloudBees Core. When using the DinD approach as described in the following document, we get the following error:

 Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "pod-dind-XXXX" is forbidden: user "system:serviceaccount:namespace:username" is not an admin and does not have permissions to use privileged mode for resource.

Environment

Resolution

According to Docker EE documentation:

If a user without a cluster-admin role tries to deploy a pod with any of these privileged options, an error similar to the following example is displayed:

Error from server (Forbidden): error when creating "pod.yaml": pods "mypod" is forbidden: user "<user-id>" is not an admin and does not have permissions to use privileged mode for resource

You can check the details on this particular topic in the Docker EE Authorization documentation.

Once you promote the service account used by CloudBees Core to the cluster-admin role, the issue is resolved and you will be able to create privileged pods.
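To see which pod templates would trigger this error before deciding which service account needs the cluster-admin role, the following added example (not from the original article, CloudBees or Docker) scans a pod manifest for fields that request privileged options. The field list is an assumption built from standard Kubernetes pod fields, since the article does not enumerate the options, and the sample manifest is constructed.

```python
import json

# Assumption: pod-level and container-level fields treated as "privileged
# options". The article does not list them; these are standard Kubernetes fields.
POD_FLAGS = ("hostIPC", "hostNetwork", "hostPID")
CONTAINER_FLAGS = ("privileged", "allowPrivilegeEscalation")

# Constructed sample: a DinD-style agent pod with one privileged container.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "pod-dind-example"},
  "spec": {
    "containers": [
      {"name": "jnlp", "image": "example/agent"},
      {"name": "dind", "image": "docker:dind",
       "securityContext": {"privileged": true}}
    ],
    "volumes": [{"name": "work", "emptyDir": {}}]
  }
}
""")

def privileged_options(pod):
    """Return the paths in a pod manifest that request privileged options."""
    spec = pod.get("spec") or {}
    found = [f"spec.{f}" for f in POD_FLAGS if spec.get(f) is True]
    # Init containers run with the same security settings model as containers.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            base = f"spec.{kind}[{c.get('name', '?')}].securityContext"
            found += [f"{base}.{f}" for f in CONTAINER_FLAGS if sc.get(f) is True]
            if (sc.get("capabilities") or {}).get("add"):
                found.append(f"{base}.capabilities.add")
    # hostPath volumes expose the node filesystem to the pod.
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            found.append(f"spec.volumes[{v.get('name', '?')}].hostPath")
    return found

if __name__ == "__main__":
    for path in privileged_options(SAMPLE_POD):
        print("needs elevated rights:", path)
```

An empty result means the pod requests none of the listed options, so it should not hit the "does not have permissions to use privileged mode" error for this reason.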

Tested product/plugin versions
