Why do I need cluster admin permissions to create privileged containers in Docker EE

Article ID:360033328492

Issue

We use Docker EE to build Docker images in CloudBees Core. When using the Docker-in-Docker (DinD) approach described in the following document, we get the following error:

 Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "pod-dind-XXXX" is forbidden: user "system:serviceaccount:namespace:username" is not an admin and does not have permissions to use privileged mode for resource.

Resolution

According to Docker EE documentation:

If a user without a cluster-admin role tries to deploy a pod with any of these privileged options, an error similar to the following example is displayed:

Error from server (Forbidden): error when creating "pod.yaml": pods "mypod" is forbidden: user "<user-id>" is not an admin and does not have permissions to use privileged mode for resource

You can check the details on this particular topic in the Docker EE Authorization documentation.

Once you promote the service account used by CloudBees Core to the cluster-admin role, the issue is resolved and privileged pods can be created without further errors.
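As an added example (not code from the article or from CloudBees), the following script extracts the service account id from the error text above and checks whether that subject is bound to the cluster-admin ClusterRole in the JSON that `kubectl get clusterrolebindings -o json` returns. It assumes the promotion is represented as a standard Kubernetes ClusterRoleBinding, and all names and the binding data are constructed samples.

```python
import json
import re

# Constructed sample of `kubectl get clusterrolebindings -o json` output
# (invented names, not data from a real cluster).
SAMPLE_BINDINGS = json.dumps({
    "items": [
        {"metadata": {"name": "cloudbees-core-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "cloudbees", "name": "jenkins"}]},
        {"metadata": {"name": "viewers"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "cloudbees", "name": "agent"}]},
        {"metadata": {"name": "cluster-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
    ]
})

# Constructed copy of the error shape quoted in the article.
SAMPLE_ERROR = ('pods "pod-dind-1234" is forbidden: user '
                '"system:serviceaccount:cloudbees:agent" is not an admin and '
                'does not have permissions to use privileged mode for resource')

def forbidden_user(message):
    # Pull the user id out of the 'user "..." is not an admin' error text.
    m = re.search(r'user "([^"]+)" is not an admin', message)
    return m.group(1) if m else None

def subject_id(subject):
    # Render an RBAC subject the way Kubernetes names it in error messages.
    if subject.get("kind") == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject.get("name")  # User or Group; group membership is not expanded here

def cluster_admin_ids(bindings_json):
    # Every subject bound directly to the cluster-admin ClusterRole.
    ids = set()
    for binding in json.loads(bindings_json).get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            ids.update(subject_id(s) for s in binding.get("subjects", []))
    return ids

def has_cluster_admin(user_id, bindings_json):
    return user_id in cluster_admin_ids(bindings_json)

if __name__ == "__main__":
    user = forbidden_user(SAMPLE_ERROR)
    print(user, "cluster-admin:", has_cluster_admin(user, SAMPLE_BINDINGS))
```

Run it against real output by replacing `SAMPLE_BINDINGS` with the kubectl JSON; the same listing shows every other subject that already holds cluster-admin, which is worth reviewing when a CI service account is added to it.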

Tested product/plugin versions

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.