SCC Error on OpenShift #289
This is because we choose the security context in our YAMLs. Not sure why OpenShift denies this; they should simply honor the security contexts specified in the YAML.
Pod security context was added recently; this was added because we don't need to run as root even inside the container. Perhaps the user ID chosen is not compatible with OpenShift, as the error suggests? You could get around this meanwhile by doing an overlay with the fixes that you are doing manually and installing the operator in that manner. Before, we had a long, long YAML with everything in it; the new kustomize approach is much more organized. What changed and broke your install path was the pod security context.
It seems like the
That error seems to be OpenShift-specific; the Kubernetes documentation uses 1000 as an example: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
Similar in the OpenShift 4.5 documentation. Is there something custom about your setup, @christianh814?
@dvaldivia this is part of OpenShift default security context constraints, there is nothing we need to do. @christianh814 You just have to configure the correct runAsUser or runAsGroup, or remove them so that OpenShift can force the container to run under a specific SCC. Closing this as not our problem.
@harshavardhana agree, even the documentation for OpenShift 4.5 shows an example using user 1000, so it may be something on their setup.
Signed-off-by: David Zager <[email protected]>
I figured I would add to this since I have also run into this. As mentioned by harshavardhana, this is an SCC issue when deploying on OpenShift. In order to get the helm chart to deploy to an OpenShift cluster, you just need to make sure that the helm chart passes the SCC checks. For example, by default (at least for me running on OpenShift 4.16.7) the user UID must be between [1000730000 - 1000739999]. The MinIO helm chart by default has a The content of my

```yaml
# Needed in order to pass OpenShift security context constraints
operator:
  securityContext:
    runAsUser: 1000730000
    runAsGroup: 1000730000
    fsGroup: 1000730000
  containerSecurityContext:
    runAsUser: 1000730000
    runAsGroup: 1000730000
```
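The UID-range check described in the comment above can be run against Helm values before installing. This is an added example, not code from the MinIO operator or OpenShift: the function names and sample values are constructed, the range string is assumed to be the namespace's `openshift.io/sa.scc.uid-range` annotation in `<first>/<size>` form, and group IDs are assumed to be held to the same range, as in the override above.

```shell
#!/bin/sh
# Added example (not MinIO or OpenShift code). The range string is the value of
# the namespace annotation openshift.io/sa.scc.uid-range ("<first>/<size>").
# Assumption: group IDs are checked against the same range, as in the override
# posted above.

# Print "<first> <last>" for a "<first>/<size>" range; return 1 if malformed.
scc_uid_bounds() {
  scc_first=${1%%/*}
  scc_size=${1#*/}
  case "$1" in */*) ;; *) return 1 ;; esac
  case "$scc_first" in ''|*[!0-9]*) return 1 ;; esac
  case "$scc_size" in ''|0|*[!0-9]*) return 1 ;; esac
  echo "$scc_first $((${scc_first} + ${scc_size} - 1))"
}

# Read Helm values (YAML) on stdin and report every runAsUser, runAsGroup or
# fsGroup outside the range. Returns 0 if all fit, 1 if any do not, 2 on a bad range.
check_values_ids() {
  scc_bounds=$(scc_uid_bounds "$1") || { echo "bad range: $1" >&2; return 2; }
  awk -v lo="${scc_bounds% *}" -v hi="${scc_bounds#* }" '
    /^[ \t]*(runAsUser|runAsGroup|fsGroup):[ \t]+[0-9]+[ \t]*(#.*)?$/ {
      key = $1; sub(/:$/, "", key); id = $2 + 0
      if (id < lo || id > hi) {
        printf "line %d: %s=%d outside [%d, %d]\n", NR, key, id, lo, hi
        bad = 1
      }
    }
    END { exit bad + 0 }'
}

# Constructed sample: values using the ID 1000 discussed in this issue.
sample_default_values() {
  cat <<'EOF'
operator:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containerSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
EOF
}

# Constructed sample: the same values with the IDs from the override above.
sample_fixed_values() { sample_default_values | sed 's/: 1000$/: 1000730000/'; }

sample_default_values | check_values_ids "1000730000/10000" || echo "defaults: rejected"
sample_fixed_values | check_values_ids "1000730000/10000" && echo "override: accepted"
```

The range differs per namespace, so the first argument should come from the target namespace's annotation rather than being copied from another cluster.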
I found great documentation from rook.io in regards to OpenShift and SecurityContextConstraints. It helped me in understanding how they deploy their operator and get a better understanding of OpenShift. Looks like the best thing to do would be to define a
I created a feature request to see if this could be implemented into the operator helm chart #2315
Deploying the operator using the kustomize method...
Produces the following output on OpenShift 4.5
Expected Behavior
In other versions of the operator, no SCC edits were required. It was as simple as running...
Current Behavior
Now, you need to run this to make it work..
This will make the pod run...
Possible Solution
Any reason why 1000 is used? How was this operator configured before? I never needed to change the SCC definition
Steps to Reproduce (for bugs)
openshift-install create cluster
kubectl apply -k http://github.com/minio/operator
kubectl get events -n minio-operator
Context
Trying to automate the installation of Minio in my pipeline
Regression
I believe this is a regression since an SCC edit wasn't required before
Your Environment
(minio-operator): Latest
(uname -a): RHCOS