Closed solarmicrobe closed 1 year ago
We solved this in our case by adding SecurityContextConstraints. Example below (we have the connect chart as a dependency)
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: one-password-operator
priority: 11
readOnlyRootFilesystem: true
requiredDropCapabilities:
  - MKNOD
runAsUser:
  # RunAsAny lifts the UID-range check that the default restricted SCC applies
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
users:
  # operator service account, resolved from the chart values at render time
  - system:serviceaccount:{{ $.Release.Namespace }}:{{ $.Values.connect.operator.serviceAccount.name }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: one-password
priority: 11
readOnlyRootFilesystem: true
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
users:
  # the Connect pods run under the namespace's default service account
  - system:serviceaccount:{{ $.Release.Namespace }}:default
```
@tomjo: Thank you!
Thank you for sharing your fix @tomjo
Your environment
Chart Version: 1.7.1
Helm Version: 3.8.0
Kubernetes Version: OCP 4.10.10 (Kubernetes v1.23.5+9ce5071)
What happened?
Security error when trying to create pods due to using runAsUser with a user id number that's not allowed
What did you expect to happen?
Chart installed correctly
Steps to reproduce
I'm currently using ArgoCD to deploy this via their App-of-apps pattern. So this is a resource for the Application
Notes & Logs
Specific error from logs
Stackoverflow that led me to this line of thinking: https://stackoverflow.com/questions/69433216/helm-is-failing-in-openshift-due-to-security-context-error
Openshift Security Documentation that might be helpful: https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html
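The error in this report and the SCC fix posted by tomjo above are two sides of the same admission rule: the default `restricted` SCC uses a `MustRunAsRange` strategy for `runAsUser` with no explicit range, so it accepts only UIDs inside the range pre-allocated to the namespace (the `openshift.io/sa.scc.uid-range` annotation), while the custom SCCs above use `RunAsAny`. The following Python model of that decision is an added example, not code from the 1Password Connect chart or from OpenShift; the annotation value `1000680000/10000` and the pod UID `999` are constructed sample data, and the strategy semantics are simplified (in particular, `MustRunAsNonRoot` with no declared UID is admitted and left to the kubelet to enforce at container start).

```python
"""Toy model of the SCC runAsUser admission check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RunAsUserStrategy:
    # One of: RunAsAny | MustRunAs | MustRunAsRange | MustRunAsNonRoot
    type: str
    uid: Optional[int] = None            # required uid for MustRunAs
    uid_range_min: Optional[int] = None  # explicit range for MustRunAsRange
    uid_range_max: Optional[int] = None


def parse_uid_range_annotation(value: str) -> Tuple[int, int]:
    """Parse the 'start/size' form of openshift.io/sa.scc.uid-range into an
    inclusive (min, max) pair, e.g. '1000680000/10000' -> (1000680000, 1000689999)."""
    start, size = value.split("/")
    start_i, size_i = int(start), int(size)
    if size_i <= 0:
        raise ValueError("uid range size must be positive")
    return start_i, start_i + size_i - 1


def effective_range(strategy: RunAsUserStrategy, ns_annotation: Optional[str]) -> Tuple[int, int]:
    """MustRunAsRange with no explicit range falls back to the namespace's pre-allocated range."""
    if strategy.uid_range_min is not None and strategy.uid_range_max is not None:
        return strategy.uid_range_min, strategy.uid_range_max
    if ns_annotation is None:
        raise ValueError("MustRunAsRange needs an explicit range or a namespace uid-range annotation")
    return parse_uid_range_annotation(ns_annotation)


def validate_run_as_user(strategy: RunAsUserStrategy, requested_uid: Optional[int],
                         ns_annotation: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Return (admitted, effective_uid, reason). effective_uid is the uid the pod
    would actually run as after the SCC defaults or validates the spec."""
    t = strategy.type
    if t == "RunAsAny":
        return True, requested_uid, "RunAsAny accepts any uid, including none"
    if t == "MustRunAsNonRoot":
        if requested_uid == 0:
            return False, None, "uid 0 is root"
        return True, requested_uid, "non-root uid accepted (kubelet enforces runAsNonRoot if unset)"
    if t == "MustRunAs":
        if requested_uid is None:
            return True, strategy.uid, f"defaulted to required uid {strategy.uid}"
        if requested_uid != strategy.uid:
            return False, None, f"must run as uid {strategy.uid}"
        return True, requested_uid, "matches required uid"
    if t == "MustRunAsRange":
        lo, hi = effective_range(strategy, ns_annotation)
        if requested_uid is None:
            return True, lo, f"defaulted to range start {lo}"
        if lo <= requested_uid <= hi:
            return True, requested_uid, f"uid {requested_uid} within [{lo}, {hi}]"
        return False, None, f"uid {requested_uid} outside [{lo}, {hi}]"
    raise ValueError(f"unknown runAsUser strategy {t!r}")


def check_pod(pod_uid: Optional[int], ns_annotation: Optional[str],
              sccs: Dict[str, RunAsUserStrategy]) -> Dict[str, Tuple[bool, Optional[int], str]]:
    """Evaluate one pod's requested uid against each candidate SCC's runAsUser strategy."""
    return {name: validate_run_as_user(s, pod_uid, ns_annotation) for name, s in sccs.items()}


# Constructed sample data: a namespace range as OpenShift would allocate it, a pod
# that pins a low fixed uid, and the two strategies that matter for this report.
NS_UID_RANGE = "1000680000/10000"
POD_UID = 999
CANDIDATE_SCCS = {
    "restricted": RunAsUserStrategy("MustRunAsRange"),  # default SCC, range from namespace
    "one-password": RunAsUserStrategy("RunAsAny"),       # the custom SCC from the fix above
}

if __name__ == "__main__":
    for name, (ok, uid, why) in check_pod(POD_UID, NS_UID_RANGE, CANDIDATE_SCCS).items():
        print(f"{name:14} admitted={ok!s:5} uid={uid} ({why})")
```

Running it shows `restricted` rejecting uid 999 while `one-password` admits it; removing the pod's fixed `runAsUser` instead makes `restricted` admit the pod with the range start as its uid, which is the alternative to granting a wider SCC.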