1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License

Chart does not work in Openshift Container Platform #95

Closed solarmicrobe closed 1 year ago

solarmicrobe commented 2 years ago

Your environment

Chart Version: 1.7.1

Helm Version: 3.8.0

Kubernetes Version: OCP 4.10.10 (Kubernetes v1.23.5+9ce5071)

What happened?

Security error when trying to create pods due to using runAsUser with a user id number that's not allowed

What did you expect to happen?

Chart installed correctly

Steps to reproduce

I'm currently using ArgoCD to deploy this via their App-of-apps pattern. So this is a resource for the Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: one-password-connect
  namespace: openshift-gitops
  labels:
    app.kubernetes.io/instance: argocd
spec:
  project: default
  source:
    repoURL: https://1password.github.io/connect-helm-charts/
    targetRevision: 1.7.1
    path: apps/one-password-connect
    helm:
      releaseName: onepassword-connect
      values: |
        connect:
          credentials: |
            <redacted>
          tls:
            enabled: false
            secret: op-connect-tls
        operator:
          create: true
          token:
            value: <redacted>
      version: v3
    chart: connect
  destination:
    namespace: onepassword
    server: 'https://kubernetes.default.svc'
  syncPolicy:
    syncOptions:
    - CreateNamespace=true

Notes & Logs

Specific error from logs

pods "onepassword-connect-96776974f-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000680000, 1000689999], spec.containers[1].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000680000, 1000689999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Stackoverflow that led me to this line of thinking: https://stackoverflow.com/questions/69433216/helm-is-failing-in-openshift-due-to-security-context-error

Openshift Security Documentation that might be helpful: https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html
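The denial above is OpenShift's admission controller rejecting a pod because the chart pins `runAsUser` to 999 while the namespace's `restricted` SCC only admits UIDs from the range the namespace was assigned (the `openshift.io/sa.scc.uid-range` annotation, in `<start>/<size>` form). The following is an added example, not code from the chart or from anyone in this thread: it parses a denial message of that shape, checks a rendered pod spec against a namespace range before it reaches the cluster, and shows the "let OpenShift assign the UID" remediation. The denial text is a trimmed constructed sample modelled on the one quoted above, and the pod spec and container names are constructed placeholders.

```python
import copy
import re
from typing import List, Tuple

# Constructed sample: the shape of the SCC denial quoted in the issue above, trimmed
# to the clauses that carry the UID decision (the other "provider ... Forbidden"
# clauses only say that the service account may not use those SCCs).
SAMPLE_DENIAL = (
    'pods "onepassword-connect-96776974f-" is forbidden: unable to validate against '
    'any security context constraint: [provider "anyuid": Forbidden: not usable by '
    'user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid '
    'value: 999: must be in the ranges: [1000680000, 1000689999], '
    'spec.containers[1].securityContext.runAsUser: Invalid value: 999: must be in '
    'the ranges: [1000680000, 1000689999], provider "nonroot": Forbidden: not usable '
    'by user or serviceaccount]'
)

# Constructed pod spec standing in for the chart's rendered Deployment: two containers,
# each pinned to UID 999. The container names are placeholders, not the chart's.
SAMPLE_POD = {
    "spec": {
        "containers": [
            {"name": "api-placeholder", "securityContext": {"runAsUser": 999}},
            {"name": "sync-placeholder", "securityContext": {"runAsUser": 999}},
        ]
    }
}

_RUN_AS_USER_RE = re.compile(
    r"spec\.containers\[(\d+)\]\.securityContext\.runAsUser: Invalid value: (\d+): "
    r"must be in the ranges: \[(\d+), (\d+)\]"
)


def parse_scc_denial(message: str) -> List[dict]:
    """Pull (container index, requested UID, allowed range) out of an SCC denial message."""
    return [
        {
            "container": int(m.group(1)),
            "requested_uid": int(m.group(2)),
            "range_start": int(m.group(3)),
            "range_end": int(m.group(4)),
        }
        for m in _RUN_AS_USER_RE.finditer(message)
    ]


def parse_uid_range_annotation(value: str) -> Tuple[int, int]:
    """Turn an openshift.io/sa.scc.uid-range value ("<start>/<size>") into an inclusive range."""
    start_text, size_text = value.split("/", 1)
    start, size = int(start_text), int(size_text)
    return start, start + size - 1


def check_pod_uids(pod: dict, uid_range: str) -> List[str]:
    """One finding per container whose hard-coded runAsUser lies outside the namespace range."""
    low, high = parse_uid_range_annotation(uid_range)
    pod_level_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
    findings = []
    for index, container in enumerate(pod["spec"].get("containers", [])):
        uid = container.get("securityContext", {}).get("runAsUser", pod_level_uid)
        if uid is None:
            continue  # nothing pinned: the restricted SCC assigns a UID from the range
        if not low <= uid <= high:
            findings.append(
                f"containers[{index}] ({container['name']}): runAsUser {uid} "
                f"is outside [{low}, {high}]"
            )
    return findings


def strip_hardcoded_uids(pod: dict) -> dict:
    """Copy of the pod with every runAsUser removed, so admission can assign one from the range."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].get("securityContext", {}).pop("runAsUser", None)
    for container in fixed["spec"].get("containers", []):
        container.get("securityContext", {}).pop("runAsUser", None)
    return fixed


if __name__ == "__main__":
    for entry in parse_scc_denial(SAMPLE_DENIAL):
        print(entry)
    for finding in check_pod_uids(SAMPLE_POD, "1000680000/10000"):
        print(finding)
    print(check_pod_uids(strip_hardcoded_uids(SAMPLE_POD), "1000680000/10000"))  # []
```

Running the check over `helm template` output (parsed with a YAML library) in CI catches the mismatch before ArgoCD syncs it. Dropping the pinned UID only works when the image is built to run under an arbitrary UID, which is the usual OpenShift requirement; if the image needs UID 999 specifically, the alternative is a dedicated SCC that admits that UID, as the next comment shows.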

tomjo commented 2 years ago

We solved this in our case by adding SecurityContextConstraints. Example below (we have the connect chart as a dependency).

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: one-password-operator
priority: 11
readOnlyRootFilesystem: true
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
users:
  - system:serviceaccount:{{ $.Release.Namespace }}:{{ $.Values.connect.operator.serviceAccount.name }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: one-password
priority: 11
readOnlyRootFilesystem: true
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
users:
  - system:serviceaccount:{{ $.Release.Namespace }}:default
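A custom SCC like the two above is the standard way to admit an image that needs a fixed UID, and it is worth reviewing what it grants relative to the built-in `restricted` SCC before binding it. The following is an added example, not code from the chart or from the comment above: it takes an SCC as a Python dict (a constructed copy of the second SCC above, with the Helm template expressions rendered to a placeholder namespace), reports each field that is looser than `restricted` and which principal the SCC is bound to, and shows the narrower `MustRunAs` strategy that admits only the single UID the chart pins. The `restricted` baseline values are stated from the platform defaults, not from this page.

```python
import copy
from typing import List

# Values of OpenShift's built-in "restricted" SCC used as the comparison baseline
# (stated from the platform defaults, not taken from this page).
RESTRICTED_BASELINE = {
    "runAsUser": "MustRunAsRange",
    "fsGroup": "MustRunAs",
    "requiredDropCapabilities": {"KILL", "MKNOD", "SETUID", "SETGID"},
}

# Constructed sample mirroring the second SCC above, with the Helm template
# expressions rendered to a placeholder namespace.
SAMPLE_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "one-password"},
    "priority": 11,
    "readOnlyRootFilesystem": True,
    "requiredDropCapabilities": ["MKNOD"],
    "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "MustRunAs"},
    "supplementalGroups": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
    "allowHostDirVolumePlugin": False,
    "allowHostIPC": False,
    "allowHostNetwork": False,
    "allowHostPID": False,
    "allowHostPorts": False,
    "allowPrivilegeEscalation": False,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": None,
    "defaultAddCapabilities": None,
    "users": ["system:serviceaccount:placeholder-namespace:default"],
}

# Boolean SCC fields that hand the pod host-level access when true.
HOST_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
              "allowHostPID", "allowHostPorts", "allowPrivilegedContainer")


def review_scc(scc: dict) -> List[str]:
    """List where the SCC is looser than restricted, and who it is bound to."""
    findings = []
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        findings.append("runAsUser RunAsAny: any UID is admitted, including 0, "
                        "unless the pod itself sets runAsNonRoot")
    if scc.get("fsGroup", {}).get("type") == "RunAsAny":
        findings.append("fsGroup RunAsAny: volume group ownership is not confined "
                        "to the namespace range")
    dropped = set(scc.get("requiredDropCapabilities") or [])
    missing = RESTRICTED_BASELINE["requiredDropCapabilities"] - dropped
    if missing:
        findings.append(f"requiredDropCapabilities does not drop {sorted(missing)} "
                        f"(restricted does)")
    for flag in HOST_FLAGS:
        if scc.get(flag):
            findings.append(f"{flag} is true")
    if (scc.get("priority") or 0) > 0:
        findings.append(f"priority {scc['priority']}: tried before restricted, so pods "
                        f"restricted would have admitted also land on this SCC")
    for user in scc.get("users") or []:
        if user.endswith(":default"):
            findings.append(f"{user}: the namespace default service account, so every "
                            f"pod there without an explicit serviceAccountName gains this SCC")
    return findings


def pin_run_as_user(scc: dict, uid: int) -> dict:
    """Copy of the SCC that admits exactly one UID (MustRunAs + uid) instead of any UID."""
    pinned = copy.deepcopy(scc)
    pinned["runAsUser"] = {"type": "MustRunAs", "uid": uid}
    return pinned


if __name__ == "__main__":
    for finding in review_scc(SAMPLE_SCC):
        print("-", finding)
    print(review_scc(pin_run_as_user(SAMPLE_SCC, 999)))
```

Pinning `runAsUser` to the UID the image actually needs keeps the rest of the posted SCC (no host access, no privilege escalation, read-only root filesystem) while removing the ability to run as root under it; binding the SCC to the chart's own service account rather than `default` limits it to the pods that need it.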

jmhublar commented 1 year ago

@tomjo : Thank you!

jillianwilson commented 1 year ago

Thank you for sharing your fix @tomjo