F5Networks / f5-ipam-controller

The F5 IPAM Controller runs in an orchestration environment like Kubernetes to allocate IP addresses from an IPAM system to BIG-IP Virtual Servers. The purpose is to abstract the complexity related to setting up BIG-IP from a networking perspective.
Apache License 2.0

Cannot deploy using a NFS volume due to the forced securityContext in the helm chart #137

Open rhessing opened 1 year ago

rhessing commented 1 year ago

Setup Details

FIC Version: HelmChart 0.0.3, 0.1.8
CIS Version: 2.10.1
FIC Build: f5networks/f5-ipam-controller:0.1.8
CIS Build: f5networks/k8s-bigip-ctlr:2.10.1
AS3 Version: 3.4
Orchestration: K8S
Orchestration Version: 1.24.4
Additional Setup details: nfs.csi.k8s.io (https://github.com/kubernetes-csi/csi-driver-nfs)

Description

When using a NFS storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: f5-ipam-shared-sc
provisioner: nfs.csi.k8s.io
parameters:
  server: 172.17.20.200
  share: /f5-ipam
  csi.storage.k8s.io/provisioner-secret-name: "f5-ipam-shared-csi-secret"
  csi.storage.k8s.io/provisioner-secret-namespace: "kube-system"
reclaimPolicy: Retain
volumeBindingMode: Immediate
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: f5-ipam-controller
  namespace: kube-system
spec:
  repo: https://f5networks.github.io/f5-ipam-controller/helm-charts/stable
  chart: f5-ipam-controller
  version: 0.0.3
  targetNamespace: kube-system
  valuesContent: |-
    nodeSelector:
      kubernetes.io/os: linux
    pvc:
      create: true
      name: f5-ipam-controller-pvc
      storageClassName: f5-ipam-shared-sc
      accessMode: ReadWriteOnce
      storage: 512Mi
    args:
      orchestration: "kubernetes"
      provider: "f5-ip-provider"
      ip_range: '{"iprange":"172.17.20.100-172.17.20.199"}'
      log_level: DEBUG
    image:
      version: 0.1.8
      pullPolicy: IfNotPresent
    securityContext:
      runAsUser: 1200
      runAsGroup: 1200
      fsGroup: 1200

The Helm install will work; however, the IPAM Controller Pod will not run due to a permission issue:

2022/12/02 12:59:31 [DEBUG] Creating IPAM Kubernetes Client
2022/12/02 12:59:31 [INFO] [INIT] Starting: F5 IPAM Controller - Version: 0.1.8, BuildInfo: azure-2661-f66ad6d2a4a94e0f0a8619191303af556f45dd0d
2022/12/02 12:59:31 [DEBUG] [ipam] Creating Informers for Namespace kube-system
2022/12/02 12:59:31 [DEBUG] Created New IPAM Client
2022/12/02 12:59:31 [DEBUG] [MGR] Creating Manager with Provider: f5-ip-provider
2022/12/02 12:59:31 [ERROR] [STORE] Unable to read IPAM DB file due to permission issue: stat /app/ipamdb/cis_ipam.sqlite3: permission denied
2022/12/02 12:59:31 [ERROR] [PROV] Store not initialized
2022/12/02 12:59:31 [ERROR] [PROV] Failed to Initialize Provider
2022/12/02 12:59:31 [ERROR] Unable to initialize manager: [IPMG] Unable to create Provider

Even if I create a Job that sets the correct permissions, it won't do the trick:

---
apiVersion: batch/v1
kind: Job
metadata:
  name: f5-ipam-set-volume-permissions
  namespace: kube-system
spec:
  backoffLimit: 4
  template:
    spec:
      restartPolicy: Never
      volumes:
        - name: f5-ipam-controller-pvc
          persistentVolumeClaim:
            claimName: f5-ipam-controller-pvc
      containers:
        - name: f5-ipam-init-chown-data
          image: busybox
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
          command: ["chown",  "-R", "1200:1200", "/app/ipamdb/"]
          volumeMounts:
            - name: f5-ipam-controller-pvc
              mountPath: /app/ipamdb/

Steps To Reproduce

1) Install a K8s cluster
2) Install the NFS CSI plugin
3) Create a NFS export on the NFS server
4) Create a storage class with the NFS server IP and path
5) Use helm to install the F5 IPAM controller

Expected Result

Actual Result

2022/12/02 12:40:44 [ERROR] [STORE] Unable to read IPAM DB file due to permission issue: stat /app/ipamdb/cis_ipam.sqlite3: permission denied
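As an added diagnostic (this is not code from the issue or from the f5-ipam-controller project): a preflight script that reproduces the owner/group/other mode-bit check the kernel applies, given a path, uid and gid, so you can confirm on the NFS client, or in a debug pod that mounts the PVC, what uid/gid 1200 is actually allowed to do before redeploying. It assumes GNU or BusyBox `stat -c` (the busybox image used by the chown Job above has it); the uid/gid 1200 and the file name cis_ipam.sqlite3 are taken from the report. One point worth knowing when reading the log above: `stat` on a file fails with "permission denied" when the directory lacks search (x) permission for the caller, so the directory's mode, not only the file's, is what to look at.

```shell
#!/bin/sh
# ipamdb-preflight.sh: check whether the f5-ipam-controller identity can use
# its SQLite store on a mounted volume.
#
# Added example, not part of the f5-ipam-controller project or of the issue's
# manifests. Assumes GNU or BusyBox `stat -c` (present in the busybox image
# used by the chown Job in the issue). Defaults (uid/gid 1200, file name
# cis_ipam.sqlite3) are the values from the issue report.

IPAM_DB_NAME=cis_ipam.sqlite3

# access_bits UID GID PATH
#   Prints the octal digit (0-7, r=4 w=2 x=1) that the kernel's DAC check
#   applies to that identity for PATH; returns 2 if PATH cannot be stat'ed.
#   uid 0 is deliberately not special-cased: on an NFS export with root_squash
#   (the default in /etc/exports) the server maps client root to the anonymous
#   uid, so "root" in a Job or init container is just another unprivileged user.
access_bits() {
  uid=$1; gid=$2; path=$3
  out=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 2
  set -- $out
  ouid=$1; ogid=$2; mode=$3
  # normalise to exactly three octal digits: pad short modes, then drop the
  # setuid/setgid/sticky digit in front
  while [ ${#mode} -lt 3 ]; do mode=0$mode; done
  mode=${mode#"${mode%???}"}
  if [ "$uid" = "$ouid" ]; then
    echo "${mode%??}"            # owner digit
  elif [ "$gid" = "$ogid" ]; then
    g=${mode#?}; echo "${g%?}"   # group digit
  else
    echo "${mode#??}"            # other digit
  fi
}

# has_bits DIGIT MASK: true if every bit of MASK is set in DIGIT
has_bits() {
  [ $(( $1 & $2 )) -eq "$2" ]
}

# check_ipamdb_access DIR [UID] [GID]
#   Returns 0 if the identity could open DIR/cis_ipam.sqlite3 (creating it if
#   absent), 1 otherwise. Prints one OK/FAIL line per finding.
check_ipamdb_access() {
  dir=$1; cuid=${2:-1200}; cgid=${3:-1200}; rc=0
  bits=$(access_bits "$cuid" "$cgid" "$dir") || { echo "FAIL $dir: cannot stat"; return 1; }
  # stat() on a file inside DIR already fails with EACCES when DIR lacks
  # search (x) permission for the caller, which matches the message in the
  # controller log; SQLite also writes journal files next to the DB, so the
  # directory needs w as well.
  if has_bits "$bits" 3; then
    echo "OK   $dir: uid=$cuid gid=$cgid has wx (bits=$bits)"
  else
    echo "FAIL $dir: uid=$cuid gid=$cgid lacks write/search (bits=$bits)"; rc=1
  fi
  db=$dir/$IPAM_DB_NAME
  if [ -e "$db" ]; then
    bits=$(access_bits "$cuid" "$cgid" "$db")
    if has_bits "$bits" 6; then
      echo "OK   $db: uid=$cuid gid=$cgid has rw (bits=$bits)"
    else
      echo "FAIL $db: uid=$cuid gid=$cgid lacks rw (bits=$bits)"; rc=1
    fi
  fi
  return $rc
}

# Usage: sh ipamdb-preflight.sh /app/ipamdb [uid] [gid]
if [ "$#" -gt 0 ]; then
  check_ipamdb_access "$1" "${2:-1200}" "${3:-1200}"
fi
```

If the script reports FAIL after a chown Job like the one above has run "successfully", a likely cause to rule out is the export itself: with root_squash active on the NFS server, the Job's root user is mapped to the anonymous uid and its chown cannot take ownership, so the fix has to happen on the server side (chown the export directory to 1200:1200 there, or export it with all_squash,anonuid=1200,anongid=1200) rather than from a pod. That is general NFS behaviour, not something the issue thread itself confirms.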
mdditt2000 commented 1 year ago

@rhessing please contact PM at automation_toolchain_pm@f5.com so we can prioritize this issue

trinaths commented 1 year ago

@rhessing please contact PM at automation_toolchain_pm@f5.com so we can prioritize this issue

shkarface commented 2 months ago

It should be a very easy fix to update the helm chart to support new security requirements. I will try to fix this tomorrow as we have a requirement on this as well.

arunmk commented 1 week ago

@shkarface could you please mention if there has been any progress on this.

~Also, could you mention if there is a workaround until the fix arrives.~

Never mind, I built another container with the directory pre-created for my testing purposes