F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

F5 BIG-IP Controller Operator and OpenShift SCC #3508

Open dronenb opened 1 month ago

dronenb commented 1 month ago

Setup Details

CIS Operator f5-bigip-ctlr-operator.v1.17.0

Description

When deploying an F5 CIS controller into OpenShift using the F5 Container Ingress Services Operator (v1.17.0 from the OpenShift marketplace), the following error appears in the deployment:

F5BigIpCtlr object:

apiVersion: cis.f5.com/v1
kind: F5BigIpCtlr
metadata:
  name: f5bigipctlr-01
  namespace: bigip-ctrl-ns
spec:
  podSecurityContext:
    seccompProfile:
      type: RuntimeDefault
  args:
    log_as3_response: true
    bigip_partition: "patchme" # Redacted for privacy reasons
    bigip_url: "patchme"       # Redacted for privacy reasons
    manage-routes: false
    agent: as3
    log-level: INFO
    insecure: true
    pool-member-type: nodeport
    node-label-selector: node-role.kubernetes.io/worker
    custom-resource-mode: true
    ipam: true
    manage-configmaps: false
    manage-ingress: false
    use-secrets: false
    disable-teems: true
  bigip_login_secret: f5-bigip-ctlr-login
  image:
    pullPolicy: Always
    repo: cntr-ingress-svcs
    user: registry.connect.redhat.com/f5networks
  namespace: bigip-ctrl-ns
  rbac:
    create: true
  resources: {}
  serviceAccount:
    create: true
  ingressClass:
    create: false
    defaultController: false
  version: 2.17.1-ubi9@sha256:a2b0c41f9cf0cc29c49974314f58aa3d8ad7988f0218845a02765f1f3fe9ca1d

Resulting deployment status:

kubectl get deploy/f5bigipctlr-01-f5-bigip-ctlr -oyaml | yq '.status'
conditions:
  - lastTransitionTime: "2024-08-05T21:17:25Z"
    lastUpdateTime: "2024-08-05T21:17:25Z"
    message: Created new replica set "f5bigipctlr-01-f5-bigip-ctlr-779b798f79"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-08-05T21:17:25Z"
    lastUpdateTime: "2024-08-05T21:17:25Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-08-05T21:17:25Z"
    lastUpdateTime: "2024-08-05T21:17:25Z"
    message: 'pods "f5bigipctlr-01-f5-bigip-ctlr-779b798f79-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "cert-manager-csi-driver-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1000810000, 1000819999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
observedGeneration: 1
unavailableReplicas: 1

This is due to OpenShift's default restricted-v2 SCC.

Expected Result

There is no reason this particular deployment needs to have a fixed UID or GID. It will run fine with OpenShift's default random UID and GID 0.

Actual Result

Helm template has fixed UID/GID, thus it forces the deployment to have fixed UID/GID and causes deployment to not progress: https://github.com/F5Networks/k8s-bigip-ctlr/blob/c200ed8da28b0fb45edbbfbd6209732262696fa6/helm-charts/f5-bigip-ctlr/templates/f5-bigip-ctlr-deploy.yaml#L47-L64

Observations (if any)

The Helm template should be updated to not hardcode the UID so that OpenShift users can run the deployment using the default restricted-v2 SCC.

trinaths commented 1 month ago

runAsGroup and fsGroup are configurable options in values.yaml. Suggest configuring the params with proper values and retrying. @dronenb

dronenb commented 1 month ago

@trinaths that's what I'm saying: when running in OpenShift, they should not be set explicitly, since it will automatically inject these - https://www.redhat.com/en/blog/a-guide-to-openshift-and-uids

There is no way to unset these in the helm chart; as such, I submitted this issue. Setting it explicitly to a high UID will work as a workaround, but it is not the right solution:

  securityContext:
    runAsUser: 1000810000
    fsGroup: 1000810000
    runAsGroup: 1000810000

Considering this operator is officially supported on OpenShift, I believe this is an issue that needs to be rectified. I would appreciate it if you re-opened this issue.
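The range check behind the `restricted-v2` error quoted in the issue, and why the high-UID workaround passes while the chart's fixed UID/GID does not, as an added example. This is not code from the k8s-bigip-ctlr chart or from OpenShift; it re-implements only the two checks the error names (runAsUser under MustRunAsRange, fsGroup under MustRunAs). The namespace annotations are constructed to reproduce the range in the error message, and the split of fsGroup 1000 / runAsUser 1000 between pod and container level is an assumption, since the chart template itself is not shown on the page.

```python
"""Re-implementation of the UID/GID range check behind the SCC error quoted above.

Added example; not code from k8s-bigip-ctlr or from OpenShift. restricted-v2
takes the allowed runAsUser range from the namespace annotation
openshift.io/sa.scc.uid-range and the allowed fsGroup range from
openshift.io/sa.scc.supplemental-groups. The values below are constructed to
match "must be in the ranges: [1000810000, 1000819999]" from the error; on a
real cluster they come from `oc get ns <namespace> -o yaml`.
"""

# Constructed namespace annotations. Format: "<start>/<size>" or "<lo>-<hi>".
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000810000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000810000/10000",
}

# Assumption: the chart pins UID 1000 / GID 1000 as the error message says;
# the pod-level / container-level placement is illustrative, not the chart's.
CHART_DEFAULTS = {"pod": {"fsGroup": 1000}, "container": {"runAsUser": 1000}}
# The workaround posted in the thread: pick values inside the namespace range.
WORKAROUND = {
    "pod": {"runAsUser": 1000810000, "fsGroup": 1000810000, "runAsGroup": 1000810000},
    "container": {},
}
# What the issue asks for: leave the identity fields unset and let the SCC inject them.
UNPINNED = {"pod": {"seccompProfile": {"type": "RuntimeDefault"}}, "container": {}}


def parse_range(spec: str) -> tuple[int, int]:
    """Parse an OpenShift range annotation into an inclusive (lo, hi) pair.

    "1000810000/10000"      -> (1000810000, 1000819999)
    "1000810000-1000819999" -> (1000810000, 1000819999)
    """
    if "/" in spec:
        start, size = (int(x) for x in spec.split("/", 1))
        return start, start + size - 1
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def validate_restricted_v2(pod_sc: dict, container_sc: dict, annotations: dict) -> list[str]:
    """Return restricted-v2 violations for runAsUser and fsGroup.

    An empty list means these two checks pass. Only the fields named in the
    error are modelled; the real SCC also checks capabilities, seccomp, volumes.
    """
    uid_lo, uid_hi = parse_range(annotations["openshift.io/sa.scc.uid-range"])
    gid_lo, gid_hi = parse_range(annotations["openshift.io/sa.scc.supplemental-groups"])
    problems = []

    # A container-level runAsUser overrides the pod-level one, as in Kubernetes.
    uid = container_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is not None and not uid_lo <= uid <= uid_hi:
        problems.append(
            f"runAsUser: Invalid value: {uid}: must be in the ranges: [{uid_lo}, {uid_hi}]"
        )

    # fsGroup is pod-level only.
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not gid_lo <= fs_group <= gid_hi:
        problems.append(f"fsGroup: Invalid value: {fs_group}: {fs_group} is not an allowed group")

    return problems


def inject_defaults(pod_sc: dict, annotations: dict) -> dict:
    """Model what admission does when the fields are left unset: MustRunAsRange
    and MustRunAs fill in the first value of the namespace range. Returns a new
    pod securityContext; values the manifest already sets are kept as-is."""
    uid_lo, _ = parse_range(annotations["openshift.io/sa.scc.uid-range"])
    gid_lo, _ = parse_range(annotations["openshift.io/sa.scc.supplemental-groups"])
    out = dict(pod_sc)
    out.setdefault("runAsUser", uid_lo)
    out.setdefault("fsGroup", gid_lo)
    return out


if __name__ == "__main__":
    cases = (("chart defaults", CHART_DEFAULTS), ("workaround", WORKAROUND), ("unpinned", UNPINNED))
    for name, sc in cases:
        errs = validate_restricted_v2(sc["pod"], sc["container"], NAMESPACE_ANNOTATIONS)
        print(f"{name}: {'admitted' if not errs else 'rejected'}")
        for e in errs:
            print("   ", e)
    print("injected for unpinned:", inject_defaults(UNPINNED["pod"], NAMESPACE_ANNOTATIONS))
```

The point the model makes is that the workaround is per-cluster, per-namespace: 1000810000 is only valid because this namespace happened to be allocated that range, so a chart that pins any UID/GID breaks on the next namespace or cluster, while a chart that omits the fields (or emits them only when the user sets them) is admitted everywhere and gets the range-based identity injected. On a real cluster the annotations can be read with `oc get ns bigip-ctrl-ns -o yaml` and compared against whatever the rendered Deployment sets.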

trinaths commented 3 weeks ago

Reopening this issue for further review.

trinaths commented 3 weeks ago

Created [CONTCNTR-4845] for internal tracking.