RasaHQ / helm-charts

Helm charts for Rasa products
https://rasa.com
Apache License 2.0
31 stars 29 forks

Deployment no longer works with OpenShift #96

Open psav opened 2 years ago

psav commented 2 years ago

Have been testing against OpenShift 4.11 and the pods won't spin up, citing:

create Pod test-postgresql-0 in StatefulSet test-postgresql failed error: pods "test-postgresql-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001300000, 1001309999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

I had tried a values file looking like the following:

applicationSettings:
  initialModel: "https://github.com/RasaHQ/rasa-x-demo/blob/master/models/model.tar.gz?raw=true"
postgresql:
  volumePermissions:
    securityContext:
      runAsUser: "auto"
  securityContext:
    enabled: false
  shmVolume:
    chmod:
      enabled: false
nginx:
  image:
    name: nginxinc/nginx-unprivileged
    port: 8080

Deleted my namespace and re-ran the installation - but the same error persists. Looking in the stateful set, it does appear as though uid 1001 is used for the user, which is not allowed in OpenShift.

BlueCog commented 2 years ago

Specific for postgres I have:

  postgresql:
    containerSecurityContext:
      enabled: false
    securityContext:
      enabled: false

And there is also the global setting securityContext -> securityContext: false you can set. See: https://github.com/RasaHQ/rasa-x-helm/blob/main/charts/rasa-x/values.yaml#L882

kaitlynabdo commented 2 years ago

Running into the same issue. I tried the same thing as @psav (my values file looked the same) and got the same error. I also used this values file from Rasa https://github.com/RasaHQ/helm-charts/blob/main/charts/rasa/values.yaml and changed those nginx and postgresql values. Once I did that, the error says connection refused and failed to connect upstream. Just following the Rasa documentation alone, it doesn’t even start up the PostgreSQL. Creating an anyuid SCC to account for the permission issue since OpenShift doesn’t allow for user value 1001 got a PostgreSQL pod to run but it ultimately failed. It doesn’t seem like the values file doesn’t actually change anything when looking at the yml files in OpenShift clusters.

thoraxe commented 2 years ago

I was with @kaitlynabdo when we were doing the testing mentioned -- the PostgreSQL pod failed with an inability to write to the (default?) data folder. I think the PostgreSQL part of the chart for running on top of OCP is a bit borked.
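To confirm whether a values override actually reached the rendered workload, the following added example (not part of the thread or the chart) scans a StatefulSet's JSON for every `runAsUser` that falls outside the namespace UID range quoted in the SCC error. It assumes the range comes from the namespace's `openshift.io/sa.scc.uid-range` annotation and that the workload was exported with `oc get statefulset test-postgresql -o json`; the function names and the sample manifest are constructed for illustration.

```python
import json

def parse_uid_range(annotation):
    """Turn 'start/size' or 'start-end' into an inclusive (low, high) pair."""
    if "/" in annotation:
        start, size = annotation.split("/", 1)
        return int(start), int(start) + int(size) - 1
    low, high = annotation.split("-", 1)
    return int(low), int(high)

def find_uid_violations(workload, uid_range):
    """List (path, uid) for every runAsUser outside the namespace range."""
    low, high = uid_range
    pod_spec = workload["spec"]["template"]["spec"]
    violations = []

    def check(path, context):
        uid = (context or {}).get("runAsUser")
        if uid is not None and not low <= uid <= high:
            violations.append((path + ".securityContext.runAsUser", uid))

    # Pod-level context first, then each container, using pod-relative
    # paths in the same form as the admission error message.
    check("spec", pod_spec.get("securityContext"))
    for kind in ("initContainers", "containers"):
        for index, container in enumerate(pod_spec.get(kind) or []):
            check(f"spec.{kind}[{index}]", container.get("securityContext"))
    return violations

# Constructed sample: a trimmed StatefulSet shaped like the one in the error.
SAMPLE_STATEFULSET = json.loads("""
{
  "kind": "StatefulSet",
  "metadata": {"name": "test-postgresql"},
  "spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 1001},
    "containers": [
      {"name": "postgresql", "securityContext": {"runAsUser": 1001}}
    ]
  }}}
}
""")
# Constructed annotation value matching the range quoted in the error.
SAMPLE_UID_RANGE = "1001300000/10000"

if __name__ == "__main__":
    uid_range = parse_uid_range(SAMPLE_UID_RANGE)
    for path, uid in find_uid_violations(SAMPLE_STATEFULSET, uid_range):
        print(f"{path}: {uid} is outside the namespace UID range")
```

An empty result after re-rendering with new values means no fixed UID remains; a non-empty one shows exactly which security context the override did not reach.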