Open abdulmateen-1 opened 3 days ago
@abdulmateen-1 It was mentioned in Slack that OLO version was 1.3.3 while WLO is 1.4.0. Is that correct?
Please share the following configurations that were being used during the testing of the Instant-On application:
Yes that is correct. The WLO version is 1.4.0 and the OLO version is 1.3.3.
Security Context Constraint yaml file
```yaml
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: criu-scc is based on the restricted SCC but removes any restrictions
      that prevent the restore image from running successfully.
  generation: 1
  name: cap-cr-scc
allowHostDirVolumePlugin: true   # permits hostPath volumes (listed under volumes below); the restricted SCCs deny this
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true   # needed because the container sets allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities:          # the two capabilities the checkpoint/restore container requests
- CHECKPOINT_RESTORE
- SETPCAP
fsGroup:
  type: RunAsAny
  # type: MustRunAs
groups:
- system:authenticated           # grants this SCC to every authenticated identity, not only the bound service account
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: RunAsAny                 # the SCC imposes no UID restriction; the pod's own runAsNonRoot still applies
  # type: MustRunAs
  # uid: 1001
seLinuxContext:
  type: RunAsAny
  # type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []                        # populated by oc adm policy add-scc-to-user
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
```
Service Account Configuration details
```yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: instanton-sa
  namespace: nest-daytrader10-instanton
  uid: f17137cb-42db-416b-8e9f-ac300c4f3d26
  resourceVersion: '3035767'
  creationTimestamp: '2024-09-27T16:43:49Z'
  annotations:
    argocd.argoproj.io/sync-wave: '5'
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{"argocd.argoproj.io/sync-wave":"5"},"name":"instanton-sa","namespace":"nest-daytrader10-instanton"}}
    openshift.io/internal-registry-pull-secret-ref: instanton-sa-dockercfg-p2mks
  managedFields:
    - manager: openshift.io/image-registry-pull-secrets_service-account-controller
      operation: Apply
      apiVersion: v1
      time: '2024-09-27T16:43:49Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:imagePullSecrets': {}
        'f:metadata':
          'f:annotations':
            'f:openshift.io/internal-registry-pull-secret-ref': {}
        'f:secrets':
          'k:{"name":"instanton-sa-dockercfg-p2mks"}': {}
    - manager: argocd-controller
      operation: Update
      apiVersion: v1
      time: '2024-09-27T16:55:05Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:argocd.argoproj.io/sync-wave': {}
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: v1
      time: '2024-09-30T16:26:15Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
secrets:
  - name: instanton-sa-dockercfg-p2mks
imagePullSecrets:
  - name: instanton-sa-dockercfg-p2mks
```
```
% oc describe sa instanton-sa
Name:                instanton-sa
Namespace:           nest-daytrader10-instanton
Labels:              <none>
Annotations:         argocd.argoproj.io/sync-wave: 5
                     openshift.io/internal-registry-pull-secret-ref: instanton-sa-dockercfg-p2mks
Image pull secrets:  instanton-sa-dockercfg-p2mks
Mountable secrets:   instanton-sa-dockercfg-p2mks
Tokens:              <none>
Events:              <none>
```
We then add the security context constraint to the service account using this command.
```sh
oc adm policy add-scc-to-user cap-cr-scc -z instanton-sa
```
Security Context Config in WLO Custom Resource.
```
% oc get deployment daytrader10-wlo-instanton -o yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2024-09-30T20:03:55Z"
  generation: 1
  labels:
    app.kubernetes.io/component: backend
    app.kubernetes.io/instance: daytrader10-wlo-instanton
    app.kubernetes.io/managed-by: websphere-liberty-operator
    app.kubernetes.io/name: daytrader10-wlo-instanton
    app.kubernetes.io/part-of: daytrader10-wlo-instanton
    liberty.websphere.ibm.com/name: daytrader10-wlo-instanton
  name: daytrader10-wlo-instanton
  namespace: nest-daytrader10-instanton
  ownerReferences:
  - apiVersion: liberty.websphere.ibm.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: WebSphereLibertyApplication
    name: daytrader10-wlo-instanton
    uid: 4652f36d-91f4-4813-88a2-1cee731f74cc
  resourceVersion: "3166870"
  uid: baf5fedf-6792-4db1-bc36-fd3ad6ec8547
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: daytrader10-wlo-instanton
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        argocd.argoproj.io/sync-wave: "5"
        libertyOperator: WebSphere Liberty
        productChargedContainers: app
        productID: e7daacc46bbe4e2dacd2af49145a4723
        productMetric: PROCESSOR_VALUE_UNIT
        productName: IBM WebSphere Application Server
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: backend
        app.kubernetes.io/instance: daytrader10-wlo-instanton
        app.kubernetes.io/managed-by: websphere-liberty-operator
        app.kubernetes.io/name: daytrader10-wlo-instanton
        app.kubernetes.io/part-of: daytrader10-wlo-instanton
        liberty.websphere.ibm.com/name: daytrader10-wlo-instanton
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/instance: daytrader10-wlo-instanton
              topologyKey: topology.kubernetes.io/zone
            weight: 50
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/instance: daytrader10-wlo-instanton
              topologyKey: kubernetes.io/hostname
            weight: 50
      automountServiceAccountToken: true
      containers:
      - env:
        - name: httpPort
          value: "9080"
        - name: httpsPort
          value: "9443"
        - name: WLP_LOGGING_CONSOLE_FORMAT
          value: simple
        - name: dbHost
          value: app-db2
        - name: dbName
          value: TRADEDB
        - name: dbPort
          value: "50000"
        - name: dbUser
          value: db2inst1
        - name: dbPasswd
          valueFrom:
            secretKeyRef:
              key: dbpw
              name: db-credential
        - name: QueueManager
          value: QM1
        - name: mqHost
          value: app-mq
        - name: mqPasswd
          valueFrom:
            secretKeyRef:
              key: mqpw
              name: mqapp-credential
        - name: TLS_DIR
          value: /etc/x509/certs
        - name: SA_RESOURCE_VERSION
          value: "3166830"
        - name: WLP_LOGGING_CONSOLE_LOGLEVEL
          value: info
        - name: WLP_LOGGING_CONSOLE_SOURCE
          value: message,accessLog,ffdc,audit
        - name: IBM_HEAPDUMPDIR
          value: /serviceability
        - name: IBM_COREDIR
          value: /serviceability
        - name: IBM_JAVACOREDIR
          value: /serviceability
        - name: SEC_IMPORT_K8S_CERTS
          value: "true"
        - name: SERVICE_CERT_SECRET_RESOURCE_VERSION
          value: "3166854"
        image: docker-na-public.artifactory.swg-devops.com/hyc-wassvt-team-image-registry-docker-local/instanton/24.0.0.10/daytrader10:ol-full-java21-s390x
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /health
            port: 9080
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: app
        ports:
        - containerPort: 9443
          name: 9443-tcp
          protocol: TCP
        readinessProbe:
          failureThreshold: 5
          httpGet:
            path: /daytrader
            port: 9080
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "2"
            memory: 2Gi
          requests:
            cpu: 500m
            memory: 1Gi
        securityContext:                 # the settings the SCC admission check evaluates
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - CHECKPOINT_RESTORE
            - SETPCAP
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        startupProbe:
          failureThreshold: 10
          httpGet:
            path: /health
            port: 9080
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/x509/certs
          name: svc-certificate
          readOnly: true
        - mountPath: /serviceability
          name: serviceability
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: daytrader10-wlo-instanton
      serviceAccountName: daytrader10-wlo-instanton   # the service account the pod actually runs as
      terminationGracePeriodSeconds: 30
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: daytrader10-wlo-instanton
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: daytrader10-wlo-instanton
        maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: ScheduleAnyway
      volumes:
      - name: svc-certificate
        secret:
          defaultMode: 420
          secretName: daytrader10-wlo-instanton-svc-tls-ocp
      - name: serviceability
        persistentVolumeClaim:
          claimName: daytrader10-wlo-instanton-serviceability
status:
  conditions:
  - lastTransitionTime: "2024-09-30T20:03:55Z"
    lastUpdateTime: "2024-09-30T20:03:55Z"
    message: Created new replica set "daytrader10-wlo-instanton-545748f787"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-09-30T20:03:55Z"
    lastUpdateTime: "2024-09-30T20:03:55Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-09-30T20:03:55Z"
    lastUpdateTime: "2024-09-30T20:03:55Z"
    message: 'pods "daytrader10-wlo-instanton-545748f787-" is forbidden: unable to
      validate against any security context constraint: [provider "anyuid": Forbidden:
      not usable by user or serviceaccount, provider restricted-v2: .containers[0].capabilities.add:
      Invalid value: "CHECKPOINT_RESTORE": capability may not be added, provider restricted-v2:
      .containers[0].capabilities.add: Invalid value: "SETPCAP": capability may not
      be added, provider restricted-v2: .containers[0].allowPrivilegeEscalation: Invalid
      value: true: Allowing privilege escalation for containers is not allowed, provider
      "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
      Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
      not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden:
      not usable by user or serviceaccount, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/app]:
      Forbidden: seccomp may not be set, provider "machine-api-termination-handler":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
      not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
      usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable
      by user or serviceaccount, provider "privileged": Forbidden: not usable by user
      or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1
```
@abdulmateen-1 Thank you for the resource details. The deployment is using the default service account that WLO created. It's not using the custom service account `instanton-sa`.
Did you configure the service account in WebSphereLibertyApplication using the `.spec.serviceAccount.name` field?
FYI, more details on service account configuration with WLO: https://www.ibm.com/docs/en/was-liberty/base?topic=operator-configuration-examples#cfg-r-commoncomp__cc-serviceacct
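To make the point above checkable offline, here is an added example (not OpenShift or operator code) that models SCC admission for the posted container securityContext under the two service accounts in play: the default one the deployment runs as, and `instanton-sa`, which the `oc adm policy add-scc-to-user` step earlier bound to cap-cr-scc. It assumes the built-in restricted-v2 SCC is granted to all authenticated identities and deliberately models cap-cr-scc as granted only through that user binding (the posted SCC also lists `system:authenticated` under groups, which would grant it to every authenticated identity).

```python
"""Toy model of OpenShift SCC admission for the pod in this issue (added example,
not OpenShift or operator code). Values are constructed from the posted YAML;
cap-cr-scc is modelled as granted only via add-scc-to-user, so the SCC's own
groups entry (system:authenticated) is intentionally left out."""

NAMESPACE = "nest-daytrader10-instanton"

# Container securityContext from the posted deployment.
CONTAINER_SC = {"allowPrivilegeEscalation": True,
                "capabilities": {"add": ["CHECKPOINT_RESTORE", "SETPCAP"], "drop": ["ALL"]}}

# Subset of the built-in restricted-v2 SCC (granted to every authenticated identity).
RESTRICTED_V2 = {"name": "restricted-v2", "allowPrivilegeEscalation": False,
                 "allowedCapabilities": ["NET_BIND_SERVICE"], "defaultAddCapabilities": [],
                 "users": [], "groups": ["system:authenticated"]}

# cap-cr-scc from the posted file, after: oc adm policy add-scc-to-user cap-cr-scc -z instanton-sa
CAP_CR_SCC = {"name": "cap-cr-scc", "allowPrivilegeEscalation": True,
              "allowedCapabilities": None, "defaultAddCapabilities": ["CHECKPOINT_RESTORE", "SETPCAP"],
              "users": [f"system:serviceaccount:{NAMESPACE}:instanton-sa"], "groups": []}

def sa_identity(namespace, name):
    """User name and groups the API server attributes to a service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"}
    return user, groups

def scc_violations(scc, container_sc, user, groups):
    """Reasons this SCC rejects the container; an empty list means it admits."""
    if user not in scc["users"] and not groups.intersection(scc["groups"]):
        return ["Forbidden: not usable by user or serviceaccount"]
    reasons = []
    # Capabilities may be added only if the SCC lists them (or allows "*").
    allowed = set(scc["defaultAddCapabilities"]) | set(scc["allowedCapabilities"] or [])
    for cap in container_sc.get("capabilities", {}).get("add", []):
        if "*" not in allowed and cap not in allowed:
            reasons.append(f'capabilities.add: Invalid value: "{cap}": capability may not be added')
    if container_sc.get("allowPrivilegeEscalation") and not scc["allowPrivilegeEscalation"]:
        reasons.append("allowPrivilegeEscalation: Invalid value: true: not allowed")
    return reasons

def admitting_scc(sccs, container_sc, namespace, sa_name):
    """Name of the first SCC that admits the pod for this service account, or None."""
    user, groups = sa_identity(namespace, sa_name)
    for scc in sccs:
        if not scc_violations(scc, container_sc, user, groups):
            return scc["name"]
    return None
```

Running `admitting_scc([RESTRICTED_V2, CAP_CR_SCC], CONTAINER_SC, NAMESPACE, sa)` returns `None` for the default `daytrader10-wlo-instanton` account and `"cap-cr-scc"` for `instanton-sa`, which is the difference the serviceAccountName line in the posted deployment makes.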
We use the WebSphere Liberty Operator (WLO) to test new releases of Instant-On. While testing Instant-On 24.0.0.10, I encountered an issue where the application pods were not being created.
I was able to deploy the same image successfully using the Open Liberty Operators.