openshift helm installation requires cluster wide administrative privileges

[scheckley]

Hi,

Not sure if this is actually a bug. I've been attempting to deploy clearml on an on-premise openshift cluster from Helm. The deployment is described here:

• https://www.redhat.com/en/blog/a-guide-to-clearml-on-openshift
• https://www.redhat.com/en/blog/how-install-clearml-enterprise-red-hat-openshift

The deployment requires cluster wide administrative privileges:

From redhat:

You need to change the security context constraints for some users. Currently, you must allow broader permissions to deploy ClearML Enterprise, so allow anyuid and privileged permissions to the following users. ClearML does have a non-root option for security, but due to a bug in Helm at the time of this article, you must allow broader permissions. Here's an example:

$ oc adm policy add-scc-to-user anyuid -z clearml-apiserver
$ oc adm policy add-scc-to-user anyuid -z clearml-enterprise-mongodb
$ oc adm policy add-scc-to-user anyuid -z clearml-enterprise-redis
$ oc adm policy add-scc-to-user anyuid -z default
$ oc adm policy add-scc-to-user privileged -z clearml-elastic

clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "clearml-apiserver"
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "clearml-enterprise-mongodb"
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "clearml-enterprise-redis"
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "default"
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "clearml-elastic"

Does anybody know why clearml requires privileges outside of its namespace, and if it's possible to deploy on openshift without this permissions requirement?

Thanks for any help.

[scheckley]

likewise, attempting to deploy a clear-ml agent from helm wants to access /root/.bashrc.

[ainoam]

@scheckley not a bug: Non-root and non-privileged permissions are supported in the ClearML Enterprise Helm Chart