argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

argocd-redis does not start after installation on Openshift 4.9 #8731

Open izderadicka opened 2 years ago

izderadicka commented 2 years ago

Describe the bug

After install of ArgoCD (as per getting started), argocd-redis pod was not started due to SCC error - see below.

I've found that problem was missing Role (Service Account was there, RoleMapping too, but Role itself was missing), after manually adding this role to argocd namespace, problem was fixed:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: argocd-redis
  namespace: argocd
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
rules:
  - verbs:
      - use
    apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - nonroot

To Reproduce

Expected behavior

argocd-redis should run after install

Version

Paste the output from `argocd version` here.

I'm not running CLI tool yet, but here is output from UI:

Argo CD
v2.3.0+fe42780
Build Date
2022-03-06T06:27:40Z
Go Version
go1.17.6
Go Compiler
gc
Platform
linux/amd64
ksonnet
v0.13.1
jsonnet
v0.18.0
kustomize
v4.4.1 2021-11-11T23:36:27Z
Helm
v3.8.0+gd141386
kubectl
v0.23.1

Logs

Error creating: pods "argocd-redis-85d7dc7667-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000650000, 1000659999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
patjones commented 2 years ago

Hey izderadicka, I'm seeing similar issues with argo on openshift any updates on this?

izderadicka commented 2 years ago

Easiest solution on Openshift is to use their version of Argo - called Openshift DevOps Operator, which works out of box.

I.


ericb-summit commented 2 years ago

That's not really a fix though.

ericb-summit commented 2 years ago

This is what's missing (of course names + namespaces will vary for each install)

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
  name: argo-cd-redis
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot
  resources:
  - securitycontextconstraints
  verbs:
  - use
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
  name: argo-cd-redis
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # must match the Role name above, otherwise the binding points at nothing
  name: argo-cd-redis
subjects:
- kind: ServiceAccount
  # the service account the redis pod runs as; name varies per install
  name: argo-cd-redis
...
ericb-summit commented 2 years ago

And here is the original PR commit that fixed argo-cd on openshift: https://github.com/argoproj/argo-cd/pull/4660