chaoss / grimoirelab

GrimoireLab: platform for software development analytics and insights
https://chaoss.github.io/grimoirelab/
GNU General Public License v3.0

OpenShift compatibility #710

Open hanygirgis opened 2 days ago

hanygirgis commented 2 days ago

I'm trying to deploy GrimoireLab on OpenShift (using the supplied Kubernetes scripts), but I'm getting security errors.

For example, when trying to deploy the esnode StatefulSet (in file 12-es-sts-deployment.yml), I had to remove the IPC_LOCK and SYS_RESOURCE capabilities and disable privileged mode to get it to run. After that, I get the following error:

```
od esnode-0 in StatefulSet esnode failed error: pods "esnode-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount,
```

Do you have any suggestions on how to get it to run on OpenShift?
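The settings the error above rejects, next to a shape the `restricted-v2` SCC admits, as an added example that is not part of the original post or of the project's manifests. The fragment is constructed: the container name `esnode` and the placement of each field are assumptions, and only the values 1000, `IPC_LOCK`, `SYS_RESOURCE` and the privileged flag come from the post.

```yaml
# Constructed fragment, not the contents of 12-es-sts-deployment.yml.
# Rejected under restricted-v2: the settings named in the post and in the error.
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1000              # "1000 is not an allowed group"
      containers:
        - name: esnode             # assumed container name
          securityContext:
            privileged: true
            runAsUser: 1000        # outside [1001020000, 1001029999]
            capabilities:
              add: ["IPC_LOCK", "SYS_RESOURCE"]
---
# Shape that restricted-v2 admits: no fixed IDs, no added capabilities.
spec:
  template:
    spec:
      securityContext: {}          # fsGroup omitted: assigned from the project's group range
      containers:
        - name: esnode             # assumed container name
          securityContext:         # runAsUser omitted: assigned from the project's UID range
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```

This assumes the image can start under an arbitrary non-root UID; the ranges a project allows are recorded in its namespace annotations `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups`.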

sduenas commented 2 days ago

Hi @hanygirgis. I've never tried OpenShift before. There's an open PR to deploy the platform on Kubernetes with Helm. If it's possible, I recommend using this method (or using it as the baseline) because it's more up to date with the current infra supported by the project.

You can find the PR here: https://github.com/chaoss/grimoirelab/pull/707

hanygirgis commented 2 days ago

All right, thanks. I'll try out the Helm approach in this PR.

sduenas commented 2 days ago

Keep us posted on whether it works or not, so we know about it.

Eroyi commented 1 day ago

My chart hasn't been tested on OpenShift. OpenShift has enhanced its security capabilities; therefore, you may encounter several issues related to securityContext.

Also, I recommend using OpenSearch instead of Elasticsearch. The Kibana that GrimoireLab used strictly requires an outdated elasticsearch-6.8.6.

If you are trying my chart, please remove the appConfig.security map in charts/openshift-node/values.yaml.

sduenas commented 1 day ago

Just for the record, GrimoireLab can be used with OpenSearch. We have a [docker compose](https://github.com/chaoss/grimoirelab/blob/master/docker-compose/docker-compose-opensearch.yml) for that matter. The dashboards for OpenSearch can be imported manually from here.

You can also use Bitergia Analytics, which is built on top of GrimoireLab and uses, by default, OpenSearch dashboard with the security layer.

hanygirgis commented 1 day ago

OK, I'll switch to OpenSearch and give it a shot.