Open himanshu-cockroach opened 9 months ago
Just checking to see if cert-manager was installed prior to the helm chart installation? See https://github.com/cockroachdb/helm-charts#installation-of-helm-chart-with-cert-manager
@harshn08 Yes, everything listed as a prerequisite was installed.
@himanshu-cockroach Which OpenShift version did you start observing this issue from? And has this been observed in any other OpenShift versions than the one tested on?
@harshn08 The last time I tested this was on 4.13. However, I don't think it has much to do with the OpenShift cluster version. One thing I'm almost certain about is that this issue most probably got introduced after this PR went in.
PROBLEM:
Currently, helm chart installation fails with the following values enabled:
With the following values, when we try to create an instance after a successful operator installation, the stateful set is created but no pods are scheduled. When describing the stateful set, we get the following output.
This is an issue because the user defined inside the `securityContext` for the pod templates in the stateful set for the helm chart does not have the required permission for the workloads to be scheduled. We cannot have any SCCs defined in the CSV for the helm chart operator, since the SCC uses the `serviceAccount` name, which can be provided separately by the user in the helm values, and the operator gets created beforehand.
POSSIBLE SOLUTIONS:
As a workaround, we can apply a SecurityContextConstraint. Now, OCP already provides a number of SCCs with defined permissions, but none of them except the `privileged` one works for the service account, which is not recommended as it is the most relaxed SCC and should be used only for cluster administration. (NOT RECOMMENDED)
We can define a custom SCC which will be a part of the templates and will contain only the minimum permissions required to run all the cockroach-related workloads, and apply it conditionally if the installation is being done on an OCP cluster.
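A sketch of what the second option (a chart-owned, conditionally rendered SCC) could look like, added here as an illustration and not taken from the cockroachdb helm chart or its operator. The template renders a `SecurityContextConstraints` object only when the target cluster exposes the OpenShift SCC API or when an assumed `openshift.enabled` value is set, keeps every restriction of the built-in `restricted` SCC except the uid/gid range checks that a fixed `runAsUser`/`fsGroup` trips over, and binds the SCC to the chart's service account through the `users` field so that a user-supplied service account name is picked up at install time. The value names `.Values.openshift.enabled` and `.Values.serviceAccount.name`, the list of allowed volume types, and the assumption that the StatefulSet pods run with a fixed non-root uid and fsGroup and still need a writable root filesystem are mine, not the chart's, and must be matched against the chart's actual `securityContext`.

```yaml
{{- /*
  templates/scc.yaml -- added example, not part of the cockroachdb helm chart.
  Rendered only on OpenShift: either the live cluster advertises the SCC API,
  or the (assumed) value openshift.enabled is set explicitly, which is needed
  for `helm template` runs where .Capabilities.APIVersions is not cluster-fed.
*/ -}}
{{- if or .Values.openshift.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: {{ .Release.Name }}-cockroachdb
  annotations:
    kubernetes.io/description: >-
      Minimal SCC for CockroachDB pods: non-root, no added capabilities,
      no privilege escalation, no host namespaces or host paths.
# Everything the restricted SCC denies stays denied.
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities:
- ALL
# Assumption: cockroach writes outside its PVC mount (e.g. /cockroach/cockroach-certs
# or temp files), so a read-only root filesystem is not forced here.
readOnlyRootFilesystem: false
# Only the uid/gid strategies are relaxed. restricted uses MustRunAsRange /
# MustRunAs with the namespace's allocated range, which rejects an explicit
# runAsUser or fsGroup outside that range (the failure reported in this issue).
runAsUser:
  type: MustRunAsNonRoot   # still refuses uid 0; accepts the chart's fixed uid
fsGroup:
  type: RunAsAny           # assumption: chart sets a fixed fsGroup for the PVC
supplementalGroups:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs          # keep the namespace's MCS label, as restricted does
# Volume types the StatefulSet actually mounts (assumed list); hostPath stays out.
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
# Bind directly to the service account the chart renders. Because this object
# lives in the chart templates, it sees the same (possibly user-supplied) name
# at install time, which a CSV-embedded SCC created beforehand cannot.
users:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount.name }}
{{- end }}
```

Two practical notes. First, no `priority` is set, so admission still tries `restricted` for this service account first and falls through to this SCC only when `restricted` fails validation; after installation, `oc get pod <pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` shows which SCC admitted each pod, and `oc adm policy scc-subject-review -z <serviceaccount> -f <pod-template>.yaml` lets you check a rendered pod spec before creating anything. Second, if the chart must not mutate the SCC's `users` list (for example because the SCC is shared), the equivalent binding is a `Role` granting the `use` verb on this one `securitycontextconstraints` resource plus a `RoleBinding` to the service account, which also keeps the SCC itself cluster-scoped and static.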