gislab-augsburg / helm-charts

it@M Helm Charts
https://artifacthub.io/packages/search?repo=it-at-m
MIT License

elasticsearch pods unable to validate ... #4

Closed gislab-augsburg closed 4 months ago

gislab-augsburg commented 4 months ago

From the statefulsets:

statefulset/dave-elasticsearch-coordinating
statefulset/dave-elasticsearch-data
statefulset/dave-elasticsearch-ingest

no pods are created, because unable to validate against any security context constraint:

```
create Pod dave-elasticsearch-coordinating-0 in StatefulSet dave-elasticsearch-coordinating failed error: pods "dave-elasticsearch-coordinating-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
```
```
mb@nbo00370518:~$ oc get events
LAST SEEN   TYPE   REASON   OBJECT   MESSAGE
3m34s   Normal   FailedBinding   persistentvolumeclaim/data-dave-elasticsearch-data-0   no persistent volumes available for this claim and no storage class is set
76s   Normal   Scheduled   pod/dave-backend-587994688c-7bglc   Successfully assigned dave-external/dave-backend-587994688c-7bglc to capk-wzlvw-worker-holyplace-a20-v2-ffhjk
74s   Normal   AddedInterface   pod/dave-backend-587994688c-7bglc   Add eth0 [10.138.36.108/23] from openshift-sdn
74s   Normal   Pulled   pod/dave-backend-587994688c-7bglc   Container image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" already present on machine
74s   Normal   Created   pod/dave-backend-587994688c-7bglc   Created container dave
73s   Normal   Started   pod/dave-backend-587994688c-7bglc   Started container dave
6m29s   Normal   Scheduled   pod/dave-backend-587994688c-g7p8g   Successfully assigned dave-external/dave-backend-587994688c-g7p8g to capk-wzlvw-worker-stargate-a20-v2-jxwjl
6m28s   Normal   AddedInterface   pod/dave-backend-587994688c-g7p8g   Add eth0 [10.138.56.45/23] from openshift-sdn
107s   Normal   Pulled   pod/dave-backend-587994688c-g7p8g   Container image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" already present on machine
106s   Normal   Created   pod/dave-backend-587994688c-g7p8g   Created container dave
106s   Normal   Started   pod/dave-backend-587994688c-g7p8g   Started container dave
119s   Warning   BackOff   pod/dave-backend-587994688c-g7p8g   Back-off restarting failed container dave in pod dave-backend-587994688c-g7p8g_dave-external(1aa7ed04-a039-400c-bc3c-b1110e45d2d0)
95s   Normal   Killing   pod/dave-backend-587994688c-g7p8g   Stopping container dave
6m30s   Normal   SuccessfulCreate   replicaset/dave-backend-587994688c   Created pod: dave-backend-587994688c-g7p8g
76s   Normal   SuccessfulCreate   replicaset/dave-backend-587994688c   Created pod: dave-backend-587994688c-7bglc
39m   Normal   Scheduled   pod/dave-backend-6458b8bdbf-f8dvc   Successfully assigned dave-external/dave-backend-6458b8bdbf-f8dvc to capk-wzlvw-worker-holyplace-a20-v2-hs9jq
39m   Normal   AddedInterface   pod/dave-backend-6458b8bdbf-f8dvc   Add eth0 [10.138.33.61/23] from openshift-sdn
39m   Normal   Pulling   pod/dave-backend-6458b8bdbf-f8dvc   Pulling image "ghcr.io/gislab-augsburg/dave-backend:main-ls1"
39m   Normal   Pulled   pod/dave-backend-6458b8bdbf-f8dvc   Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 9.304794939s (9.304810705s including waiting)
29m   Normal   Created   pod/dave-backend-6458b8bdbf-f8dvc   Created container dave
29m   Normal   Started   pod/dave-backend-6458b8bdbf-f8dvc   Started container dave
29m   Normal   Pulled   pod/dave-backend-6458b8bdbf-f8dvc   Container image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" already present on machine
19m   Warning   BackOff   pod/dave-backend-6458b8bdbf-f8dvc   Back-off restarting failed container dave in pod dave-backend-6458b8bdbf-f8dvc_dave-external(896ddce1-0fc2-42b7-ae95-631b1f24d43b)
39m   Normal   SuccessfulCreate   replicaset/dave-backend-6458b8bdbf   Created pod: dave-backend-6458b8bdbf-f8dvc
14m   Normal   Scheduled   pod/dave-backend-68d677d589-hlvsw   Successfully assigned dave-external/dave-backend-68d677d589-hlvsw to capk-wzlvw-worker-stargate-a20-v2-jxwjl
14m   Normal   AddedInterface   pod/dave-backend-68d677d589-hlvsw   Add eth0 [10.138.56.40/23] from openshift-sdn
14m   Normal   Pulling   pod/dave-backend-68d677d589-hlvsw   Pulling image "ghcr.io/gislab-augsburg/dave-backend:main-ls1"
14m   Normal   Pulled   pod/dave-backend-68d677d589-hlvsw   Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 10.309567567s (10.30957827s including waiting)
9m40s   Normal   Created   pod/dave-backend-68d677d589-hlvsw   Created container dave
9m40s   Normal   Started   pod/dave-backend-68d677d589-hlvsw   Started container dave
9m41s   Normal   Pulled   pod/dave-backend-68d677d589-hlvsw   Container image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" already present on machine
6m52s   Warning   BackOff   pod/dave-backend-68d677d589-hlvsw   Back-off restarting failed container dave in pod dave-backend-68d677d589-hlvsw_dave-external(87e23d69-53c6-4847-b3e1-8be7ca3c172e)
14m   Normal   SuccessfulCreate   replicaset/dave-backend-68d677d589   Created pod: dave-backend-68d677d589-hlvsw
39m   Normal   ScalingReplicaSet   deployment/dave-backend   Scaled up replica set dave-backend-6458b8bdbf to 1
14m   Normal   ScalingReplicaSet   deployment/dave-backend   Scaled up replica set dave-backend-68d677d589 to 1
6m30s   Normal   ScalingReplicaSet   deployment/dave-backend   Scaled up replica set dave-backend-587994688c to 1
77s   Normal   ScalingReplicaSet   deployment/dave-backend   Scaled up replica set dave-backend-587994688c to 1
4m5s   Warning   FailedCreate   statefulset/dave-elasticsearch-coordinating   create Pod dave-elasticsearch-coordinating-0 in StatefulSet dave-elasticsearch-coordinating failed error: pods "dave-elasticsearch-coordinating-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
4m5s   Warning   FailedCreate   statefulset/dave-elasticsearch-data   create Pod dave-elasticsearch-data-0 in StatefulSet dave-elasticsearch-data failed error: pods "dave-elasticsearch-data-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
4m5s   Warning   FailedCreate   statefulset/dave-elasticsearch-ingest   create Pod dave-elasticsearch-ingest-0 in StatefulSet dave-elasticsearch-ingest failed error: pods "dave-elasticsearch-ingest-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
```

The pods dave-elasticsearch-master-0 and dave-elasticsearch-1 are created from the statefulset dave-elasticsearch-master:


```
mb@nbo00370518:~$ oc get pods
NAME                            READY   STATUS    RESTARTS        AGE
dave-backend-679bf548b9-dftwt   1/1     Running   5 (2m39s ago)   15m
dave-elasticsearch-master-0     1/1     Running   0               144m
dave-elasticsearch-master-1     1/1     Running   0               144m
mb@nbo00370518:~$ oc get statefulset
NAME                              READY   AGE
dave-elasticsearch-coordinating   0/2     145m
dave-elasticsearch-data           0/2     145m
dave-elasticsearch-ingest         0/2     145m
dave-elasticsearch-master         2/2     145m
```

@klml Do we need the others?
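
The rejection message quoted above mixes two kinds of entries: SCCs the service account may not use at all, and SCCs that were evaluated but rejected specific pod fields. As an added example (not part of the original issue or of the chart), this Python parser separates the two and extracts the requested UID against the allowed range; `SAMPLE` is a shortened, constructed excerpt of that message and the function names are hypothetical.

```python
import re

# Constructed sample: shortened excerpt of the rejection message quoted in the issue.
SAMPLE = (
    'pods "dave-elasticsearch-coordinating-0" is forbidden: unable to validate against '
    'any security context constraint: [provider "anyuid": Forbidden: not usable by user '
    'or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid '
    'value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: '
    '.containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, '
    '1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid '
    'value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.'
    'alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider '
    '"privileged": Forbidden: not usable by user or serviceaccount]'
)
NOT_GRANTED = "Forbidden: not usable by user or serviceaccount"
ENTRY = re.compile(r'^provider "?(?P<scc>[^":]+)"?: (?P<detail>.*)$')

def parse_scc_rejection(msg):
    """Split an SCC rejection into (SCCs not granted, {scc: [(field, reason), ...]})."""
    msg = " ".join(msg.split())  # undo line wraps from copy/paste
    body = re.search(r"security context constraint: \[(.*)\]$", msg)
    if not body:
        raise ValueError("not an SCC rejection message")
    not_granted, violations = [], {}
    # Entries are comma-separated, but commas also occur inside UID ranges,
    # so split only where a new "provider ..." or "pod.metadata..." entry starts.
    for entry in re.split(r", (?=provider |pod\.metadata)", body.group(1)):
        m = ENTRY.match(entry)
        scc, detail = (m["scc"], m["detail"]) if m else ("(no provider)", entry)
        if detail == NOT_GRANTED:
            not_granted.append(scc)  # the requesting account has no access to this SCC
        else:
            field, _, reason = detail.partition(": ")
            violations.setdefault(scc, []).append((field, reason))
    return not_granted, violations

def requested_vs_allowed_uid(violations, scc):
    """Return (requested runAsUser, (range_min, range_max)) for one evaluated SCC, or None."""
    for field, reason in violations.get(scc, []):
        m = re.search(r"Invalid value: (\d+): must be in the ranges: \[(\d+), (\d+)\]", reason)
        if field.endswith("runAsUser") and m:
            return int(m[1]), (int(m[2]), int(m[3]))
    return None

if __name__ == "__main__":
    denied, failed = parse_scc_rejection(SAMPLE)
    print("not granted:", denied)
    print(requested_vs_allowed_uid(failed, "restricted-v2"))
```

Entries under an evaluated SCC name the pod fields that SCC rejected; the "not usable" entries only show that those SCCs were never candidates for this service account.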

klml commented 4 months ago

> Do we need the others?

@gislab-augsburg that is about how you spawn elastic, but e.g. with zammad the defaults are also set to single node, so run it that way for now.

Whether we then need to run multinode is something we would have to clarify later.

gislab-augsburg commented 4 months ago

OK, so like this?

3191e4778a23fc5843b50acf3274d20871103b5e

For dave, do I also need

```
elasticsearch:
  clusterName: 
```

and

```
  master:
    heapSize: 512m
    masterOnly: false
```

?

klml commented 4 months ago

@gislab-augsburg you'll have to try it out ;)

gislab-augsburg commented 4 months ago

Works like this for now, we now only have the pod dave-elasticsearch-master-0

gislab-augsburg commented 4 months ago

Running for now