Test/fix RBAC for OpenShift4

gluster / gluster-subvol

Subdirectories of Gluster volumes as PVs in Kubernetes and OpenShift

Apache License 2.0

11 stars 6 forks source link

Test/fix RBAC for OpenShift4 #44

Closed JohnStrunk closed 5 years ago

JohnStrunk commented 5 years ago

The current RBAC rules work for kube, but OpenShift will likely be different.

JohnStrunk commented 5 years ago

Problems encountered (SCC related):

spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used
spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999]

Other: release supervole200-d1f9sy8epf2tt4ylw491ktbb6 failed: persistentvolumes "supervole200-d1f9sy8epf2tt4ylw491ktbb6-recycler" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can''t set finalizers on: , <nil>

JohnStrunk commented 5 years ago

Granting cluster-admin to the operator takes care of the "other" error from above, and recycler PVs are properly created.

ClusterRole/gluster-subvol-operator already had * on persistentvolumes. Perhaps it was getting stopped by SCC as well?

Recyclers are now stuck on SCC also:

spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999]

JohnStrunk commented 5 years ago

Now the recyclers won't run because they can't reserve 10Mi ephemeral-storage.

JohnStrunk commented 5 years ago

ephemeral-storage request/limits are disabled in OCP currently: https://github.com/openshift/api/blob/275768afc8f66b79aeb12debf94ffc85255104ad/config/v1/types_feature.go#L76