search

grafana / helm-charts

Apache License 2.0
1.67k stars 2.28k forks source link

Does not deploy on openshift/OKD #261

Open webrod opened 3 years ago

webrod commented 3 years ago

I'm running this command to deploy, specifying securityContext as openshift requires number within a range: helm install grafana grafana/grafana -n grafana --set persistence.storageClassName="thin" --set persistence.enabled=true --set adminPassword='mypassord' --values ${HOME}/environment/grafana/grafana.yaml **--set securityContext.runAsUser=1000640000,securityContext.runAsGroup=1000640000,securityContext.fsGroup=1000640000**

however, pods do not start with this error linked to the initContainer:

message: 'pods "grafana-75bb78bd6b-" is forbidden: unable to validate against
      any security context constraint: [spec.initContainers[0].securityContext.runAsUser:
      Invalid value: 0: must be in the ranges: [1000640000, 1000649999]]'

It is hardcoded in the template, I think it is here:

https://github.com/grafana/helm-charts/blob/main/charts/grafana/templates/_pod.tpl
 securityContext:
      runAsNonRoot: false
      runAsUser: 0
    command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/grafana"]

So I cannot override this right? any reason why this is hardcoded?

ngalanis819 commented 3 years ago

Further to the above, the podsecurity policy is wrong as well. 

runAsUser:
  rule: 'MustRunAsNonRoot'

Even if the runAsNonRoot: false is removed from the securityContext the pod security policy requires a change.

etiennetremel commented 3 years ago

Experiencing the same with Prometheus operator which use this Grafana chart:

  Warning  FailedCreate  17s (x14 over 58s)  replicaset-controller  Error creating: pods "prometheus-operator-grafana-5fbd55cc4f-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.initContainers[0].securityContext.runAsNonRoot: Invalid value: false: must be true]

Our temporary solution for now was to disable the container:

initChownData:
  enabled: false
antoniocascais commented 3 years ago

We just upgraded grafana chart from v6.4.5 to v6.8.2 and we are having the same problem:

    message: 'pods "grafana-5dc85d447d-" is forbidden: PodSecurityPolicy: unable to
      admit pod: [spec.initContainers[0].securityContext.runAsNonRoot: Invalid value:
      false: must be true spec.volumes[1]: Invalid value: "persistentVolumeClaim":
      persistentVolumeClaim volumes are not allowed to be used spec.initContainers[0].securityContext.runAsUser:
      Invalid value: 0: must be in the ranges: [{1000 65535}]]'

We tried @etiennetremel 's suggestion of disabling initChownData and that indeed fixed the deployment, however this is not the ideal scenario.

Can someone else have a look at this issue, please?

edit: @webrod can you change the issue name to be more clear? Maybe add [Grafana] as a tag and then something saying "PSP seems to be wrong" or whatever?