helm / monocular

⚠️(OBSOLETE) Search and discovery UI for Helm Chart repositories
Apache License 2.0

mongodb fail - unable to validate against any security context constraint #567

Open medined opened 5 years ago

medined commented 5 years ago

I am trying to install monocular into v3.11 OpenShift. After running the helm install, I am seeing the following message for the monocular-mongodb deployment. Of course, other deployments are failing because Mongo is not available.

Error creating: pods "monocular-mongodb-95cfc657f-" is forbidden: unable to validate 
against any security context constraint: [fsGroup: Invalid value: []int64{1001}: 1001 
is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: 
Invalid value: 1001: must be in the ranges: [1000480000, 1000489999]]
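The error above is OpenShift's admission controller rejecting the pod because the chart hard-codes runAsUser and fsGroup 1001, while the default restricted SCC (MustRunAsRange) only allows ids from the per-project ranges stored in the project annotations openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups, written as start/size (1000480000/10000 yields exactly the [1000480000, 1000489999] range in the message). The following is an added example, not code from the Monocular issue or project, that reproduces that range check offline; the function names, the constructed annotation values and the assumption that both ranges are identical are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the Monocular issue or project): check whether the
# runAsUser / fsGroup a chart hard-codes fall inside the UID and group ranges an
# OpenShift project allows under the default "restricted" SCC (MustRunAsRange).
# The ranges come from the project's annotations
#   openshift.io/sa.scc.uid-range            e.g. 1000480000/10000
#   openshift.io/sa.scc.supplemental-groups  e.g. 1000480000/10000
# Format is "<start>/<size>", so the allowed set is [start, start+size-1].
# On a real cluster you would read the annotation with
#   oc get project office -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
set -eu

# range_contains RANGE VALUE -> exit 0 if VALUE lies within "<start>/<size>"
range_contains() {
  local range="$1" value="$2"
  local start="${range%/*}" size="${range#*/}"
  local end=$(( start + size - 1 ))
  [ "$value" -ge "$start" ] && [ "$value" -le "$end" ]
}

# range_end RANGE -> prints the last allowed id (the upper bound the SCC error reports)
range_end() {
  local range="$1"
  echo $(( ${range%/*} + ${range#*/} - 1 ))
}

# check_pod UID_RANGE GROUP_RANGE RUN_AS_USER FS_GROUP
# Prints "ok", or a complaint of the same shape the admission controller raises.
check_pod() {
  local uid_range="$1" group_range="$2" run_as_user="$3" fs_group="$4"
  local problems=""
  if ! range_contains "$uid_range" "$run_as_user"; then
    problems="${problems}runAsUser ${run_as_user} not in [${uid_range%/*}, $(range_end "$uid_range")]; "
  fi
  if ! range_contains "$group_range" "$fs_group"; then
    problems="${problems}fsGroup ${fs_group} not in [${group_range%/*}, $(range_end "$group_range")]; "
  fi
  if [ -z "$problems" ]; then echo ok; else echo "${problems%; }"; fi
}

# Constructed sample values (assumption): the project range implied by the error in
# this issue, the 1001 the chart hard-codes, and a pair of ids inside the range.
UID_RANGE="1000480000/10000"
GROUP_RANGE="1000480000/10000"

check_pod "$UID_RANGE" "$GROUP_RANGE" 1001 1001
check_pod "$UID_RANGE" "$GROUP_RANGE" 1000480000 1000480000
```

Disabling the chart's securityContext (as suggested in the next comment) lets the SCC assign an id from the project range instead; granting the anyuid SCC to the service account, as the later install steps do, removes the range check for every pod that service account runs and is the broader of the two fixes.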
prydonius commented 5 years ago

@medined can you try setting mongodb.securityContext.enabled=false when installing Monocular?

medined commented 5 years ago

Are you suggesting the following sequence of steps after SSHing into the master node? Especially the set parameter of the helm command? I think I might be handling the adm policy wrong. The information seems conflicting. I'll run these commands tonight on a fresh OKD cluster.

First SSH into the master node. Then:

oc login -u system:admin

export TILLER_NAMESPACE=tiller
oc new-project tiller
# grant the anyuid SCC to the default service account of the current (tiller) project
oc adm policy add-scc-to-user anyuid -z default

curl -s https://storage.googleapis.com/kubernetes-helm/helm-v2.9.0-linux-amd64.tar.gz | tar xz
cd linux-amd64

./helm init --client-only
./helm repo add monocular https://helm.github.io/monocular

oc new-project office
./helm install \
  --set mongodb.securityContext.enabled=false \
  --name monocular \
  --namespace office \
  monocular/monocular

oc expose svc monocular-monocular-api
oc expose svc monocular-monocular-ui
prydonius commented 5 years ago

@medined that looks good to me. Note you will need to access the Monocular UI and chartsvc service on the same host/IP using an Ingress resource for this to also work correctly: https://github.com/helm/monocular/blob/c9161bc61fa2cb320b89753aa0d72b359eb5b88c/chart/monocular/templates/ingress.yaml

medined commented 5 years ago

I don't yet understand your comment about using an Ingress service. I am still researching. However, I think I have made a bit of progress since I can reach the monocular UI but the middle part of the page just has the spinning circle icon. Does that mean the app is waiting for a response from a service?

My installation steps have changed so let me restate them. After SSHing to the master node:

curl -s https://storage.googleapis.com/kubernetes-helm/helm-v2.9.0-linux-amd64.tar.gz | tar xz
cd linux-amd64

export TILLER_NAMESPACE=tiller
oc login -u admin
oc new-project tiller

oc create serviceaccount tiller

# The role binding command needs to be run as the system administrator.
# It makes the tiller service account cluster-admin across the whole cluster.
oc login -u system:admin
oc create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=tiller:tiller
oc login -u admin

./helm init  --service-account tiller

./helm repo add monocular https://helm.github.io/monocular
./helm repo update

./helm install stable/nginx-ingress --version 0.31.0

./helm install \
  --set mongodb.securityContext.enabled=false \
  --name monocular \
  monocular/monocular

oc expose svc monocular-monocular-ui

# display the monocular Host
oc get route --output=json | jq -r '.items[0].spec.host'
prydonius commented 5 years ago

> the middle part of the page just has the spinning circle icon. Does that mean the app is waiting for a response from a service?

Yes, this is expected if you access the UI directly. The problem is that the frontend is configured to talk to the API at /api, but when you just use the UI service the API service won't be exposed there. This is why you need the Ingress resource and a compatible ingress controller (more info about Ingress here: https://kubernetes.io/docs/concepts/services-networking/ingress/). Unfortunately this is a requirement to get Monocular working.