idealista / prom2teams

prom2teams is an HTTP server built with Python that receives alert notifications from a previously configured Prometheus Alertmanager instance and forwards them to Microsoft Teams using defined connectors
Apache License 2.0

[SUPPORT] Openshift - 101 is not an allowed group #317

Closed abdennour closed 1 year ago

abdennour commented 1 year ago

Description

The provided helm chart cannot be installed successfully on OCP 4.x.

Additional Information

It's saying:

k get events

Error creating: pods "prom2teams-xxxxxx-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{101}: 101 is not an allowed group, spec.containers[0].securityContext.runAsUser: Invalid value: 101: must be in the ranges: [10004xxx00, 10004xxx99], provider "restricted"
felicianmv commented 1 year ago

OpenShift is using a very restrictive default security context; the solution I'm using is to create a dedicated service account, assign a different SCC to it and modify the deployment template to use this service account. You can read more about security context on OpenShift here: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids

To create the service account and assign the SCC to it (make sure you are in the project where you want to deploy the chart):

[helm]$ oc create sa prom2teams
serviceaccount/prom2teams created

[helm]$ oc adm policy add-scc-to-user anyuid -z prom2teams
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "prom2teams"

Modify the deployment template (helm/templates/deployment.yaml) and add the serviceAccountName attribute:

...
      securityContext:
        runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
        runAsUser: {{ .Values.securityContext.runAsUser }}
        runAsGroup: {{ .Values.securityContext.runAsGroup }}
        fsGroup: {{ .Values.securityContext.fsGroup }}
    {{- end }}
      serviceAccountName: prom2teams

The last step is to install the chart:

[helm]$ helm upgrade --install prom2teams --namespace aiot-test /path/to/helm --set prom2teams.connector='https://teams/webhook' --set prom2teams.loglevel=DEBUG --set image.tag=latest

Don't forget to expose the service via a route if you want to access the app from outside the cluster.

PROM2TEAMS team: maybe you can update the helm chart to allow service account customization.
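
An added example, not code from this thread or from the prom2teams chart, showing the lower-privilege alternative to the anyuid grant above: keep the pod under the default restricted-v2 SCC by taking runAsUser/runAsGroup/fsGroup from the project's own UID and supplemental-group allocation, which OpenShift publishes as namespace annotations. The annotation values are constructed to match the range quoted in the error, the project name aiot-test is assumed from the helm command above, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the issue or the prom2teams chart). OpenShift records a
# project's allocation in namespace annotations, e.g.
#   openshift.io/sa.scc.uid-range:           1000400000/10000   (start/length)
#   openshift.io/sa.scc.supplemental-groups: 1000400000/10000
# A block may also be written start-end; several blocks are comma separated.

# in_range <id> <ranges>: succeed if <id> lies inside any block of <ranges>
in_range() {
  id=$1
  for block in $(printf '%s' "$2" | tr ',' ' '); do
    case $block in
      */*) start=${block%/*}; end=$((start + ${block#*/} - 1)) ;;
      *-*) start=${block%-*}; end=${block#*-} ;;
      *)   start=$block;      end=$block ;;
    esac
    [ "$id" -ge "$start" ] && [ "$id" -le "$end" ] && return 0
  done
  return 1
}

# first_id <ranges>: lowest id of the first block, i.e. the value restricted-v2
# itself would assign when the pod spec leaves runAsUser / fsGroup unset
first_id() {
  block=${1%%,*}
  case $block in
    */*) printf '%s\n' "${block%/*}" ;;
    *-*) printf '%s\n' "${block%-*}" ;;
    *)   printf '%s\n' "$block" ;;
  esac
}

# helm_set_args <uid-range> <supplemental-groups>: --set flags for the
# securityContext values that the chart's deployment.yaml reads
helm_set_args() {
  uid=$(first_id "$1")
  gid=$(first_id "$2")
  printf '%s\n' "--set securityContext.runAsUser=$uid --set securityContext.runAsGroup=$gid --set securityContext.fsGroup=$gid"
}

# Constructed annotation values matching the range quoted in the issue's error.
PROJECT_UIDS='1000400000/10000'
PROJECT_GIDS='1000400000/10000'
# Live use (project name assumed): read the real annotations instead, e.g.
# PROJECT_UIDS=$(oc get ns aiot-test -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}')
# PROJECT_GIDS=$(oc get ns aiot-test -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}')

in_range 101 "$PROJECT_UIDS" || echo "runAsUser 101 is outside $PROJECT_UIDS; install with:"
helm_set_args "$PROJECT_UIDS" "$PROJECT_GIDS"
```

The chart's default of 101 fails the check, and the printed flags are the ones to append to the helm upgrade command so no extra SCC is needed.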

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.