kcp-dev / helm-charts

Helm chart repo for KCP
Apache License 2.0

kcp ReplicaSet is rejected in OpenShift #52

Closed MikeSpreitzer closed 5 months ago

MikeSpreitzer commented 1 year ago

I tried using the Helm chart to create a Helm "release" in an OpenShift cluster, and the ReplicaSet for the kcp server is unacceptable to OpenShift.

I put the following in my values YAML:

externalHostname: "some-long.stuff.containers.appdomain.cloud"
kcp:
  volumeClassName: "default"
kcpFrontProxy:
  openshiftRoute:
    enabled: true

I found that the ReplicaSet for kcp never got any Pod object created. A kubectl describe of that ReplicaSet included the following Event, which explains the problem (line breaks added for readability).

  Warning  FailedCreate  42s (x17 over 6m10s)  replicaset-controller  
Error creating: pods "kcp-75d5778b7d-" is forbidden: 
unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{65532}: 65532 is not an allowed group,
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "ibm-restricted-scc": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "ibm-anyuid-scc": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "ibm-anyuid-hostpath-scc": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]

MikeSpreitzer commented 1 year ago

I tried a few work-arounds, none with full success, described in Slack starting at https://kubernetes.slack.com/archives/C021U8WSAFK/p1691118703785549

MikeSpreitzer commented 1 year ago

@pdettori said that this is fixed in main. I must admit that I do not remember whether I tested main or the latest release.

embik commented 1 year ago

@MikeSpreitzer since #54, you should now have the flexibility to override security contexts as needed, e.g. with {}. That should help with this issue at hand.
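
The rejection in the first comment and the empty-securityContext override suggested here can be reproduced offline with the small checker below. It is an added example, not code from this thread or from the kcp chart: it mimics how the `restricted-v2` SCC validates a pod-level `securityContext` against the UID/GID ranges OpenShift stamps on a namespace (the `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` annotations). The range values, the sample contexts and the message wording are constructed for the example; the `fsGroup` value 65532 is the one from the event in the issue. The real check against a live cluster is `oc adm policy scc-subject-review -f <pod.yaml>`.

```python
"""Simulate restricted-v2 SCC validation of a pod-level securityContext.

restricted-v2 uses MustRunAsRange for runAsUser and MustRunAs for fsGroup and
supplementalGroups. Fields the pod leaves unset are filled in from the
namespace's range, so only explicitly set values outside the range are
rejected. This is why an empty securityContext ({}) is admitted while a
hard-coded fsGroup of 65532 is not.
"""

# Constructed sample: annotations OpenShift stamps on a namespace at creation
# time, in the real "<start>/<size>" format (the numbers are made up).
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000680000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
}

# Constructed sample of a pod-level securityContext that pins fsGroup to 65532,
# the value reported in the ReplicaSet event.
PINNED_CONTEXT = {"runAsNonRoot": True, "fsGroup": 65532}

# The override discussed in the thread: an empty securityContext, leaving
# OpenShift to assign UID and GID from the namespace range.
OVERRIDDEN_CONTEXT = {}


def parse_range(annotation: str) -> tuple[int, int]:
    """Parse "<start>/<size>" into an inclusive (min, max) pair."""
    start_s, size_s = annotation.split("/")
    start, size = int(start_s), int(size_s)
    return start, start + size - 1


def in_range(value: int, rng: tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= value <= hi


def validate_restricted_v2(security_context: dict, ns_annotations: dict) -> list[str]:
    """Return SCC-style violation messages; an empty list means the pod is admitted."""
    uid_range = parse_range(ns_annotations["openshift.io/sa.scc.uid-range"])
    gid_range = parse_range(ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    errors: list[str] = []

    # MustRunAsRange: an explicit runAsUser must fall inside the namespace UID range.
    uid = security_context.get("runAsUser")
    if uid is not None and not in_range(uid, uid_range):
        errors.append(
            f".spec.securityContext.runAsUser: Invalid value: {uid}: "
            f"must be in the ranges: [{uid_range[0]}, {uid_range[1]}]"
        )

    # MustRunAs: an explicit fsGroup must fall inside the supplemental-groups range.
    fs_group = security_context.get("fsGroup")
    if fs_group is not None and not in_range(fs_group, gid_range):
        errors.append(
            f".spec.securityContext.fsGroup: Invalid value: []int64{{{fs_group}}}: "
            f"{fs_group} is not an allowed group"
        )

    # Same rule for every explicitly listed supplemental group.
    for gid in security_context.get("supplementalGroups", []):
        if not in_range(gid, gid_range):
            errors.append(
                f".spec.securityContext.supplementalGroups: Invalid value: {gid}: "
                f"{gid} is not an allowed group"
            )
    return errors


if __name__ == "__main__":
    for label, ctx in (("pinned", PINNED_CONTEXT), ("overridden", OVERRIDDEN_CONTEXT)):
        problems = validate_restricted_v2(ctx, NAMESPACE_ANNOTATIONS)
        print(f"{label}: {'admitted' if not problems else problems}")
```

Run as-is, the pinned context yields exactly the fsGroup message seen in the event and the empty context is admitted. The trade-off of the override is that the pod no longer controls which GID owns its volumes; the namespace range decides, so anything that assumes a fixed 65532 owner on disk needs to be checked after the change.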

pdettori commented 1 year ago

@embik thanks, would it be possible to publish a new release for the helm chart (e.g. 0.2.6) since the latest release (0.2.5) does not include the change and so setting security context is still not possible following the instructions for usage in https://github.com/kcp-dev/helm-charts#usage

embik commented 1 year ago

@pdettori I believe the securityContext changes mentioned in this specific issue never made it into a release (0.2.5 is from February and the commit that broke OpenShift deployment as far as I understood must have been https://github.com/kcp-dev/helm-charts/commit/be75345f70e6819991145801fd8e4ac44d4c1ee4). Or is this a separate concern just related to being able to set the securityContext at all?

In any case, I think we are planning to release 0.3.0 somewhat soonish since there are one or two breaking changes either merged already or planned. At that point the chart should be much more flexible.

embik commented 1 year ago

@pdettori FYI, chart version 0.3.0 has been released. Maybe someone can check if this issue is still present / cannot be fixed by overriding the securityContext in values.yaml.

kcp-ci-bot commented 7 months ago

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kcp-ci-bot commented 6 months ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

kcp-ci-bot commented 5 months ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

/close

kcp-ci-bot commented 5 months ago

@kcp-ci-bot: Closing this issue.

In response to [this](https://github.com/kcp-dev/helm-charts/issues/52#issuecomment-2170639776):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.