kubestellar / kubeflex

A flexible and scalable platform for running Kubernetes control plane APIs.
Apache License 2.0

🐛 Try running kube-apiserver in k8s type cp as user 65534 #234

Closed MikeSpreitzer closed 4 months ago

MikeSpreitzer commented 4 months ago

Summary

This PR changes the kube-apiserver Deployment for k8s type control planes to specify runAsUser: 65534, because #195 suggests that something like this is needed.

Related issue(s)

This might be part of fixing #195

MikeSpreitzer commented 4 months ago

/cc @pdettori /cc @francostellari /cc @KPRoche

francostellari commented 4 months ago

@MikeSpreitzer I don't have a chance to look into this while traveling but be careful that setting the user ID causes problems in OCP, I think

pdettori commented 4 months ago

@MikeSpreitzer I have tried on an OCP version 4.13.39. The Pod did not start, and looking at the errors in the RS created by the deployment I found this error:

 Type     Reason        Age                    From                   Message
  ----     ------        ----                   ----                   -------
  Warning  FailedCreate  4m31s (x25 over 6m4s)  replicaset-controller  Error creating: pods "kube-apiserver-5b4d95448b-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [1000990000, 1000999999], provider restricted-v2: .containers[1].runAsUser: Invalid value: 65534: must be in the ranges: [1000990000, 1000999999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "ibm-restricted-scc": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-scc": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostpath-scc": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

I have found that the range provided in the message [1000990000, 1000999999] may vary in different OCP installations, so usually it's best not to assign runAsUser and let OCP assign it automatically within that range.
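A preflight check for the problem described in this thread, added here as an example (not kubeflex project code): it reads the project's UID range from the OpenShift namespace annotation openshift.io/sa.scc.uid-range (assumed to be in the usual "start/size" form) and flags any container whose explicit runAsUser, like the 65534 in this PR, falls outside it. The pod spec and annotation value are constructed for illustration.

```python
"""Preflight: would an explicit runAsUser pass an OpenShift MustRunAsRange SCC?
Added example, not kubeflex code. Assumes the namespace carries the
openshift.io/sa.scc.uid-range annotation as "<start>/<size>"; the pod spec
below is constructed to mirror the PR (two containers, runAsUser 65534)."""


def parse_uid_range(annotation: str) -> tuple[int, int]:
    """'1000990000/10000' -> (1000990000, 1000999999), inclusive bounds."""
    start, size = (int(part) for part in annotation.split("/"))
    return start, start + size - 1


def effective_run_as_user(pod_spec: dict, container: dict):
    """A container-level securityContext overrides the pod-level one."""
    container_sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    return container_sc.get("runAsUser", pod_sc.get("runAsUser"))


def check_run_as_user(pod_spec: dict, uid_range_annotation: str) -> list[str]:
    """One finding per container whose explicit runAsUser is outside the range.
    An omitted runAsUser produces no finding: OCP then assigns a UID from
    the range itself, which is the portable choice across installations."""
    lo, hi = parse_uid_range(uid_range_annotation)
    findings = []
    for container in pod_spec.get("containers", []):
        uid = effective_run_as_user(pod_spec, container)
        if uid is not None and not lo <= uid <= hi:
            findings.append(
                f"{container['name']}: runAsUser {uid} not in [{lo}, {hi}]; "
                "drop runAsUser and let the SCC assign one"
            )
    return findings


# Constructed inputs: pod-level runAsUser 65534 plus a sidecar that repeats it.
POD_SPEC = {
    "securityContext": {"runAsUser": 65534},
    "containers": [
        {"name": "kube-apiserver"},
        {"name": "sidecar", "securityContext": {"runAsUser": 65534}},
    ],
}
NAMESPACE_UID_RANGE = "1000990000/10000"  # constructed; matches the range in the error

if __name__ == "__main__":
    for finding in check_run_as_user(POD_SPEC, NAMESPACE_UID_RANGE):
        print(finding)
```

Running the check against a manifest before `kubectl apply` surfaces the rejection at review time instead of as a FailedCreate event on the ReplicaSet.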