Closed MikeSpreitzer closed 4 months ago
/cc @pdettori /cc @francostellari /cc @KPRoche
@MikeSpreitzer I don't have a chance to look into this while traveling, but be careful: setting the user ID causes problems in OCP, I think.
@MikeSpreitzer I have tried on OCP version 4.13.39. The Pod did not start, and looking at the errors in the RS created by the deployment I found this error:
```text
Type     Reason        Age                  From                   Message
----     ------        ----                 ----                   -------
Warning  FailedCreate  4m31s (x25 over 6m4s)  replicaset-controller  Error creating: pods "kube-apiserver-5b4d95448b-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [1000990000, 1000999999], provider restricted-v2: .containers[1].runAsUser: Invalid value: 65534: must be in the ranges: [1000990000, 1000999999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "ibm-restricted-scc": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-scc": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostpath-scc": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
I have found that the range provided in the message, [1000990000, 1000999999], may vary in different OCP installations, so usually it's best not to assign runAsUser and let OCP assign it automatically within that range.
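The rejection quoted above comes from the restricted-v2 SCC's MustRunAsRange strategy, which takes its allowed UID range from the namespace annotation `openshift.io/sa.scc.uid-range` (format `<start>/<size>`; `1000990000/10000` is exactly the `[1000990000, 1000999999]` shown in the event). What follows is an added example, not code from this PR or from the project: a small pre-admission check that parses that annotation, applies the same range rule to every container's effective `runAsUser`, and produces a portable copy of the manifest that drops the hardcoded UID while keeping `runAsNonRoot`. The two-container Deployment and the annotation value are constructed sample data, not the real manifest.

```python
"""Check a Deployment's runAsUser settings against an OpenShift namespace UID range.

Added example, not part of the PR. The manifest and the annotation value below
are constructed sample data. The check mirrors what the restricted-v2 SCC's
MustRunAsRange strategy enforces: a hardcoded runAsUser must fall inside the
range the namespace annotation openshift.io/sa.scc.uid-range grants.
"""
import copy
from typing import Dict, List, Optional, Tuple

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Convert '<start>/<size>' into the inclusive (low, high) pair the SCC error reports."""
    start_text, size_text = annotation.strip().split("/", 1)
    start, size = int(start_text), int(size_text)
    if start < 0 or size <= 0:
        raise ValueError(f"invalid uid-range annotation {annotation!r}")
    return start, start + size - 1


def effective_run_as_user(pod_spec: Dict, container: Dict) -> Optional[int]:
    """A container-level securityContext overrides the pod-level one, as in Kubernetes."""
    container_sc = container.get("securityContext") or {}
    if "runAsUser" in container_sc:
        return container_sc["runAsUser"]
    pod_sc = pod_spec.get("securityContext") or {}
    return pod_sc.get("runAsUser")


def check_deployment(deployment: Dict, namespace_annotations: Dict[str, str]) -> List[str]:
    """Return one finding per offending container; an empty list means the range rule passes.

    A container that omits runAsUser is accepted: the SCC fills in the first UID of the
    range. A hardcoded UID outside the range reproduces the 'must be in the ranges'
    rejection seen in the thread.
    """
    low, high = parse_uid_range(namespace_annotations[UID_RANGE_ANNOTATION])
    pod_spec = deployment["spec"]["template"]["spec"]
    findings = []
    for idx, container in enumerate(pod_spec.get("containers", [])):
        uid = effective_run_as_user(pod_spec, container)
        if uid is None:
            continue  # left to the SCC, which is the portable choice
        if not low <= uid <= high:
            findings.append(
                f".containers[{idx}].runAsUser: Invalid value: {uid}: "
                f"must be in the ranges: [{low}, {high}]"
            )
    return findings


def portable_copy(deployment: Dict) -> Dict:
    """Return a copy with every hardcoded runAsUser removed and runAsNonRoot set.

    This is the shape the comment above recommends: let OCP pick the UID, while still
    refusing to run as root on clusters that have no SCC admission at all.
    """
    fixed = copy.deepcopy(deployment)
    pod_spec = fixed["spec"]["template"]["spec"]
    for owner in [pod_spec, *pod_spec.get("containers", [])]:
        sc = owner.setdefault("securityContext", {})
        sc.pop("runAsUser", None)
        sc["runAsNonRoot"] = True
    return fixed


# Constructed sample data (hypothetical values, not taken from a real cluster).
SAMPLE_NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1000990000/10000"}


def sample_deployment(run_as_user: Optional[int]) -> Dict:
    """Constructed two-container Deployment shaped like the one in the thread."""
    def container(name: str) -> Dict:
        spec = {"name": name, "image": f"example.invalid/{name}:latest"}
        if run_as_user is not None:
            spec["securityContext"] = {"runAsUser": run_as_user}
        return spec

    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "kube-apiserver"},
        "spec": {"template": {"spec": {"containers": [container("kube-apiserver"), container("sidecar")]}}},
    }


if __name__ == "__main__":
    for finding in check_deployment(sample_deployment(65534), SAMPLE_NAMESPACE_ANNOTATIONS):
        print("reject:", finding)
    fixed = portable_copy(sample_deployment(65534))
    print("after fix:", check_deployment(fixed, SAMPLE_NAMESPACE_ANNOTATIONS))
```

Feed it the annotation from `oc get namespace <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'` and a manifest loaded from YAML. One caveat for the portable form: on a non-OpenShift cluster nothing assigns a UID, so `runAsNonRoot: true` without `runAsUser` only works if the image declares a numeric non-root `USER`; otherwise the kubelet refuses to start the container.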
Summary
This PR changes the kube-apiserver Deployment for k8s type control planes to specify `runAsUser: 65534`, because #195 suggests that something like this is needed.
Related issue(s)
This might be part of fixing #195