pingidentity / pingidentity-devops-getting-started

Ping Identity Devops Program
https://devops.pingidentity.com

pf-engine installed on OPENSHIFT : error Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid" #312

Closed gsustek closed 2 years ago

gsustek commented 2 years ago

Describe the bug: This bug is a follow-up to the prior closed bug: https://github.com/pingidentity/pingidentity-devops-getting-started/issues/257

Hi, there is still one bug: the init container of the engine still has an unconfigurable runAsUser value of 9031, and OpenShift then complains about a security context constraint violation. See below.

" 18s Warning FailedCreate replicaset/team-cpc2-pingfederate-pingfederate-engine-58f87ffdcf Error creating: pods "team-cpc2-pingfederate-pingfederate-engine-58f87ffdcf-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.runAsUser: Invalid value: 9031: must be in the ranges: [1002970000, 1002979999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "nfs-storage-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] "

deployment config in openshift spec: restartPolicy: Always initContainers:

values.yaml

pingfederate-admin:
  enabled: true
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    defaultDomain: apps.projects.yyyyy.zzzzz.com
    enabled: false
  container:
    resources:
      requests:
        cpu: 100m
        memory: 100Mi
pingfederate-engine:
  enabled: true
  container:
    resources:
      requests:
        cpu: 100m
        memory: 100Mi
global:
  container:
    resources:
      requests:
        cpu: 100m
        memory: 100Mi
      limits:
        cpu: 2
        memory: 4Gi
  workload:
    securityContext:
      fsGroup: 1002970000
      runAsUser: 1002970000
      runAsGroup: 0
      seLinuxOptions:
        level: 's0:c29,c9'
        level: 's0:c49,c29'
      # allowPrivilegeEscalation: false
      #  capabilities:
      #  drop:
      #  - ALL

Regards, Goran.

wellthatsjames commented 2 years ago

Are you able to try deploying without specifying the UID? We do in the Dockerfile for other platforms, but with OpenShift it should be fine to deploy without specifying or requiring the UID as the container should still work by group file ownership/permissions.

gsustek commented 2 years ago

If I remove it, then I get this error: provider "anyuid": Forbidden:...

[provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.runAsUser: Invalid value: 9031: must be in the ranges: [1002970000, 1002979999], provider "nonroot": Forbidden:

gsustek commented 2 years ago

The workaround is to set the hardcoded 9031 port from the init container to any port from this range [1002970000, 1002979999], like I did for: securityContext: fsGroup: 1002970000 runAsUser: 1002970000

So one of the possible solutions would be to make this attribute configurable also in the init container, and not hardcoded like now...
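Added example (not from the Helm chart and not posted by any commenter): a small Python check that validates every container of a pod spec, init containers included, against the UID range OpenShift assigns to the namespace via the real openshift.io/sa.scc.uid-range annotation. The annotation value and the pod spec below are constructed to mirror the error in this issue, where only the main container's runAsUser was overridden.

```python
"""Check every container (init containers included) of a pod spec against the
namespace's OpenShift UID range. Constructed sample data, not a live cluster."""

# Real OpenShift annotation; value format is '<start>/<size>'.
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


def parse_uid_range(annotation: str) -> tuple[int, int]:
    """'1002970000/10000' -> (1002970000, 1002979999), inclusive bounds."""
    start, size = annotation.split("/")
    return int(start), int(start) + int(size) - 1


def find_out_of_range_uids(pod_spec: dict, uid_range: tuple[int, int]) -> list[str]:
    """Return 'field: uid' strings for each hardcoded runAsUser outside the range.
    A missing runAsUser is fine: the restricted SCC then assigns one from the range.
    initContainers are checked first, matching the order of the admission error."""
    low, high = uid_range
    problems = []
    for field in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(field, [])):
            uid = container.get("securityContext", {}).get("runAsUser")
            if uid is not None and not (low <= uid <= high):
                problems.append(f"spec.{field}[{i}].securityContext.runAsUser: {uid}")
    return problems


# Constructed sample: the engine init container keeps the image default UID 9031,
# while the main container was overridden via values.yaml.
SAMPLE_NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1002970000/10000"}
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "init", "securityContext": {"runAsUser": 9031}}],
    "containers": [
        {"name": "pingfederate-engine", "securityContext": {"runAsUser": 1002970000}}
    ],
}

if __name__ == "__main__":
    uid_range = parse_uid_range(SAMPLE_NAMESPACE_ANNOTATIONS[UID_RANGE_ANNOTATION])
    for problem in find_out_of_range_uids(SAMPLE_POD_SPEC, uid_range):
        print("would be rejected by the restricted SCC:", problem)
```

Pointing the same check at the rendered output of the chart (helm template) catches a hardcoded UID in any container before the ReplicaSet fails to create pods.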

gsustek commented 2 years ago

Anything new on that topic? @wellthatsjames

arnaudlacour commented 2 years ago

Apologies for the delayed answer. Since you opened this ticket, the team has fully qualified the images on OpenShift. If you feel like the recent improvements have not addressed this issue, please reopen it.