uselagoon / remote-controller

A group of controllers for handling Lagoon builds and tasks in Kubernetes or OpenShift

OpenShift 4 Permission error when patching build pods #104

Closed shreddedbacon closed 7 months ago

shreddedbacon commented 2 years ago
Error from server (Forbidden): pods "lagoon-build-h46jdp" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

The controller should start the build pod using a different service account, preferably the one that owns the token being mounted into the pod

shreddedbacon commented 2 years ago

Example of the error. I tried adding the ServiceAccountName: lagoon-deployer to build pods, but this did not change anything. I guess there is something else. I don't know enough about SCCs to know the solution.

Error from server (Forbidden): pods "lagoon-build-1venpm" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

shreddedbacon commented 7 months ago

Closing this. The issue is still probably present, but we don't deploy much into OpenShift, so closing this as won't fix for now unless the problem is reported via community users.
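
Added example, not part of the original thread or the project's code: a small Go helper that groups the SCC names in the admission error quoted above by rejection reason, which shows that every listed SCC was refused with the same "not usable by user or serviceaccount" reason. The function names and the shortened sample message are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// sccRejection matches one `provider "name": Forbidden: reason` clause of the
// admission error; a reason runs up to the next comma or the closing bracket.
var sccRejection = regexp.MustCompile(`provider "([^"]+)": Forbidden: ([^,\]]+)`)

// accessDenied is the rejection reason that appears in the error on this page.
const accessDenied = "not usable by user or serviceaccount"

// Triage groups the SCC names in an admission error by rejection reason.
func Triage(msg string) map[string][]string {
	byReason := map[string][]string{}
	for _, m := range sccRejection.FindAllStringSubmatch(msg, -1) {
		byReason[m[2]] = append(byReason[m[2]], m[1])
	}
	for _, names := range byReason {
		sort.Strings(names)
	}
	return byReason
}

// OnlyAccessDenied reports whether every listed SCC was rejected because the
// requester may not use it, with no SCC rejected for any other reason.
func OnlyAccessDenied(msg string) bool {
	g := Triage(msg)
	return len(g) == 1 && len(g[accessDenied]) > 0
}

// sample is constructed: a shortened form of the error quoted in the issue.
const sample = `pods "lagoon-build-h46jdp" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]`

func main() {
	for reason, names := range Triage(sample) {
		fmt.Printf("%s: %v\n", reason, names)
	}
	fmt.Println("only access-denied rejections:", OnlyAccessDenied(sample))
}
```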