Closed shreddedbacon closed 7 months ago
Example of the error. I tried adding the ServiceAccountName: lagoon-deployer to build pods, but this did not change anything. I guess there is something else. I don't know enough about SCCs to know the solution.
```
Error from server (Forbidden): pods "lagoon-build-1venpm" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
Closing this. The issue is probably still present, but we don't deploy much into OpenShift, so closing this as won't fix for now unless the problem is reported via community users.
The controller should start the build pod using a different service account, preferably the one that owns the token being mounted into the pod.