Vitess operator is unable to deploy vitess on Open Shift cluster

[Murali-P]

Feature Description

Earlier the vitess operator existed on the red hat operator hub. Now it is not available. I tried to install on openshift version. [root@bastion ~]# oc - version Client Version: 4.10.60 Server Version: 4.10.60 Kubernetes Version: v1.23.17+16bcd69 [root@bastion ~]#

I have used the initial_cluster.yaml file.Below error occurs on vitess operator logs. [(https://stackoverflow.com/questions/76651126/unable-to-install-vitess-using-vitess-operator-on-red-hat-openshift-server)]

{"level":"error","ts":"2023-07-20T08:05:26Z","msg":"Reconciler error","controller":"vitessshard-controller","object":{"name":"example-commerce-x-x-0f5afee6","namespace":"test"},"namespace":"test","name":"example-commerce-x-x-0f5afee6", "reconcileID":"703ca0b5-4c0d-4c19-9f43-a58a7a2d6d63","error":"pods \"example-vttablet-zone1-2548885007-46a852d0\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{999}: 999 is not an allowed group, spec.initContainers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000700000, 1000709999], spec.initContainers[1].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000700000, 1000709999], spec.containers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000700000, 1000709999], spec.containers[1].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000700000, 1000709999], spec.containers[2].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000700000, 1000709999], provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/ controller-runtime@v0.14.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.3/pkg/internal/controller/controller.go:274\ nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.3/pkg/internal/controller/controller.go:235"}

Use Case(s)

Installation on various platform should be supported. On-premise installation on red hat open shift server.

[mattlord]

Hi @Murali-P,

I don't believe that this is a Vitess Operator bug/issue, but rather an OpenShift configuration issue:

• https://github.com/kubernetes-sigs/vsphere-csi-driver/issues/1418
• https://www.redhat.com/sysadmin/security-context-constraint-permissions
• https://access.redhat.com/discussions/6668441
• https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html

I'm closing this for now. If you feel that there's something specific that we can change in the Vitess Operator itself then please let us know and we can re-open this.

Thanks!