Deployment no longer works with OpenShift #96

Open
psav opened this issue Sep 20, 2022 · 3 comments

psav commented Sep 20, 2022

Have been testing against OpenShift 4.11 and the pods won't spin up, citing:

create Pod test-postgresql-0 in StatefulSet test-postgresql failed error: pods "test-postgresql-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001300000, 1001309999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

I had tried a values file looking like the following:

applicationSettings:
  initialModel: "https://github.com/RasaHQ/rasa-x-demo/blob/master/models/model.tar.gz?raw=true"
postgresql:
  volumePermissions:
    securityContext:
      runAsUser: "auto"
  securityContext:
    enabled: false
  shmVolume:
    chmod:
      enabled: false
nginx:
  image:
    name: nginxinc/nginx-unprivileged
    port: 8080

Deleted my namespace and re-ran the installation - but the same error persists. Looking in the stateful set, it does appear as though uid 1001 is used for the user, which is not allowed in OpenShift.


BlueCog commented Sep 20, 2022

Specific for postgres, I have:

  postgresql:
    containerSecurityContext:
      enabled: false
    securityContext:
      enabled: false

And there is also the global setting securityContext -> securityContext: false you can set. See: https://github.com/RasaHQ/rasa-x-helm/blob/main/charts/rasa-x/values.yaml#L882

@kaitlynabdo

Running into the same issue. I tried the same thing as @psav (my values file looked the same) and got the same error. I also used this values file from rasa https://github.com/RasaHQ/helm-charts/blob/main/charts/rasa/values.yaml and changed those nginx and postgresql values. Once I did that, the error says connection refused and failed to connect upstream. Just following the rasa documentation alone, it doesn’t even start up the Postgresql. Creating an anyuid SCC to account for the permission issue since OpenShift doesn’t allow for user value 1001 got a postgresql pod to run but it ultimately failed. It doesn’t seem like the values file doesn’t actually change anything when looking at the yml files in OpenShift clusters.


thoraxe commented Nov 10, 2022

I was with @kaitlynabdo when we were doing the testing mentioned -- the PostgreSQL pod failed with an inability to write to the (default?) data folder. I think the PostgreSQL part of the chart for running on top of OCP is a bit borked.
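
Added example (not part of the thread and not the chart's own code): Python that pulls the permitted UID range out of the admission error quoted in the issue and flags hard-coded `runAsUser` values in rendered manifest text that fall outside it, which is one way to confirm whether a values override actually reached the pod spec. The shortened error string, the manifest text and the function names are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the admission error quoted in the issue.
SCC_ERROR = (
    'pods "test-postgresql-0" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable by '
    'user or serviceaccount, spec.containers[0].securityContext.runAsUser: '
    'Invalid value: 1001: must be in the ranges: [1001300000, 1001309999], '
    'provider "nonroot": Forbidden: not usable by user or serviceaccount]'
)

# Constructed sample standing in for rendered chart output (not the real chart).
RENDERED = """\
kind: StatefulSet
spec:
  template:
    spec:
      containers:
        - name: test-postgresql
          securityContext:
            runAsUser: 1001
        - name: sidecar
          securityContext:
            runAsUser: 1001300000
"""

def parse_scc_error(msg):
    """Return (field path, rejected value, (low, high)) from an SCC range rejection."""
    m = re.search(r'(spec\.[\w.\[\]]+): Invalid value: (\d+): '
                  r'must be in the ranges: \[(\d+), (\d+)\]', msg)
    if not m:
        return None
    return m.group(1), int(m.group(2)), (int(m.group(3)), int(m.group(4)))

def unusable_sccs(msg):
    """Names of SCCs the requesting user or service account was not allowed to use."""
    return re.findall(r'provider "([^"]+)": Forbidden: not usable', msg)

def out_of_range_uids(manifest, allowed):
    """List (line number, uid) for numeric runAsUser values outside the allowed range."""
    low, high = allowed
    hits = []
    for n, line in enumerate(manifest.splitlines(), 1):
        m = re.match(r'\s*(?:-\s*)?runAsUser:\s*"?(\d+)"?\s*$', line)
        if m and not low <= int(m.group(1)) <= high:
            hits.append((n, int(m.group(1))))
    return hits
```

Non-numeric values such as `"auto"` are not matched, so only literal UIDs that the admission check would compare against the range are reported.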
