You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The affected chart is the postgresql chart. (stable/postgresql)
Description
I stumbled across issues regarding the SecurityContext using developer trial at openshift online: https://www.openshift.com/trial/
It basically disallows root containers (Openshift default) and applies a SecurityContextConstraint on you assigning you a range of usable uids. So if you do a
Warning FailedCreate 11s (x13 over 29s) statefulset-controller create Pod your-dog-postgresql-0 in StatefulSet your-dog-postgresql failed error: pods "your-dog-postgresql-0" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1033980000, 1033989999] spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1033980000, 1033989999]]
create Pod washing-olm-postgresql-0 in StatefulSet washing-olm-postgresql failed error: pods "washing-olm-postgresql-0" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group]
No hint which fsGroup is allowed nowhere - I just assumed it could as well omit it for my use case since all processes share the same uid?! (That would be my first question)
So it looks like its taking my long uid and converts it to a scientific notation and results to chown failing. Any idea i can work around that? On a shared platform like openshift online you don't have the option to take differen uids.
Steps to reproduce the issue:
Create developer account at openshift online
Create a postgres cluster with commands described above
run into errors
Describe the results you received:
The init-chmod-data pod fails with long uids assigned by openshift online
Describe the results you expected:
init-chmod-data container executing with long uids
Additional information you deem important (e.g. issue happens only occasionally):
THAT was helpful, i didn't thought of a parsing issue in helm, or at least i didn't find that issue. so that worked - container's running fine.... It somehow bothers me that it'd only work with an empty fsGroup.... although it seemingly works fine without i'd like to understand the issue.... Anyway thanks for that hint!
I am glad it was helpful for you! I already hit that same issue with the bitnami/kafka chart in the past but in that case, the workaround was different as the conflictive values were set by default in the values.yaml.
Basically we define the values as "24235435646_" (so it is a string), and later on when consuming the big number we replace "_" by "". (Example here: https://github.com/bitnami/charts/blob/master/bitnami/kafka/templates/statefulset.yaml#L185)
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Which chart:
The affected chart is the postgresql chart. (stable/postgresql)
Description
I stumbled across issues regarding the SecurityContext using developer trial at openshift online: https://www.openshift.com/trial/
It basically disallows root containers (Openshift default) and applies a SecurityContextConstraint on you assigning you a range of usable uids. So if you do a
You'll yield this error on the StatefulSet
So easy fix:
Next issue in the statefulset:
No hint which fsGroup is allowed nowhere - I just assumed it could as well omit it for my use case since all processes share the same uid?! (That would be my first question)
So try again without fsGroup set:
Yay, the pvc gets created, as well as a pod running the
init-chmod-data
init pod.But that fails because of
So it looks like its taking my long uid and converts it to a scientific notation and results to
chown
failing. Any idea i can work around that? On a shared platform like openshift online you don't have the option to take differen uids.Steps to reproduce the issue:
Describe the results you received:
The init-chmod-data pod fails with long uids assigned by openshift online
Describe the results you expected:
init-chmod-data container executing with long uids
Additional information you deem important (e.g. issue happens only occasionally):
Version of Helm and Kubernetes:
helm version
:kubectl version
:The text was updated successfully, but these errors were encountered: