Having install issue with Linkerd 2.0 on OpenShift #1655
Comments
To fix the errors, you need to execute:
Awesome, I'll open an issue to get that added to the docs!
Having the same problem. Executing the provided commands works for controller and prometheus, but the grafana and web pods are not starting with the same error. After some attempts I found that the following works:

I think this is related to the init-container trying to modify iptables. Should that be reverted later on?
@lostiniceland there's probably a more specific policy that we can use. I went down the podsecuritypolicy hole last week. If there was an SCC YAML we could add to the docs, that would be ideal ... I just don't have an OpenShift cluster around to play with right now.
Here is what I am working with... It's restricted + NET_ADMIN... and I just change the uid from 2102 to something in the valid range for the namespace in the installation YAMLs both as the securityContext and the arguments for the proxies. We are going to test more tomorrow to see if this is an approach that will work. THAT SAID, I am still quite reticent to give out cap NET_ADMIN to any individual user who is sharing a cluster with other projects, other business units, and other applications... It's clearly not "all about the multitenancy"
Before anyone else sees this as a solution, it's the kube equivalent of
Fair enough. That's why I did not investigate Linkerd on OpenShift at the moment. I hope we can get a clean setup (maybe an operator for Linkerd).
NB. It's not a criticism of the idea itself to see if it fixes the permission to then distil it again. I'm just the resident [insert evil regime] about privileged mode because it's the first thing every user I support asks me for as soon as they hit a permission issue and it's 99.99999999999999999999999999999999% of the time totally unnecessary :) e.g. the docker PHP container still runs as root 🤦♂️
@calston @lostiniceland @mshutt @mhausenblas `linkerd stat pods --all-namespaces` But I tried installing Linkerd in Katacoda's OpenShift and it all works.
Katacoda scenario is now broken due to
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
what is the accepted solution here? is it
?
I found errors related to scc for all of the service accounts and did the install this way...
pods still refused to show up with no logs at all, so afaict... linkerd is completely incompatible with OpenShift 4.5...
To reproduce my install issue, please use this Katacoda scenario. It seems like the pod security contexts need to be aligned with OpenShift's security context constraints. Certain caps are not set or allowed. I could monkey patch as I did with stuff in previous steps but I think a dedicated version might be more sustainable?
CC: @grampelberg