While using helm (https://github.com/helm/helm) with OpenShift Origin (3.9) I can't create any new security context constraints (scc). When I try I get:
I0824 23:39:36.201924 1 round_trippers.go:383] POST https://172.30.0.1:443/apis/security.openshift.io/v1/securitycontextconstraintses
--
| I0824 23:39:36.201940 1 round_trippers.go:390] Request Headers:
| I0824 23:39:36.201945 1 round_trippers.go:393] Content-Type: application/json
| I0824 23:39:36.201955 1 round_trippers.go:393] Accept: application/json
| I0824 23:39:36.201965 1 round_trippers.go:393] User-Agent: tiller/v0.0.0 (linux/amd64) kubernetes/$Format
As may be obvious that's not how the scc object is spelled (securitycontextconstraintses vs securitycontextconstraints).
I can create scc's with kubectl and oc, but not with helm. I can also install helm charts using helm template . | oc apply -f -. This is why I initially thought it was helm. It still may be. The only thing close to a clue that I could find is the same misspelling in the shell completion scripts used by the same version I'm using (3.9) -> https://github.com/openshift/origin/blob/release-3.9/contrib/completions/bash/oc#L7751
I've tried searching through all the endpoints that show up in the audit log when I attempt installing a chart using helm, but I can't find this misspelling anywhere.
I believe helm is using the client-go for interacting with the kube API server.
The other reason I think this is openshift related is because I believe that for an scc object kubernetes would see that as an unknown kind and treat it like any custom kind created. I would be very surprised if there was some weird custom code in helm/ kubernetes that misspelled securitycontextconstraintses.
I should add that I have tried this on two separate OpenShift origin 3.9 environments with the same results in both. I have also tried this with numerous different scc's, but here's a simple sample one that I've used recently:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: scc-test
allowPrivilegedContainer: true
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
fsGroup:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users: []
groups: []
Version
oc version
oc v3.9.0+ba7faec-1
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO
And just in case:
helm version:
Client: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}
And kubectl version:
Client Version: version.Info{Major:"", Minor:"", GitVersion:"v1.9.1+a0ce1bc657", GitCommit:"a0ce1bc", GitTreeState:"clean", BuildDate:"2018-04-11T20:47:54Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"", Minor:"", GitVersion:"v1.9.1+a0ce1bc657", GitCommit:"a0ce1bc", GitTreeState:"clean", BuildDate:"2018-04-11T20:47:54Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Steps To Reproduce
- Install OpenShift Origin 3.9
- Install helm (https://blog.openshift.com/getting-started-helm-openshift/)
- Create a new chart (
helm create test)
- Remove all the files in
test/templates and put in the scc I included above
helm install test
Current Result
Error: release <release name> failed: the server could not find the requested resource
Expected Result
`securitycontextconstraints "scc-test1" configured
While using helm (https://github.com/helm/helm) with OpenShift Origin (3.9) I can't create any new security context constraints (scc). When I try I get:
As may be obvious that's not how the scc object is spelled (securitycontextconstraintses vs securitycontextconstraints).
I can create scc's with
kubectlandoc, but not with helm. I can also install helm charts usinghelm template . | oc apply -f -. This is why I initially thought it was helm. It still may be. The only thing close to a clue that I could find is the same misspelling in the shell completion scripts used by the same version I'm using (3.9) -> https://github.com/openshift/origin/blob/release-3.9/contrib/completions/bash/oc#L7751I've tried searching through all the endpoints that show up in the audit log when I attempt installing a chart using helm, but I can't find this misspelling anywhere.
I believe helm is using the client-go for interacting with the kube API server.
The other reason I think this is openshift related is because I believe that for an scc object kubernetes would see that as an unknown kind and treat it like any custom kind created. I would be very surprised if there was some weird custom code in helm/ kubernetes that misspelled securitycontextconstraintses.
I should add that I have tried this on two separate OpenShift origin 3.9 environments with the same results in both. I have also tried this with numerous different scc's, but here's a simple sample one that I've used recently:
Version
And just in case:
helm version:And
kubectl version:Steps To Reproduce
helm create test)test/templatesand put in the scc I included abovehelm install testCurrent Result
Error: release <release name> failed: the server could not find the requested resourceExpected Result
`securitycontextconstraints "scc-test1" configured