Closed
Description
The sample SecurityContextConstraints provided in sidb does not seem to work on IBM Cloud OpenShift Container Platform.
https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml
Can someone help me with this? I am not able to figure out why the CR is not able to find the sidb-scc.
```
oc get SecurityContextConstraints | grep sidb
sidb-scc false ["*"] RunAsAny MustRunAsRange MustRunAs MustRunAs <no value> false ["awsElasticBlockStore","azureDisk","azureFile","cephFS","cinder","configMap","csi","downwardAPI","emptyDir","ephemeral","fc","flexVolume","flocker","gcePersistentDisk","gitRepo","glusterfs","iscsi","nfs","persistentVolumeClaim","photonPersistentDisk","portworxVolume","projected","quobyte","rbd","scaleIO","secret","storageOS","vsphere"]
oc get sa | grep sidb
sidb-sa 2 9m32s
oc get role | grep sidb
use-sidb-scc 2023-03-05T04:45:03Z
oc get rolebinding | grep sidb
use-sidb-scc Role/use-sidb-scc 5m16s
```
Stack trace:
```
oc get SingleInstanceDatabase prebuiltdb-sample
NAME                EDITION   STATUS    VERSION       CONNECT STR   OEM EXPRESS URL
prebuiltdb-sample   Express   Pending   Unavailable   Unavailable   Unavailable
```

```yaml
status:
  cloneFrom: Unavailable
  conditions:
  - lastTransitionTime: "2023-03-05T04:53:44Z"
    message: 'pods "prebuiltdb-sample-f58im" is forbidden: unable to validate against
      any security context constraint: [provider "anyuid": Forbidden: not usable by
      user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user
      or serviceaccount, provider "db2u-c-db2wh-iot-scc": Forbidden: not usable by
      user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid
      value: 54321: must be in the ranges: [1000730000, 1000739999], provider "ibm-restricted-scc":
      Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
      not usable by user or serviceaccount, provider "sidb-scc": Forbidden: not usable
      by user or serviceaccount, provider "ibm-anyuid-scc": Forbidden: not usable
      by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable
      by user or serviceaccount, provider "ibm-anyuid-hostpath-scc": Forbidden: not
      usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable
      by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user
      or serviceaccount, provider "nfd-worker": Forbidden: not usable by user or serviceaccount,
      provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount,
      provider "nvidia-driver": Forbidden: not usable by user or serviceaccount, provider
      "nvidia-gpu-feature-discovery": Forbidden: not usable by user or serviceaccount,
      provider "nvidia-mig-manager": Forbidden: not usable by user or serviceaccount,
      provider "nvidia-node-status-exporter": Forbidden: not usable by user or serviceaccount,
      provider "nvidia-operator-validator": Forbidden: not usable by user or serviceaccount,
      provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider
      "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount, provider
      "nvidia-dcgm": Forbidden: not usable by user or serviceaccount, provider "nvidia-dcgm-exporter":
      Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden:
      not usable by user or serviceaccount]'
```
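
An added triage sketch, not part of the original issue or the operator's code: it splits an admission message of the shape quoted above into SCCs rejected as "not usable by user or serviceaccount" (the requester is not authorized to use them) and field errors from a constraint that was actually evaluated. `SAMPLE`, `triage` and `verdict` are names made up for this example, and the sample is a shortened, constructed copy of the message.

```python
import re

# Constructed sample: a shortened copy of the admission message quoted above.
SAMPLE = (
    'pods "prebuiltdb-sample-f58im" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable by user '
    'or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: '
    '54321: must be in the ranges: [1000730000, 1000739999], provider "sidb-scc": '
    'Forbidden: not usable by user or serviceaccount, provider "privileged": '
    'Forbidden: not usable by user or serviceaccount]'
)

# Entry written for an SCC the requesting user or service account may not use.
NOT_USABLE = re.compile(
    r'provider "([^"]+)": Forbidden: not usable by user or serviceaccount')
# Field error from a constraint that was evaluated; this message format does
# not say which SCC produced it.
FIELD = re.compile(
    r'((?:spec|metadata)\.[\w.\[\]]+): (.+?)'
    r'(?=, provider "|, (?:spec|metadata)\.|$)')


def triage(message):
    """Separate authorization rejections from field-validation rejections."""
    # Undo YAML line folding so entries wrapped across lines match again.
    flat = " ".join(message.split())
    start, end = flat.find("["), flat.rfind("]")
    if start == -1 or end <= start:
        raise ValueError("no bracketed list of SCC errors in message")
    body = flat[start + 1:end]
    return {
        "unauthorized": NOT_USABLE.findall(body),
        "validation": FIELD.findall(body),
    }


def verdict(message, scc):
    """Say whether the named SCC was rejected before its rules were applied."""
    if scc in triage(message)["unauthorized"]:
        # The SCC's own runAsUser/volume rules were never checked for this pod.
        return "not authorized"
    return "evaluated or absent"


if __name__ == "__main__":
    print(verdict(SAMPLE, "sidb-scc"))
    for field, reason in triage(SAMPLE)["validation"]:
        print(field, "->", reason)
```

To check the authorization side for a specific identity, `oc auth can-i use scc/sidb-scc --as=system:serviceaccount:<namespace>:sidb-sa -n <namespace>` reports whether that service account holds `use` on the SCC (`<namespace>` is a placeholder).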