Description
Is this a bug report or feature request?
- Bug Report
Deviation from expected behavior:
Set up SCC, PSP and RBAC very closely following examples in this repo and the quickstart - https://rook.io/docs/nfs/v1.7/quickstart.html
NFS service did not come up and the statefulset the operator produced contained a securityContext with "privileged: true", which seems to trigger this message:
28m Warning FailedCreate statefulset/rook-nfs create Pod rook-nfs-0 in StatefulSet rook-nfs failed error: pods "rook-nfs-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_READ_SEARCH": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "SYS_ADMIN": capability may not be added, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa": Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount]
Expected behavior:
NFS service comes up
How to reproduce it (minimal and precise):
You can probably reproduce with a throw-away OpenShift 4.8 cluster at https://developers.redhat.com/developer-sandbox
To work around / resolve, I altered the statefulset resource, removing the "privileged: true" entry, and then OpenShift applied the SCC/PSP/RBAC policies as intended.
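Added example, not code from the Rook project or from this report: a small Python pre-admission check that models the two SCC rules visible in the error above (privileged containers and `capabilities.add`) and runs it against a constructed pod spec shaped like the rook-nfs StatefulSet, before and after the workaround. The SCC contents and the container names are assumptions.

```python
import copy

# Constructed SCC fragments (assumed values, not copied from any cluster): the first
# resembles OpenShift's restricted SCC, the second what a custom rook-nfs SCC would
# need to grant so that only the operator's privileged: true entry is left to reject.
RESTRICTED_SCC = {"allowPrivilegedContainer": False, "allowedCapabilities": []}
ROOK_NFS_SCC = {"allowPrivilegedContainer": False,
                "allowedCapabilities": ["DAC_READ_SEARCH", "SYS_ADMIN"]}

def scc_violations(pod_spec, scc):
    """Report, in the wording of the admission error, the securityContext entries an
    SCC would reject. Only the two checks seen in the error above are modelled."""
    problems = []
    allowed = scc.get("allowedCapabilities", [])
    for i, c in enumerate(pod_spec.get("containers", [])):
        sc = c.get("securityContext") or {}
        path = f"spec.containers[{i}].securityContext"
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if "*" not in allowed and cap not in allowed:
                problems.append(f'{path}.capabilities.add: Invalid value: "{cap}": '
                                "capability may not be added")
        if sc.get("privileged") and not scc.get("allowPrivilegedContainer", False):
            problems.append(f"{path}.privileged: Invalid value: true: "
                            "Privileged containers are not allowed")
    return problems

def without_privileged(pod_spec):
    """The workaround from the report: drop every privileged: true entry."""
    fixed = copy.deepcopy(pod_spec)
    for c in fixed.get("containers", []):
        (c.get("securityContext") or {}).pop("privileged", None)
    return fixed

# Constructed pod spec modelled on the rook-nfs StatefulSet described in the report
# (container names are placeholders).
ROOK_NFS_POD = {"containers": [
    {"name": "container-0",
     "securityContext": {"capabilities": {"add": ["DAC_READ_SEARCH", "SYS_ADMIN"]}}},
    {"name": "container-1", "securityContext": {"privileged": True}},
]}

if __name__ == "__main__":
    for name, scc in (("restricted", RESTRICTED_SCC), ("rook-nfs", ROOK_NFS_SCC)):
        for label, pod in (("as generated", ROOK_NFS_POD),
                           ("privileged removed", without_privileged(ROOK_NFS_POD))):
            v = scc_violations(pod, scc)
            print(f"{name:10s} {label:19s}: {len(v)} violation(s)")
            for p in v:
                print("   ", p)
```

Run as a script it prints the violation list for each SCC/pod combination; against the constructed rook-nfs SCC the generated pod fails only on `privileged`, and the pod with that entry removed passes.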