-
Notifications
You must be signed in to change notification settings - Fork 469
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pods cannot be created on current (OpenShift 4.13, Kubernetes 1.26.5) environments #491
Comments
(Not a maintainer, only user) I suppose you've installed reloader via the helm chart. Looking at the README.md there is a documented parameter My setup works nicely on OKD 4.13 with reloader:
reloadStrategy: annotations
readOnlyRootFileSystem: true
deployment:
resources:
requests:
cpu: "10m"
memory: "128Mi"
limits:
memory: "512Mi" and the Openshift/OKD specific: isOpenshift: true
reloader:
serviceMonitor:
enabled: true
deployment:
securityContext: false |
hi @gmodzelewski , we ourselves have been using reloader on OCP 4.9 - 4.12 with |
I just set one variable: That does not work on my OpenShift 4.13. Don't know if that's a bug or it should be documented somewhere. |
Seems like a documentation issue, I will try to update that as soon as possible. You are also welcome to open a PR with suggested changes in documentation. |
Strange. If I do a If I set securityContext to false in the values(OpenShift helm yaml view) it works. Probably some issue with the setting? Strange. BTW: Wouldn't it be nicer to have an enabled flag in the securityContext, something like |
@gmodzelewski In this case the reloader team has decided to set the following default values for deployment.securityContext: reloader:
deployment:
securityContext:
runAsNonRoot: true
runAsUser: 65534 These values are then used in
Outside of Openshift/OKD context, theses are reasonable default values. As you know however, Openshift/OKD has it's own model of handling runAsUser to make sure there are no conflicting users and thereby increasing security, but that requires the specified user to be in a uid range which are dynamically assigned to the namespace. By not specifying When there is default values defined in values.yaml, making them disappear in helm is messy, even though it's been getting easier in later versions. When defining the values from another values.yaml file (I tend to wrap an external helm charts in internal helm charts), one trick is to set maps to a value that makes no sense and the one that seems to work the best is boolean false. However, when running with "set" commands you are allowed to specify null and setting securityContext to null seems to work best. (I did test with
You can even null out only runAsUser. That way you will keep
Personally, I'd get rid of the default values of securityContext in the upstream chart, but I'm also aware of the security implications and will set the required values manually (and Openshift/OKD saves me some hassle). I however totally get that the reloader team want reasonably secure default settings for the larger public. But perhaps your suggestion |
Hey. That worked. I can install reloader in a one-liner on OpenShift 4.13 without any errors via: So, I suppose that should be documented somewhere. Will check tomorrow and create a PR (if not yet created by someone else). |
#491 Readme: Add OpenShift 4.13 runAsUser unset part
Closed by #499 |
Issue:
Not starting on a current OpenShift due to default security policies:
Used Environment:
OpenShift Server Version: 4.13.4
Kubernetes Version: v1.26.5+7d22122
Error message (added whitespaces for better readability):
FailedCreate replicaset/reloader-1688730517-reloader-c795c7bd5 Error creating: pods "reloader-1688730517-reloader-c795c7bd5-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider "pipelines-scc": Forbidden: not usable by user or serviceaccount,
spec.containers[0].securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000750000, 1000759999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "container-build": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
Remediation ideas
I suppose this can probably be solved via default security constraints or documentation on how to add this.
The text was updated successfully, but these errors were encountered: