
1.7.3 operator appears to generate unexpected, non-functional statefulset on openshift 4.8 #29

Open
jpsalvesen opened this issue Sep 30, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@jpsalvesen

Is this a bug report or feature request?

  • Bug Report

Deviation from expected behavior:
Set up SCC, PSP and RBAC very closely following examples in this repo and the quickstart - https://rook.io/docs/nfs/v1.7/quickstart.html

NFS service did not come up and the statefulset the operator produced contained a securityContext with "privileged: true", which seems to trigger this message:

28m Warning FailedCreate statefulset/rook-nfs create Pod rook-nfs-0 in StatefulSet rook-nfs failed error: pods "rook-nfs-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_READ_SEARCH": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "SYS_ADMIN": capability may not be added, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa": Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount]

Expected behavior:
NFS service comes up

How to reproduce it (minimal and precise):
You can probably reproduce with a throw-away openshift 4.8 cluster at https://developers.redhat.com/developer-sandbox


To work around / resolve, I altered the statefulset resource, removing the "privileged: true" entry, and then openshift applied the SCC/PSP/RBAC policies as intended.

@jpsalvesen jpsalvesen added the bug Something isn't working label Sep 30, 2021
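The rejection in the report comes from SCC admission refusing two things in the generated pod template: capabilities added in one container and `privileged: true` in another. The following script is an added example (not code from the rook-nfs project or from the issue author) that reproduces those two checks offline against a constructed pod spec shaped like the one described, then applies the reported workaround and re-checks. Container and image names in the sample are assumptions; the real `restricted` SCC also validates things this script does not (run-as-user ranges, volume types, host namespaces), so treat it as a pre-flight for the two errors quoted above, not as a full SCC emulator.

```python
"""Pre-flight a Pod template against the two 'restricted' SCC rules cited
in the issue: no added capabilities, no privileged containers.

Added example, not from the rook-nfs project. The sample spec below is
constructed to match the StatefulSet described in the report; container
and image names are assumptions.
"""
import copy
import json

# Constructed sample (assumed names): container 0 adds DAC_READ_SEARCH and
# SYS_ADMIN, container 1 runs privileged, matching the quoted SCC error.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "nfs-server",
            "image": "example/nfs-server:1.7.3",
            "securityContext": {
                "capabilities": {"add": ["DAC_READ_SEARCH", "SYS_ADMIN"]}
            },
        },
        {
            "name": "nfs-provisioner",
            "image": "example/nfs-provisioner:1.7.3",
            "securityContext": {"privileged": True},
        },
    ]
}


def find_scc_violations(pod_spec):
    """Return messages in the style of the SCC validation error for the two
    checks the 'restricted' SCC applied here: capability adds and
    privileged containers. An empty list means both checks pass."""
    violations = []
    for i, container in enumerate(pod_spec.get("containers", [])):
        sc = container.get("securityContext") or {}
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            violations.append(
                f"spec.containers[{i}].securityContext.capabilities.add: "
                f'Invalid value: "{cap}": capability may not be added')
        if sc.get("privileged") is True:
            violations.append(
                f"spec.containers[{i}].securityContext.privileged: "
                "Invalid value: true: Privileged containers are not allowed")
    return violations


def strip_privileged(pod_spec, drop_capabilities=True):
    """Return a deep copy with 'privileged: true' removed (the workaround
    described in the issue) and, by default, the added capabilities as
    well, since the same SCC message rejects those too."""
    out = copy.deepcopy(pod_spec)
    for container in out.get("containers", []):
        sc = container.get("securityContext")
        if not sc:
            continue
        sc.pop("privileged", None)
        if drop_capabilities and "capabilities" in sc:
            sc["capabilities"].pop("add", None)
            if not sc["capabilities"]:
                del sc["capabilities"]
        if not sc:
            # Leave no empty securityContext behind so the SCC can inject
            # its own defaults (run-as-user range, dropped caps) cleanly.
            del container["securityContext"]
    return out


if __name__ == "__main__":
    for msg in find_scc_violations(SAMPLE_POD_SPEC):
        print(msg)
    fixed = strip_privileged(SAMPLE_POD_SPEC)
    print(json.dumps(fixed, indent=2))
    print("remaining violations:", find_scc_violations(fixed))
```

To run this against a live cluster, export the template the operator produced with `oc get statefulset rook-nfs -o json` and pass the `.spec.template.spec` object to `find_scc_violations`. Note that calling `strip_privileged(spec, drop_capabilities=False)`, which mirrors removing only `privileged: true`, still leaves the two capability errors from the quoted message unless the service account is bound to an SCC that allows those capabilities.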
@jpsalvesen (Author)

Privileged: &privileged,
- this may or may not be a good place to start looking

@kerukulla

Hello, is the issue resolved? If yes can you please let me know what was done to resolve?
