Description
Describe the bug:
Good day,
I am facing this issue in an OpenShift Kubernetes cluster.
Deployment deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX, which is spawned after an RWX PVC is created, cannot run because of this error:
message: 'pods "nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-5fc49cd65c-" is forbidden:
unable to validate against any security context constraint: [provider "anyuid":
Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].privileged:
Invalid value: true: Privileged containers are not allowed, provider "restricted":
Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden:
not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable
by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable
by user or serviceaccount, provider "machine-api-termination-handler": Forbidden:
not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden:
not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not
usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable
by user or serviceaccount, provider "node-exporter": Forbidden: not usable by
user or serviceaccount, provider "privileged": Forbidden: not usable by user
or serviceaccount]'
Expected behaviour:
Deployment will run even on OpenShift Kubernetes cluster
Steps to reproduce the bug:
OpenShift requires the service account to be added to the privileged SCC to be able to do some privileged operations. So I installed OpenEBS the default Helm chart way and also had to run these commands:
oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-cstor-csi-node-sa
oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-cstor-operator
oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs
oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-nfs-provisioner
All is running and working fine for RWO volumes.
When I create an RWX PVC request, a deployment for the PVC is spawned with the name deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX. This deployment fails because it is not running under any service account.
I am able to overcome this issue by editing this deployment and adding there:
serviceAccount: openebs-nfs-provisioner
serviceAccountName: openebs-nfs-provisioner
Those entries are from pod/openebs-nfs-provisioner-6f579d65cd-cnvgl, but are not present in the mentioned deployment.
I understand that this is an OpenShift-specific issue; still, it would be fine to have all this working there too.
So my question is: is there currently some way to tell OpenEBS to spawn deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX with a service account? Maybe I missed some Helm chart option or so.
If not, is it possible to add it, please?
Thank you very much
Environment details:
- OpenEBS version (use kubectl get po -n openebs --show-labels):
[admin@bastion ~]$ kubectl get po -n openebs --show-labels
NAME READY STATUS RESTARTS AGE LABELS
cstor-disk-pool-2lft-684f98cb49-wssdv 3/3 Running 0 82m app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-2lft,openebs.io/version=3.5.0,pod-template-hash=684f98cb49
cstor-disk-pool-hq7c-8bf949bf4-ks2xz 3/3 Running 0 82m app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-hq7c,openebs.io/version=3.5.0,pod-template-hash=8bf949bf4
cstor-disk-pool-x96d-68bbc79885-gjwr7 3/3 Running 0 82m app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-x96d,openebs.io/version=3.5.0,pod-template-hash=68bbc79885
nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-68478f6f69-9zlg2 1/1 Running 0 78m nfs.openebs.io/nfs-pvc-name=pvc4registry,nfs.openebs.io/nfs-pvc-namespace=openshift-image-registry,nfs.openebs.io/nfs-pvc-uid=6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,openebs.io/nfs-server=nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,pod-template-hash=68478f6f69
openebs-cstor-admission-server-754d45d94d-5sbx9 1/1 Running 0 82m app=cstor-admission-webhook,chart=cstor-3.5.0,component=cstor-admission-webhook,heritage=Helm,openebs.io/component-name=cstor-admission-webhook,openebs.io/version=3.5.0,pod-template-hash=754d45d94d,release=openebs
openebs-cstor-csi-controller-0 6/6 Running 3 (63m ago) 82m chart=cstor-3.5.0,component=openebs-cstor-csi-controller,controller-revision-hash=openebs-cstor-csi-controller-8b4c6f67d,heritage=Helm,name=openebs-cstor-csi-controller,openebs.io/component-name=openebs-cstor-csi-controller,openebs.io/version=3.5.0,release=openebs,statefulset.kubernetes.io/pod-name=openebs-cstor-csi-controller-0
openebs-cstor-csi-node-7lvx7 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-8tgzr 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-lmp2f 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-nfptz 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-rrgh7 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-rvn5f 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-sk559 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-xzbx4 2/2 Running 0 82m chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-cspc-operator-5d56bb87f4-hw9fp 1/1 Running 0 82m chart=cstor-3.5.0,component=cspc-operator,heritage=Helm,name=cspc-operator,openebs.io/component-name=cspc-operator,openebs.io/version=3.5.0,pod-template-hash=5d56bb87f4,release=openebs
openebs-cstor-cvc-operator-5dbbcc978c-2ssp4 1/1 Running 0 82m chart=cstor-3.5.0,component=cvc-operator,heritage=Helm,name=cvc-operator,openebs.io/component-name=cvc-operator,openebs.io/version=3.5.0,pod-template-hash=5dbbcc978c,release=openebs
openebs-ndm-298mx 1/1 Running 0 82m app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-4wl7k 1/1 Running 0 82m app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-lk4dj 1/1 Running 0 82m app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-operator-79d7f69c95-p9z5v 1/1 Running 0 82m app=openebs,component=ndm-operator,name=ndm-operator,openebs.io/component-name=ndm-operator,openebs.io/version=3.9.0,pod-template-hash=79d7f69c95,release=openebs
openebs-nfs-provisioner-6f579d65cd-9wq2l 1/1 Running 3 (63m ago) 78m app=nfs-provisioner,chart=nfs-provisioner-0.10.0,component=nfs-provisioner,heritage=Helm,name=openebs-nfs-provisioner,openebs.io/component-name=openebs-nfs-provisioner,openebs.io/version=0.10.0,pod-template-hash=6f579d65cd,release=openebs
pvc-2723cbd5-5817-4580-ab9f-988bb6466be6-target-57f8d48955c67mf 3/3 Running 0 78m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,openebs.io/persistent-volume=pvc-2723cbd5-5817-4580-ab9f-988bb6466be6,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=57f8d48955
pvc-2b479f7a-36d0-4925-aceb-197e28696966-target-68dfb4d5f7km7sp 3/3 Running 0 55m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-user-workload-db-prometheus-user-workload-0,openebs.io/persistent-volume=pvc-2b479f7a-36d0-4925-aceb-197e28696966,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=68dfb4d5f7
pvc-3185c17b-953a-4276-9376-8cfc63ba5645-target-54bf95b4d8ththj 3/3 Running 0 71m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-3,openebs.io/persistent-volume=pvc-3185c17b-953a-4276-9376-8cfc63ba5645,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=54bf95b4d8
pvc-4729e96f-ad29-4ea9-91b7-c59b62a1f7c3-target-57ffdc755976n8w 3/3 Running 0 56m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=thanos-ruler-user-workload-data-thanos-ruler-user-workload-1,openebs.io/persistent-volume=pvc-4729e96f-ad29-4ea9-91b7-c59b62a1f7c3,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=57ffdc7559
pvc-6c6112a2-a80a-4c2a-a31f-536879e88e98-target-c49f765fb-sdpmb 3/3 Running 0 55m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-k8s-db-prometheus-k8s-1,openebs.io/persistent-volume=pvc-6c6112a2-a80a-4c2a-a31f-536879e88e98,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=c49f765fb
pvc-846a3630-175e-4a3d-898a-a6f8c65a8df3-target-f7fbc949-cswzf 3/3 Running 0 71m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-2,openebs.io/persistent-volume=pvc-846a3630-175e-4a3d-898a-a6f8c65a8df3,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=f7fbc949
pvc-87d3e0ad-9423-4400-877e-80f555b0e4e0-target-86cc6497f52jrw5 3/3 Running 0 71m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-1,openebs.io/persistent-volume=pvc-87d3e0ad-9423-4400-877e-80f555b0e4e0,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=86cc6497f5
pvc-95ddb76a-6c29-449e-a907-486e006bb041-target-86bd8967bd9mb9g 3/3 Running 0 56m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=thanos-ruler-user-workload-data-thanos-ruler-user-workload-0,openebs.io/persistent-volume=pvc-95ddb76a-6c29-449e-a907-486e006bb041,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=86bd8967bd
pvc-9853daf6-4a8b-4b47-a5aa-e06459a95df2-target-866c7b5fcbdbrms 3/3 Running 0 55m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-k8s-db-prometheus-k8s-0,openebs.io/persistent-volume=pvc-9853daf6-4a8b-4b47-a5aa-e06459a95df2,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=866c7b5fcb
pvc-cfaf271c-fc86-4172-9649-123d749eb6b1-target-79c7b8c8459l54q 3/3 Running 0 55m app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-user-workload-db-prometheus-user-workload-1,openebs.io/persistent-volume=pvc-cfaf271c-fc86-4172-9649-123d749eb6b1,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=79c7b8c845
[admin@bastion ~]$
- Kubernetes version (use kubectl version):
[admin@bastion ~]$ oc version
Client Version: 4.13.22
Kustomize Version: v4.5.7
Server Version: 4.13.22
Kubernetes Version: v1.26.9+636f2be
- Cloud provider or hardware configuration:
Baremetal based OpenShift 4.13.22 cluster
- OS (e.g: cat /etc/os-release):
Red Hat Enterprise Linux CoreOS 413.92.202311061658-0 (Plow)
- kernel (e.g: uname -a):
Linux infra02.dev1.ocp4.baremetal.xyz 5.14.0-284.40.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Nov 1 10:30:09 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
- others:
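
Added example, not part of the original report or of OpenEBS: a small parser for the SCC admission error quoted above. It separates SCCs that the pod's service account has not been granted ("not usable by user or serviceaccount") from SCCs it may use but whose rules the pod spec violates. The function names and the abridged sample message are assumptions made for illustration.

```python
import re

NOT_GRANTED = "not usable by user or serviceaccount"
MARKER = "security context constraint: ["
# One 'provider <name>: <reason>' entry; the SCC name may be quoted or bare.
ENTRY = re.compile(r'provider "?(?P<scc>[\w.-]+)"?: (?P<reason>.*?)(?=, provider |$)')

# Constructed sample: the error from the report, abridged to four providers,
# with the line wrapping that YAML/event output introduces.
SAMPLE = '''pods "nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-5fc49cd65c-" is forbidden:
unable to validate against any security context constraint: [provider "anyuid":
Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].privileged:
Invalid value: true: Privileged containers are not allowed, provider "restricted":
Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user
or serviceaccount]'''


def parse_scc_denial(message):
    """Return {scc_name: reason} for every SCC listed in the denial."""
    flat = " ".join(message.split())          # undo line wrapping
    start = flat.find(MARKER)
    if start == -1:
        return {}                             # not an SCC admission denial
    # Drop the closing "]" (and a trailing quote) so that "]" inside a reason,
    # as in ".containers[0]", cannot end an entry early.
    body = flat[start + len(MARKER):].rstrip(" ']")
    return {m["scc"]: m["reason"].strip() for m in ENTRY.finditer(body)}


def triage(message):
    """Split SCCs into those the service account is not granted and those it
    may use but whose rules the pod spec violates."""
    denials = parse_scc_denial(message)
    not_granted = sorted(s for s, r in denials.items() if NOT_GRANTED in r)
    failed = {s: r for s, r in denials.items() if NOT_GRANTED not in r}
    return {"not_granted": not_granted, "failed_validation": failed}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("SCCs not granted to the pod's service account:", result["not_granted"])
    for scc, reason in result["failed_validation"].items():
        print(f"SCC {scc} is usable but rejected the pod spec: {reason}")
```

When "privileged" appears under not_granted, the account the pod actually runs as is not bound to the privileged SCC, which is the situation the serviceAccountName workaround in the report addresses.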