Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Openshift: unable to validate against any security > context constraint

Tags:

kubernetes

openshift

I try to create the following statefulSet: 

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster
  namespace: efk
spec:
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.2.0
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
        ports:
        - containerPort: 9200
          name: rest
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        env:
        - name: cluster.name
          value: k8s-logs
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: discovery.zen.ping.unicast.hosts
          value: "es-cluster-0.elasticsearch,es-cluster-1.elasticsearch,es-cluster-2.elasticsearch"
        - name: discovery.zen.minimum_master_nodes
          value: "2"
        - name: ES_JAVA_OPTS
          value: "-Xms256m -Xmx256m"
      initContainers:
      - name: fix-permissions
        image: busybox
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        securityContext:
          privileged: true
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      - name: increase-vm-max-map
        image: busybox
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      - name: increase-fd-ulimit
        image: busybox
        command: ["sh", "-c", "ulimit -n 65536"]
        securityContext:
          privileged: true
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "pv0002"
      resources:
        requests:
          storage: 100Mi

Unfortunately I run in the following exception which I don't seem to be able to resolve:

create Pod es-cluster-0 in StatefulSet es-cluster failed error: pods "es-cluster-0" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[2].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

I added: 

oc adm policy add-scc-to-user privileged developer

Not sure what else I'm supposed to check, I expect it to work.

Note: I use CRC on Mac OSX locally. https://github.com/code-ready/crc

Edit, I went overboard and added all possible users that came to mind: 

oc describe scc 

Name:                                           privileged
Priority:                                       <none>
Access:                                         
  Users:                                        system:admin,system:serviceaccount:openshift-infra:build-controller,developer,deployer,default,builder,statefulset-controller
  Groups:                                       system:cluster-admins,system:nodes,system:masters
Settings:                                       
  Allow Privileged:                             true
  Allow Privilege Escalation:                   true
  Default Add Capabilities:                     <none>
  Required Drop Capabilities:                   <none>
  Allowed Capabilities:                         *
  Allowed Seccomp Profiles:                     *
  Allowed Volume Types:                         *
  Allowed Flexvolumes:                          <all>
  Allowed Unsafe Sysctls:                       *
  Forbidden Sysctls:                            <none>
  Allow Host Network:                           true
  Allow Host Ports:                             true
  Allow Host PID:                               true
  Allow Host IPC:                               true
  Read Only Root Filesystem:                    false
  Run As User Strategy: RunAsAny                
    UID:                                        <none>
    UID Range Min:                              <none>
    UID Range Max:                              <none>
  SELinux Context Strategy: RunAsAny            
    User:                                       <none>
    Role:                                       <none>
    Type:                                       <none>
    Level:                                      <none>
  FSGroup Strategy: RunAsAny                    
    Ranges:                                     <none>
  Supplemental Groups Strategy: RunAsAny        
    Ranges:                                     <none>

Same error wtf...

like image 714
html_programmer Avatar asked Apr 15 '20 22:04

html_programmer

People also ask

What is OpenShift security context?

OpenShift provides security context constraints (SCC) that control the actions that a pod can perform and what it has the ability to access.

What is security context constraints?

Security context constraints can help you control what actions and access the pods in your container have, such as the usage of privileged containers, root namespaces, host networking and ports, volume types, host file systems, Linux permissions such as read-only or group IDs, and more.

How does SCC work in OpenShift?

A container or pod that requests a specific user ID will be accepted by OpenShift Container Platform only when a service account or a user is granted access to a SCC that allows such a user ID. The SCC can allow arbitrary IDs, an ID that falls into a range, or the exact user ID specific to the request.

What is Anyuid in OpenShift?

anyuid. anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. In platforms such as kubernetes and OpenShift this will be the equivalent as allowing UID 0, or root user, both inside and outside the container.

1 Answers

Fixed this by using: 

oc adm policy add-scc-to-user privileged -z default -n efk

Manual:

-z, --serviceaccount=[]: service account in the current namespace to use as a user

like image 171
html_programmer Avatar answered Sep 22 '22 11:09

html_programmer
Sign in to Comment

Related questions

helm upgrade error "Error: This command needs 2 arguments: release name, chart path"
Is there a way in Kubernetes to check when hpa happened?
unable to recognize "filebeat-kubernetes.yaml": no matches for kind "DaemonSet" in version "extensions/v1beta1"
GO - Docker ask certificate on K8S container
How can I pass environment variables to mongo docker-entrypoint-initdb.d?
How can one pipe stdin into a container in a pod in Kuberentes?
Is it possible to deploy a docker hub publicly hosted image to Kubernetes Container Engine without uploading it to Containers Registery?
Kubernetes share volume between containers inside a Deployment
Can't access Google Cloud Datastore from Google Kubernetes Engine cluster
How to setMasterUrl in Ignite XML config for Kubernetes IPFinder
Kubernetes: configmaps is forbidden: User "kube" cannot list configmaps in the namespace "default"
Horizontal pod autoscaling in Kubernetes
Why using Eureka?
Is kubeadm production ready now?
Shell (ssh) into Azure AKS (Kubernetes) cluster worker node
How do I get individual pod hostnames in a Deployment registered and looked up in Kubernetes?
Amazon EKS: generate/update kubeconfig via python script
Using a connector with Helm-installed Kafka/Confluent
Kubectl pod vs pods
Ufw firewall blocks kubernetes (with calico)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!