KubeflowDojo No ready pod for deployment `grafana` in ns `istio-system` when using kfctl_openshift_tekton

No ready pod for deployment `grafana` in ns `istio-system` when using kfctl_openshift_tekton_kfserving.v1.10.yaml

Open shawnzhu opened this issue 4 years ago • 2 comments

After deploying kfctl_openshift_tekton_kfserving.v1.10.yaml successfully, I found no pod for deployment grafana.

When running oc get deploy -n istio-system -o yaml grafana, it will show messages like:

   message: 'pods "grafana-68bcfd88b6-" is forbidden: unable to validate against
      any security context constraint: [fsGroup: Invalid value: []int64{472}: 472
      is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser:
      Invalid value: 472: must be in the ranges: [1000930000, 1000939999]]'
    reason: FailedCreate

I noticed that it doesn't specify any service account nor SCC for it. so guess it needs to add it to allow fsGroup id 472

Oct 08 '20 14:10 shawnzhu

Thanks @shawnzhu, what openshift environment did you test this on. We were testing it with Fyre Ember OCP 4.3 for this deployment.

Oct 08 '20 16:10 Tomcli

my environment is an OpenShift from IBM Cloud:

$ oc version
Client Version: 4.3.23-202005230952-4fb2d4d
Server Version: 4.3.35
Kubernetes Version: v1.16.2+7279a4a

Oct 08 '20 17:10 shawnzhu

KubeflowDojo KubeflowDojo copied to clipboard

No ready pod for deployment `grafana` in ns `istio-system` when using kfctl_openshift_tekton_kfserving.v1.10.yaml

KubeflowDojo
KubeflowDojo copied to clipboard