helm-charts
Deployment no longer works with OpenShift
Have been testing against OpenShift 4.11 and the pods won't spin up, citing:
create Pod test-postgresql-0 in StatefulSet test-postgresql failed error: pods "test-postgresql-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001300000, 1001309999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
I had tried a values file looking like the following:
applicationSettings:
  initialModel: "https://github.com/RasaHQ/rasa-x-demo/blob/master/models/model.tar.gz?raw=true"
postgresql:
  volumePermissions:
    securityContext:
      runAsUser: "auto"
  securityContext:
    enabled: false
  shmVolume:
    chmod:
      enabled: false
nginx:
  image:
    name: nginxinc/nginx-unprivileged
  port: 8080
Deleted my namespace and re-ran the installation - but the same error persists. Looking in the stateful set, it does appear as though uid 1001 is used for the user, which is not allowed in OpenShift.
Specific for postgres I have:
postgresql:
  containerSecurityContext:
    enabled: false
  securityContext:
    enabled: false
And there is also the global setting securityContext -> securityContext: false you can set. See: https://github.com/RasaHQ/rasa-x-helm/blob/main/charts/rasa-x/values.yaml#L882
Running into the same issue. I tried the same thing as @psav (my values file looked the same) and got the same error. I also used this values file from rasa https://github.com/RasaHQ/helm-charts/blob/main/charts/rasa/values.yaml and changed those nginx and postgresql values. Once I did that, the error says connection refused and failed to connect upstream. Just following the rasa documentation alone, it doesn’t even start up the PostgreSQL. Creating an anyuid SCC to account for the permission issue since OpenShift doesn’t allow for user value 1001 got a postgresql pod to run but it ultimately failed. It doesn’t seem like the values file actually changes anything when looking at the yml files in OpenShift clusters.
I was with @kaitlynabdo when we were doing the testing mentioned -- the PostgreSQL pod failed with an inability to write to the (default?) data folder. I think the PostgreSQL part of the chart for running on top of OCP is a bit borked.
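A way to check whether a values override actually removed the hard-coded UIDs, added here as an example and not part of the thread or the chart: it scans a workload's pod template for explicit runAsUser values outside the namespace's range. The sample StatefulSet and container names are constructed, and the range is assumed to come from the namespace annotation openshift.io/sa.scc.uid-range in `<start>/<size>` form.

```python
import json

# Constructed sample: a trimmed StatefulSet in the shape that
# `oc get statefulset -o json` returns (not taken from the issue).
SAMPLE_STATEFULSET = json.loads("""
{
  "kind": "StatefulSet",
  "metadata": {"name": "test-postgresql"},
  "spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 1001},
    "initContainers": [
      {"name": "volume-permissions", "securityContext": {"runAsUser": 0}}
    ],
    "containers": [
      {"name": "test-postgresql", "securityContext": {"runAsUser": 1001}},
      {"name": "metrics"}
    ]
  }}}
}
""")

def parse_uid_range(annotation):
    """Parse an openshift.io/sa.scc.uid-range value ("<start>/<size>") into (low, high)."""
    start, size = (int(part) for part in annotation.split("/"))
    return start, start + size - 1

def find_rejected_uids(workload, uid_range_annotation):
    """Return (location, uid) for every explicit runAsUser outside the namespace range."""
    low, high = parse_uid_range(uid_range_annotation)
    pod = workload["spec"]["template"]["spec"]
    candidates = [("pod", pod.get("securityContext") or {})]
    for kind in ("initContainers", "containers"):
        for c in pod.get(kind, []):
            candidates.append((f"{kind}/{c['name']}", c.get("securityContext") or {}))
    rejected = []
    for location, ctx in candidates:
        uid = ctx.get("runAsUser")
        # An absent runAsUser passes: the SCC assigns a UID from the range at admission.
        if uid is not None and not low <= uid <= high:
            rejected.append((location, uid))
    return rejected

if __name__ == "__main__":
    # "1001300000/10000" is the range [1001300000, 1001309999] from the error above.
    for location, uid in find_rejected_uids(SAMPLE_STATEFULSET, "1001300000/10000"):
        print(f"{location}: runAsUser {uid} is outside the namespace UID range")
```

Run against the rendered chart output before installing, an empty result means no container pins a UID that the range-restricted SCCs would reject.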