linkerd2
Unable to inject Linkerd proxy on OpenShift without configuring privileged SCC on the workload
What is the issue?
I'm unable to inject the Linkerd proxy on OpenShift without configuring the privileged SCC on the workload. Workloads that can run with the restricted or other SCCs should not need to be given the privileged SCC after being injected with Linkerd.
How can it be reproduced?
Deploy Linkerd 2.14.1 on OpenShift 4.13/4.12, then inject a workload with Linkerd by setting the annotations on the namespace. Restart the deployment. The ReplicaSet will fail.
Logs, error output, etc
When I configure the workload with an SCC other than privileged, the workload replica fails with this error:
Error creating: pods "<redacted-podname>" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-proxy]: Forbidden: seccomp may not be set, provider "<redacted>": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 2102: must be in the ranges: [1001060000, 1001069999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "loki": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
output of linkerd check -o short
linkerd-ha-checks
-----------------
‼ pod injection disabled on kube-system
kube-system namespace needs to have the label config.linkerd.io/admission-webhooks: disabled if injector webhook failure policy is Fail
see https://linkerd.io/2.14/checks/#l5d-injection-disabled for hints
Status check results are √
Environment
K8s 1.26
OpenShift 4.13
Linkerd 2.14.1 (with Linkerd CNI)
Host OS: CoreOS
Possible solution
I removed the security context from the partials chart's _proxy.tpl. It seems the linkerd-network-validator container wants to run as root and therefore fails.
Additional context
No response
Would you like to work on fixing this bug?
Yes, willing to work with Linkerd team
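To show why the injected proxy's fixed runAsUser 2102 is rejected by restricted-v2 in the error above, here is an added example (not Linkerd or OpenShift code) that reproduces the MustRunAsRange check: the SCC derives the allowed UID range from the namespace annotation openshift.io/sa.scc.uid-range (a real OpenShift convention, "start/length"), and any container that pins a UID outside it fails admission. The namespace and pod spec are constructed to mirror the range quoted in the error.

```python
"""Mimic the MustRunAsRange UID check that restricted-v2 applies to a pod.

Added example, not Linkerd or OpenShift code. The annotation key and its
"start/length" format are real OpenShift conventions; the namespace and pod
below are constructed sample input."""

# Constructed namespace: 1001060000/10000 is the range quoted in the error.
NAMESPACE = {
    "metadata": {
        "annotations": {"openshift.io/sa.scc.uid-range": "1001060000/10000"}
    }
}

# Constructed pod spec: the injected proxy carries a fixed runAsUser 2102,
# the application container leaves runAsUser unset so the SCC can assign it.
POD = {
    "spec": {
        "containers": [
            {"name": "linkerd-proxy", "securityContext": {"runAsUser": 2102}},
            {"name": "app"},
        ]
    }
}


def uid_range(namespace):
    """Parse 'start/length' into an inclusive (lo, hi) tuple."""
    ann = namespace["metadata"]["annotations"]["openshift.io/sa.scc.uid-range"]
    start, length = (int(x) for x in ann.split("/"))
    return start, start + length - 1


def must_run_as_range_violations(pod, namespace):
    """Return one message per container whose explicit runAsUser falls
    outside the namespace range. An unset runAsUser passes: the SCC
    defaults it to the start of the range at admission time."""
    lo, hi = uid_range(namespace)
    violations = []
    for i, c in enumerate(pod["spec"]["containers"]):
        uid = c.get("securityContext", {}).get("runAsUser")
        if uid is not None and not lo <= uid <= hi:
            violations.append(f".containers[{i}].runAsUser: Invalid value: "
                              f"{uid}: must be in the ranges: [{lo}, {hi}]")
    return violations


if __name__ == "__main__":
    for v in must_run_as_range_violations(POD, NAMESPACE):
        print(v)
```

Running it prints the same `.containers[0].runAsUser` complaint as the real admission error, which is why removing the hard-coded security context (or using a UID inside the namespace range) lets the pod be admitted under a non-privileged SCC.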
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
I am seeing similar problems using the linkerd-edge helm repo.
+1