nginx-gateway-fabric
NGF fails to deploy on OpenShift
Describe the bug
NGF fails to deploy on OpenShift when using the Helm chart
output:
[cloud-user@ocp-provisioner nginx-gateway-fabric]$ helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
Pulled: ghcr.io/nginxinc/charts/nginx-gateway-fabric:1.1.0
Digest: sha256:2a3aa5e2b61334a135b909f389b190ed9514b2d77c529068eb3bef4e08d0f7ec
W0312 16:49:51.427508 14348 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx-gateway" must not include "KILL" in securityContext.capabilities.add), seccompProfile (pod or containers "nginx-gateway", "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Deployment is created with this condition:
status:
  conditions:
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Created new replica set "ngf-nginx-gateway-fabric-777dc84497"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: 'pods "ngf-nginx-gateway-fabric-777dc84497-" is forbidden: unable to
      validate against any security context constraint: [provider "anyuid": Forbidden:
      not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup:
      Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser:
      Invalid value: 102: must be in the ranges: [1000700000, 1000709999], spec.containers[0].securityContext.capabilities.add:
      Invalid value: "KILL": capability may not be added, spec.containers[1].securityContext.runAsUser:
      Invalid value: 101: must be in the ranges: [1000700000, 1000709999], provider
      "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
      Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
      not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden:
      not usable by user or serviceaccount, provider "machine-api-termination-handler":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
      not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
      usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable
      by user or serviceaccount, provider "privileged": Forbidden: not usable by user
      or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1
To Reproduce
- Create OpenShift cluster
- Install Gateway API resources
- Run: helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
Expected behavior
NGF deploys correctly.
Your environment
- Version of the NGINX Gateway Fabric - 1.1.0
- Version of Kubernetes - 1.25.10
- Kubernetes platform (e.g. Mini-kube or GCP) - OpenShift v4.12.20
Ah of course, OpenShift. We'll need to create a SecurityContextConstraint
that has the proper permissions to deploy NGF.
Would be great to have this documented and why we need these extra capabilities, especially the KILL.
We may be able to look at NIC's SCC available here
We'll also probably require a field in our Helm chart to say whether we are on Kubernetes or OpenShift to determine whether or not to create the SCC when installing.
An update to our installation docs will be required to explain this, and we should also add a reference doc to describe the permissions we use and why we use them.
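A SecurityContextConstraints object that grants only the settings the admission error above rejected (fsGroup 1001, runAsUser 101 and 102, the KILL capability) and binds it to the NGF service account alone, so the pod is admitted without granting it anyuid or privileged. This is an added example, not the project's chart or NIC's SCC. The SCC name, the service account name ngf-nginx-gateway-fabric, the volume list and the NET_BIND_SERVICE entry are assumptions; check them against the rendered chart before applying.

```yaml
# Minimal SCC for NGF 1.1.0 in namespace nginx-gateway (added example, not from the chart).
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nginx-gateway-fabric        # assumed name
# Keep every host-level permission off; nothing in the error asked for them.
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowPrivilegeEscalation: false     # admission defaults the nginx container to false too
readOnlyRootFilesystem: false
# Only the capabilities the pod actually adds; everything else is dropped.
allowedCapabilities:
  - KILL                            # rejected on containers[0] (nginx-gateway)
  - NET_BIND_SERVICE                # assumption: nginx binds 80/443 as a non-root UID
requiredDropCapabilities:
  - ALL
# UID range covering exactly the two rejected values (101 = nginx, 102 = nginx-gateway).
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 101
  uidRangeMax: 102
# fsGroup 1001 was "not an allowed group" under restricted-v2; allow just that one.
fsGroup:
  type: MustRunAs
  ranges:
    - min: 1001
      max: 1001
supplementalGroups:
  type: RunAsAny                    # the pod does not request any
seLinuxContext:
  type: MustRunAs                   # use the project's SELinux labels
# Satisfies the PodSecurity "restricted" seccomp requirement from the helm warning.
seccompProfiles:
  - runtime/default
# Assumed volume types; extend only if the rendered Deployment uses more.
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - projected
  - secret
# Bind to the one service account instead of a group or a whole namespace.
users:
  - system:serviceaccount:nginx-gateway:ngf-nginx-gateway-fabric
```

After applying it with oc apply -f and re-running the Helm install, read the pod's openshift.io/scc annotation to confirm this SCC was selected rather than a broader one.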