
Opensearch won't start on OpenShift

Open fmhwong opened this issue 3 months ago • 0 comments

Bug Report

Which version of the demo you are using? opentelemetry-helm-charts b969a4f

Symptom

A clear and concise description of what the bug is.

What is the expected behavior? Following the install instructions from https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-demo#readme, the Opensearch pod should start up successfully.

What is the actual behavior? Opensearch statefulSet won't start any pod.

create Pod otel-demo-opensearch-0 in StatefulSet otel-demo-opensearch failed error: pods "otel-demo-opensearch-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1000700000, 1000709999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

It looks like Opensearch is not running with service account opentelemetry-demo.

Reproduce

1. helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
2. oc new-project opentelemetry-demo
3. oc create sa opentelemetry-demo
4. oc adm policy add-scc-to-user anyuid -z opentelemetry-demo
5. helm install otel-demo open-telemetry/opentelemetry-demo \
    --namespace opentelemetry-demo \
    --set serviceAccount.create=false \
    --set serviceAccount.name=opentelemetry-demo \
    --set prometheus.rbac.create=false \
    --set prometheus.serviceAccounts.server.create=false \
    --set prometheus.serviceAccounts.server.name=opentelemetry-demo \
    --set grafana.rbac.create=false \
    --set grafana.serviceAccount.create=false \
    --set grafana.serviceAccount.name=opentelemetry-demo

Manually adding the following to the statefulSet yaml resolved the problem.

    spec:
      restartPolicy: Always
      serviceAccountName: opentelemetry-demo

We will close this issue if:

  • The steps you provided are complex.
  • If we can not reproduce the behavior you're reporting.

Additional Context

Environment: OpenShift version 4.15.3 with 3 master nodes and 3 worker nodes

fmhwong avatar Apr 04 '24 14:04 fmhwong
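An added example, not part of the original issue or the chart: a pre-install check that lists workloads whose pod template does not name the service account that was granted `anyuid` and that pin a UID or fsGroup outside the namespace range, which is the combination `restricted-v2` rejects in the error above. The sample JSON, the `example-workload` and container names, the annotation value `1000700000/10000` (chosen to match the range in the error) and the use of one range for both UID and fsGroup are assumptions.

```python
import json

# Constructed sample in the shape of `oc get deploy,statefulset -o json`;
# only the StatefulSet name and the ID 1000 come from the issue.
SAMPLE = json.loads("""
{"items": [
  {"kind": "StatefulSet", "metadata": {"name": "otel-demo-opensearch"},
   "spec": {"template": {"spec": {
     "securityContext": {"fsGroup": 1000},
     "containers": [{"name": "opensearch",
                     "securityContext": {"runAsUser": 1000}}]}}}},
  {"kind": "Deployment", "metadata": {"name": "example-workload"},
   "spec": {"template": {"spec": {
     "serviceAccountName": "opentelemetry-demo",
     "containers": [{"name": "app",
                     "securityContext": {"runAsUser": 1000}}]}}}}
]}
""")

def parse_range(annotation):
    """Turn a '<start>/<size>' namespace annotation into (low, high)."""
    start, size = (int(p) for p in annotation.split("/"))
    return start, start + size - 1

def audit(workload_list, granted_sa, id_range):
    """Return (kind/name, sa, problems) for pods restricted-v2 would reject."""
    low, high = id_range
    findings = []
    for item in workload_list["items"]:
        pod = item["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName", "default")  # unset means "default"
        if sa == granted_sa:
            continue  # admitted through the SCC granted to this account
        pod_sc = pod.get("securityContext", {})
        problems = []
        if "fsGroup" in pod_sc and not low <= pod_sc["fsGroup"] <= high:
            problems.append(f"fsGroup={pod_sc['fsGroup']}")
        for c in pod["containers"]:
            uid = c.get("securityContext", {}).get("runAsUser",
                                                   pod_sc.get("runAsUser"))
            if uid is not None and not low <= uid <= high:
                problems.append(f"{c['name']}.runAsUser={uid}")
        if problems:
            findings.append((f"{item['kind']}/{item['metadata']['name']}", sa, problems))
    return findings

if __name__ == "__main__":
    for name, sa, problems in audit(SAMPLE, "opentelemetry-demo",
                                    parse_range("1000700000/10000")):
        print(f"{name}: runs as '{sa}', out of range: {', '.join(problems)}")
```

Any workload it reports needs either `serviceAccountName` set in its pod template or its fixed IDs removed; granting `anyuid` to the `default` service account would widen privileges for every pod in the namespace.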