nfs
1.7.3 operator appears to generate unexpected, non-functional statefulset on openshift 4.8
Is this a bug report or feature request?
- Bug Report
Deviation from expected behavior: Set up SCC, PSP and RBAC very closely following examples in this repo and the quickstart - https://rook.io/docs/nfs/v1.7/quickstart.html
NFS service did not come up and the statefulset the operator produced contained a securityContext for "privileged: true", which seems to trigger this message:
```
28m Warning FailedCreate statefulset/rook-nfs create Pod rook-nfs-0 in StatefulSet rook-nfs failed error: pods "rook-nfs-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_READ_SEARCH": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "SYS_ADMIN": capability may not be added, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa": Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount]
```
Expected behavior: NFS service comes up
How to reproduce it (minimal and precise): You can probably reproduce with a throw-away openshift 4.8 cluster at https://developers.redhat.com/developer-sandbox
To work around / resolve, I altered the statefulset resource, removing the "privileged: true" entry, and then openshift applied the SCC/PSP/RBAC policies as intended.
https://github.com/rook/nfs/blob/3df639c8d166c569039ac7585832ffe62b418529/pkg/operator/nfs/spec.go#L133 - this may or may not be a good place to start looking
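The workaround described in the report, modelled as an added example (this is not rook/nfs project code and not the reporter's). The StatefulSet below is a constructed manifest that mirrors only the shape the SCC error reveals (container 0 adds DAC_READ_SEARCH and SYS_ADMIN, container 1 is privileged); container names and images are placeholders. The two policy dicts are hypothetical approximations: RESTRICTED models the rejections quoted in the error message, CUSTOM_SCC models an SCC that allows those two capabilities but not privileged containers, which is the situation the reporter's observation implies. The script reports which fields such a policy would reject, applies the manual edit (drop `privileged: true`), and emits the equivalent RFC 6902 JSON Patch so the same edit can be made with `kubectl patch --type=json` instead of hand-editing the resource.

```python
"""Pre-flight check of a StatefulSet pod template against SCC-style rules.

Added example, not part of rook/nfs. Manifest and policies are constructed
(see comments); field names follow the Kubernetes PodSpec schema.
"""
import copy
import json

# Constructed manifest (assumption): two containers shaped like the ones the
# SCC error message complains about. Names and images are placeholders.
STATEFULSET = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "rook-nfs", "namespace": "rook-nfs"},
    "spec": {
        "serviceName": "rook-nfs",
        "replicas": 1,
        "selector": {"matchLabels": {"app": "rook-nfs"}},
        "template": {
            "metadata": {"labels": {"app": "rook-nfs"}},
            "spec": {
                "containers": [
                    {
                        "name": "nfs-server",  # placeholder name
                        "image": "example.invalid/nfs-server:placeholder",
                        "securityContext": {
                            "capabilities": {"add": ["DAC_READ_SEARCH", "SYS_ADMIN"]}
                        },
                    },
                    {
                        "name": "nfs-provisioner",  # placeholder name
                        "image": "example.invalid/nfs-provisioner:placeholder",
                        "securityContext": {"privileged": True},
                    },
                ]
            },
        },
    },
}

# Hypothetical policies (assumption): only the two checks quoted in the error.
RESTRICTED = {"allow_privileged": False, "allowed_capabilities": frozenset()}
CUSTOM_SCC = {
    "allow_privileged": False,
    "allowed_capabilities": frozenset({"DAC_READ_SEARCH", "SYS_ADMIN"}),
}


def scc_violations(pod_spec, policy=RESTRICTED):
    """Return admission-style messages for fields the policy would reject."""
    violations = []
    for i, c in enumerate(pod_spec.get("containers", [])):
        sc = c.get("securityContext") or {}
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap not in policy["allowed_capabilities"]:
                violations.append(
                    f'spec.containers[{i}].securityContext.capabilities.add: '
                    f'Invalid value: "{cap}": capability may not be added'
                )
        if sc.get("privileged") and not policy["allow_privileged"]:
            violations.append(
                f"spec.containers[{i}].securityContext.privileged: "
                f"Invalid value: true: Privileged containers are not allowed"
            )
    return violations


def strip_privileged(statefulset):
    """The manual workaround: drop privileged: true from every container.

    Returns a modified copy; the input is left untouched.
    """
    out = copy.deepcopy(statefulset)
    for c in out["spec"]["template"]["spec"]["containers"]:
        sc = c.get("securityContext")
        if sc and sc.get("privileged"):
            del sc["privileged"]
            if not sc:  # drop an empty securityContext left behind
                del c["securityContext"]
    return out


def json_patch_remove_privileged(statefulset):
    """RFC 6902 patch equivalent to strip_privileged(), for
    kubectl patch statefulset <name> --type=json -p '<this list as JSON>'."""
    containers = statefulset["spec"]["template"]["spec"]["containers"]
    return [
        {"op": "remove",
         "path": f"/spec/template/spec/containers/{i}/securityContext/privileged"}
        for i, c in enumerate(containers)
        if (c.get("securityContext") or {}).get("privileged")
    ]


if __name__ == "__main__":
    spec = STATEFULSET["spec"]["template"]["spec"]
    print("restricted:", *scc_violations(spec, RESTRICTED), sep="\n  ")
    print("custom SCC:", *scc_violations(spec, CUSTOM_SCC), sep="\n  ")
    fixed = strip_privileged(STATEFULSET)
    print("after workaround, custom SCC:",
          scc_violations(fixed["spec"]["template"]["spec"], CUSTOM_SCC))
    print(json.dumps(json_patch_remove_privileged(STATEFULSET)))
```

Under the RESTRICTED policy the workaround alone still leaves the two capability rejections, which is why a custom SCC that grants those capabilities (and a role binding that lets the NFS service account use it) is needed as well; the patch form is preferable to editing the live resource because the operator may otherwise reconcile the field straight back.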
Hello, is the issue resolved? If yes can you please let me know what was done to resolve?