Openshift: unable to validate against any security context constraint
Fixed this by using:
oc adm policy add-scc-to-user privileged -z default -n efk
Manual:
-z, --serviceaccount=[]: service account in the current namespace to use as a user
html_programmer
Java consultant. Passionate about web development in general and always experimenting with common software tech in my private time.
Updated on June 12, 2022
html_programmer almost 2 years
I try to create the following statefulSet:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster
  namespace: efk
spec:
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.2.0
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
        ports:
        - containerPort: 9200
          name: rest
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        env:
        - name: cluster.name
          value: k8s-logs
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: discovery.zen.ping.unicast.hosts
          value: "es-cluster-0.elasticsearch,es-cluster-1.elasticsearch,es-cluster-2.elasticsearch"
        - name: discovery.zen.minimum_master_nodes
          value: "2"
        - name: ES_JAVA_OPTS
          value: "-Xms256m -Xmx256m"
      initContainers:
      - name: fix-permissions
        image: busybox
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        securityContext:
          privileged: true
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      - name: increase-vm-max-map
        image: busybox
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      - name: increase-fd-ulimit
        image: busybox
        command: ["sh", "-c", "ulimit -n 65536"]
        securityContext:
          privileged: true
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "pv0002"
      resources:
        requests:
          storage: 100Mi
Unfortunately I run into the following error, which I don't seem to be able to resolve:
create Pod es-cluster-0 in StatefulSet es-cluster failed error: pods "es-cluster-0" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[2].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
I added:
oc adm policy add-scc-to-user privileged developer
Not sure what else I'm supposed to check, I expect it to work.
Note: I use CRC on Mac OSX locally. https://github.com/code-ready/crc
Edit: I went overboard and added all possible users that came to mind:
oc describe scc
Name:                        privileged
Priority:                    <none>
Access:
  Users:                     system:admin,system:serviceaccount:openshift-infra:build-controller,developer,deployer,default,builder,statefulset-controller
  Groups:                    system:cluster-admins,system:nodes,system:masters
Settings:
  Allow Privileged:          true
  Allow Privilege Escalation: true
  Default Add Capabilities:  <none>
  Required Drop Capabilities: <none>
  Allowed Capabilities:      *
  Allowed Seccomp Profiles:  *
  Allowed Volume Types:      *
  Allowed Flexvolumes:       <all>
  Allowed Unsafe Sysctls:    *
  Forbidden Sysctls:         <none>
  Allow Host Network:        true
  Allow Host Ports:          true
  Allow Host PID:            true
  Allow Host IPC:            true
  Read Only Root Filesystem: false
  Run As User Strategy: RunAsAny
    UID:                     <none>
    UID Range Min:           <none>
    UID Range Max:           <none>
  SELinux Context Strategy: RunAsAny
    User:                    <none>
    Role:                    <none>
    Type:                    <none>
    Level:                   <none>
  FSGroup Strategy: RunAsAny
    Ranges:                  <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                  <none>
Same error wtf...
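As an added example (mine, not from the question, the answer, or OpenShift itself): a small Python model of the check behind the error above, showing why a pod created by the StatefulSet controller is judged by its service account `system:serviceaccount:efk:default` rather than by the user `developer` or a bare user named `default`, and why the `-z default -n efk` form of the command is what changes the outcome. The SCC users list and the reduced pod spec are constructed from the question; the admission logic is deliberately simplified.

```python
# Added example, not from the original post or from OpenShift. A simplified model
# of SCC admission, enough to show why adding "developer" (or a bare "default") to
# the privileged SCC did not help while granting it to the namespace's service
# account did. Real admission also weighs the creating user, groups and priority.

# Users list copied from the `oc describe scc` output in the question.
PRIVILEGED_SCC_USERS = {
    "system:admin", "system:serviceaccount:openshift-infra:build-controller",
    "developer", "deployer", "default", "builder", "statefulset-controller",
}

# The es-cluster pod spec reduced to the fields this check looks at (constructed).
ES_POD_SPEC = {
    "initContainers": [
        {"name": "fix-permissions", "securityContext": {"privileged": True}},
        {"name": "increase-vm-max-map", "securityContext": {"privileged": True}},
        {"name": "increase-fd-ulimit", "securityContext": {"privileged": True}},
    ],
    "containers": [{"name": "elasticsearch"}],
}

def service_account_subject(namespace, service_account="default"):
    """Subject name OpenShift uses for a pod's service account. `-z default -n efk`
    grants the SCC to exactly this name, not to the bare user "default"."""
    return f"system:serviceaccount:{namespace}:{service_account}"

def privileged_paths(pod_spec):
    """Field paths of every container that requests privileged: true."""
    paths = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod_spec.get(kind, [])):
            if c.get("securityContext", {}).get("privileged") is True:
                paths.append(f"spec.{kind}[{i}].securityContext.privileged")
    return paths

def scc_violations(pod_spec, namespace, scc_users):
    """Pods created by a controller (here the StatefulSet controller) are admitted
    under the pod's service account, so that is the subject matched against the SCC."""
    subject = service_account_subject(namespace, pod_spec.get("serviceAccountName", "default"))
    if subject in scc_users:
        return []
    return [f"{p}: Invalid value: true: Privileged containers are not allowed"
            for p in privileged_paths(pod_spec)]

def grant_scc_to_service_account(scc_users, namespace, sa="default"):
    """Models `oc adm policy add-scc-to-user privileged -z SA -n NAMESPACE`
    (assumption: represented as adding the subject to the SCC users set)."""
    return scc_users | {service_account_subject(namespace, sa)}
```

Granting the privileged SCC to the namespace's `default` service account makes every pod in `efk` eligible for it; a dedicated service account named in the pod's `serviceAccountName` (which the model honours) keeps the grant to the one workload that needs it.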