Not able to create pod in openshift (The runAsGroup does not match the field value from the annotation in the namespace)
I am trying to deploy some applications using a DeploymentConfig. Below is a simplified version of the YAML file for Postgres.
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: postgres
message: |-
  To test deployment for postgres.
metadata:
  annotations:
    description: Deploys postgres on Openshift.
    openshift.io/display-name: postgres
    openshift.io/long-description: postgres
    openshift.io/provider-display-name: xxxx
    tags: database
    template.openshift.io/bindable: "false"
  name: postgres
objects:
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    annotations:
      template.alpha.openshift.io/wait-for-ready: 'true'
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    replicas: 1
    selector:
      name: ${POSTGRESQL_HOST}
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          name: ${POSTGRESQL_HOST}
      spec:
        containers:
        - env:
          - name: POSTGRESQL_USER
            valueFrom:
              secretKeyRef:
                key: database-user
                name: postgresql
          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-password
                name: postgresql
          - name: POSTGRESQL_DATABASE
            valueFrom:
              secretKeyRef:
                key: database-name
                name: postgresql
          image: rhel8/postgresql-12
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
              - "--live"
            initialDelaySeconds: 120
            timeoutSeconds: 10
          name: ${POSTGRESQL_HOST}
          ports:
          - containerPort: 5432
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
            initialDelaySeconds: 5
            timeoutSeconds: 1
          resources:
            limits:
              memory: 1Gi
          securityContext:
            capabilities: {}
            privileged: false
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/lib/pgsql/data
            name: postgresql-data
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext:
          runAsUser: 2222
          runAsGroup: 1111
        terminationGracePeriodSeconds: 30
        volumes:
        - name: postgresql-data
          persistentVolumeClaim:
            claimName: ${PERSISTENT_VOLUME_CLAIM_DB}
    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - ${POSTGRESQL_HOST}
        from:
          kind: ImageStreamTag
          name: postgresql:12
          namespace: airflow-data-factory
      type: ImageChange
    - type: ConfigChange
- apiVersion: v1
  kind: Secret
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: postgresql
  stringData:
    database-name: ${POSTGRESQL_DATABASE}
    database-password: ${POSTGRESQL_PASSWORD}
    database-user: ${POSTGRESQL_USER}
    connection-string: postgresql+psycopg2://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
    result-backend: db+postgresql://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
  type: Opaque
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    ports:
    - name: ${POSTGRESQL_HOST}
      port: 5432
      protocol: TCP
      targetPort: 5432
    selector:
      name: ${POSTGRESQL_HOST}
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: ${PERSISTENT_VOLUME_CLAIM_DB}
    namespace: airflow-data-factory
  spec:
    storageClassName: openshift-trident-ext4
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: ${PERSISTENT_VOLUME_CLAIM_DB_SIZE}
parameters:
- description: Name of the application
  displayName: Application name
  name: APPLICATION_NAME
  value: postgres
- description: PostgreSQL host
  displayName: PostgreSQL hostname
  name: POSTGRESQL_HOST
  value: postgresql
  required: true
- description: Username for PostgreSQL user that will be used for accessing the database
  displayName: PostgreSQL connection username
  from: 'user[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_USER
  required: true
- description: Password for the PostgreSQL connection user
  displayName: PostgreSQL connection password
  from: '[a-zA-Z0-9]{16}'
  generate: expression
  name: POSTGRESQL_PASSWORD
  required: true
- description: Database name for PostgreSQL database
  displayName: PostgreSQL connection database
  from: 'airflow[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_DATABASE
  required: true
- description: Attached PERSISTENT volume claim name for storing metadata in PostgreSQL database
  displayName: PERSISTENT volume claim name (database)
  name: PERSISTENT_VOLUME_CLAIM_DB
  value: storage-db-pvc
- description: Size of the metadata volume storage
  displayName: Metadata volume storage size
  name: PERSISTENT_VOLUME_CLAIM_DB_SIZE
  value: "1Gi"
When I execute this template, I am getting the following error:
Stop retrying: couldn't create deployer pod for "zzzzzzzzzz/postgresql-7": admission webhook "validate.kyverno.something-ignore" denied the request: policy Pod/namespace_name/postgresql-7-deploy for resource violations: add-securitycontext: update-runasgroup: The runAsGroup does not match the field value from the annotation in the namespace. ensure-readonly-lustre: ensure-readonly-lustre: preconditions not met
I have rechecked runAsUser and runAsGroup, and they are defined correctly according to the SCC.
Any help or suggestions would be greatly welcomed.
It failed with an error about updating runAsGroup, but I am sure that it is correct. Is there any problem with my template YAML?
Answer 1
Score: 0
Basically, runAsUser and runAsGroup violate OpenShift policies. In other words, you can't use them with OpenShift.
What happens in OpenShift is that it creates a random user id (a big number, always >1000) that runs your pod and assigns it to the root group (id 0).
So you need to adjust your images so that permissions allow them to be run by someone belonging to the root group.
Now, for your particular case, start with removing securityContext completely and see what happens - it may just work as is. If not, look at what resources need access by the user running the container and make sure they are accessible by a user with group id 0.
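As an added example (not code from the answer above or from the OpenShift project), here is the "root group" permission fix the answer points at, packaged as shell functions plus a checker you can run against an image's data directories before deploying. The function names and the default gid of 0 are my choices; changing a file's group to 0 needs root, so the fix step belongs in an image build (Containerfile RUN line), while the check can run unprivileged anywhere.

```shell
#!/bin/bash
# Added example: make a directory usable by any uid that is a member of a
# given group (gid 0 by default), which is what an arbitrary-uid OpenShift
# pod needs, and verify that the group bits match the owner bits.

# make_group_accessible DIR [GID]
# Equivalent to the usual Containerfile line
#   RUN chgrp -R 0 /var/lib/pgsql && chmod -R g=u /var/lib/pgsql
# chgrp to gid 0 requires root; pass another gid to try it unprivileged.
make_group_accessible() {
    local dir=$1 gid=${2:-0}
    chgrp -R "$gid" "$dir" || return 1
    chmod -R g=u "$dir" || return 1
}

# octal_perm FILE -> permission bits in octal, e.g. 750
# Tries GNU stat first and falls back to BSD stat.
octal_perm() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_group_accessible DIR
# Returns 0 when every entry under DIR has group bits equal to owner bits;
# otherwise prints the first offending path to stderr and returns 1.
check_group_accessible() {
    find "$1" -print | while IFS= read -r path; do
        perm=$(octal_perm "$path")
        # Leading 0 forces octal interpretation in shell arithmetic.
        owner=$(( (0$perm / 64) % 8 ))
        group=$(( (0$perm / 8) % 8 ))
        if [ "$owner" -ne "$group" ]; then
            echo "group bits differ from owner bits: $path ($perm)" >&2
            exit 1
        fi
    done
}
```

Run check_group_accessible on the image's writable paths (for the template above, the PostgreSQL data directory) before removing runAsUser/runAsGroup from the pod spec, so a permission problem shows up at build time rather than as a crash-looping pod.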