英文:
Not able to create pod in openshift (The runAsGroup does not match the field value from the annotation in the namespace)
问题
您正在尝试使用deploymentConfig部署一些应用程序。以下是用于PostgreSQL的YAML文件的简化版本。
apiVersion: template.openshift.io/v1kind: Templatelabels:template: postgresmessage: |-用于测试在Openshift上部署PostgreSQL。metadata:annotations:description: 在Openshift上部署PostgreSQL。openshift.io/display-name: PostgreSQLopenshift.io/long-description: PostgreSQLopenshift.io/provider-display-name: xxxxtags: 数据库template.openshift.io/bindable: "false"name: PostgreSQLobjects:# 其他对象的部分未翻译# ...parameters:- description: 应用程序名称displayName: 应用程序名称name: APPLICATION_NAMEvalue: postgres- description: PostgreSQL主机displayName: PostgreSQL主机名name: POSTGRESQL_HOSTvalue: postgresqlrequired: true- description: PostgreSQL连接用户名displayName: PostgreSQL连接用户名from: 'user[a-z0-9]{5}'generate: expressionname: POSTGRESQL_USERrequired: true- description: PostgreSQL连接密码displayName: PostgreSQL连接密码from: '[a-zA-Z0-9]{16}'generate: expressionname: POSTGRESQL_PASSWORDrequired: true- description: PostgreSQL数据库名称displayName: PostgreSQL连接数据库from: 'airflow[a-z0-9]{5}'generate: expressionname: POSTGRESQL_DATABASErequired: true- description: 用于存储PostgreSQL数据库中元数据的PERSISTENT卷声明名称displayName: PERSISTENT卷声明名称(数据库)name: PERSISTENT_VOLUME_CLAIM_DBvalue: storage-db-pvc- description: 元数据卷存储大小displayName: 元数据卷存储大小name: PERSISTENT_VOLUME_CLAIM_DB_SIZEvalue: "1Gi"
当我执行此模板时,我收到以下错误消息:
停止重试:无法为“zzzzzzzzzz/postgresql-7”创建部署器Pod:验证webhook“validate.kyverno.something-ignore”拒绝了请求:策略Pod/namespace_name/postgresql-7-deploy违反了资源:add-securitycontext:update-runasgroup:runAsGroup与命名空间中注释的字段值不匹配。ensure-readonly-lustre:ensure-readonly-lustre:未满足前提条件。
我已经重新检查了runAsUser和runAsGroup,并且根据SCC正确定义。是否有关于我的模板YAML的问题?
希望这有助于您解决问题。如果您需要更多帮助或建议,请告诉我。
英文:
I am trying to deploy some applications using deploymentConfig. Below is the simplified version of yaml file for postgres.
apiVersion: template.openshift.io/v1kind: Templatelabels:template: postgresmessage: |-To test deployment for postgres.metadata:annotations:description: Deploys postgress on Openshift.openshift.io/display-name: postgressopenshift.io/long-description: postgresopenshift.io/provider-display-name: xxxxtags: databasetemplate.openshift.io/bindable: "false"name: postgresobjects:- apiVersion: apps.openshift.io/v1kind: DeploymentConfigmetadata:annotations:template.alpha.openshift.io/wait-for-ready: 'true'labels:app: ${APPLICATION_NAME}template: postgresql-ephemeral-templatename: ${POSTGRESQL_HOST}spec:replicas: 1selector:name: ${POSTGRESQL_HOST}strategy:type: Recreatetemplate:metadata:labels:name: ${POSTGRESQL_HOST}spec:containers:- env:- name: POSTGRESQL_USERvalueFrom:secretKeyRef:key: database-username: postgresql- name: POSTGRESQL_PASSWORDvalueFrom:secretKeyRef:key: database-passwordname: postgresql- name: POSTGRESQL_DATABASEvalueFrom:secretKeyRef:key: database-namename: postgresqlimage: rhel8/postgresql-12imagePullPolicy: IfNotPresentlivenessProbe:exec:command:- "/usr/libexec/check-container"- "--live"initialDelaySeconds: 120timeoutSeconds: 10name: ${POSTGRESQL_HOST}ports:- containerPort: 5432protocol: TCPreadinessProbe:exec:command:- "/usr/libexec/check-container"initialDelaySeconds: 5timeoutSeconds: 1resources:limits:memory: 1GisecurityContext:capabilities: {}privileged: falseterminationMessagePath: /dev/termination-logvolumeMounts:- mountPath: /var/lib/pgsql/dataname: postgresql-datadnsPolicy: ClusterFirstrestartPolicy: AlwaysschedulerName: default-schedulersecurityContext:runAsUser: 2222runAsGroup: 1111terminationGracePeriodSeconds: 30volumes:- name: postgresql-datapersistentVolumeClaim:claimName: ${PERSISTENT_VOLUME_CLAIM_DB}triggers:- imageChangeParams:automatic: truecontainerNames:- ${POSTGRESQL_HOST}from:kind: ImageStreamTagname: postgresql:12namespace: airflow-data-factorytype: ImageChange- type: ConfigChange- apiVersion: v1stringData:database-name: ${POSTGRESQL_DATABASE}database-password: ${POSTGRESQL_PASSWORD}database-user: ${POSTGRESQL_USER}connection-string: postgresql+psycopg2://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}result-backend: db+postgresql://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}kind: Secretmetadata:labels:app: ${APPLICATION_NAME}template: postgresql-ephemeral-templatename: postgresqltype: Opaque- apiVersion: v1kind: Servicemetadata:labels:app: ${APPLICATION_NAME}template: postgresql-ephemeral-templatename: ${POSTGRESQL_HOST}spec:ports:- name: ${POSTGRESQL_HOST}port: 5432protocol: TCPtargetPort: 5432selector:name: ${POSTGRESQL_HOST}sessionAffinity: Nonetype: ClusterIPstatus:loadBalancer: {}- apiVersion: v1kind: PersistentVolumeClaimmetadata:name: ${PERSISTENT_VOLUME_CLAIM_DB}namespace: airflow-data-factoryspec:storageClassName: openshift-trident-ext4accessModes:- "ReadWriteOnce"resources:requests:storage: ${PERSISTENT_VOLUME_CLAIM_DB_SIZE}parameters:- description: Name of the applicationdisplayName: Application namename: APPLICATION_NAMEvalue: postgres- description: PostgreSQL hostdisplayName: PostgreSQL hostnamename: POSTGRESQL_HOSTvalue: postgresqlrequired: true- description: Username for PostgreSQL user that will be used for accessing the databasedisplayName: PostgreSQL connection usernamefrom: 'user[a-z0-9]{5}'generate: expressionname: POSTGRESQL_USERrequired: true- description: Password for the PostgreSQL connection userdisplayName: PostgreSQL connection passwordfrom: '[a-zA-Z0-9]{16}'generate: expressionname: POSTGRESQL_PASSWORDrequired: true- description: Database name for PostgreSQL databasedisplayName: PostgreSQL connection databasefrom: 'airflow[a-z0-9]{5}'generate: expressionname: POSTGRESQL_DATABASErequired: true- description: Attached PERSISTENT volume claim name for storing metadata in PostgreSQL databasedisplayName: PERSISTENT volume claim name (database)name: PERSISTENT_VOLUME_CLAIM_DBvalue: storage-db-pvc- description: Size of the metadata volume storagedisplayName: Metadata volume storage sizename: PERSISTENT_VOLUME_CLAIM_DB_SIZEvalue: "1Gi"
When I execute this template, I am getting following error:
Stop retrying: couldn't create deployer pod for "zzzzzzzzzz/postgresql-7": admission webhook "validate.kyverno.something-ignore" denied the request: policy Pod/namespace_name/postgresql-7-deploy for resource violations: add-securitycontext: update-runasgroup: The runAsGroup does not match the field value from the annotation in the namespace. ensure-readonly-lustre: ensure-readonly-lustre: preconditions not met
I have rechecked runAsUser and runAsGroup. And it is defined correctly according to scc.
Any help or suggestions would be greatly welcomed.
it failed with error to update runAsGroup but i am sure that it is correct. Is there amy problem with my template yaml?
答案1
得分: 0
"Basically, runAsUser and runAsGroup violate OpenShift policies. In other words, you can't use them with OpenShift.
What is happening in OpenShift, it creates a random (big number, always >1000) user id which runs your pod and assigns it to the root group (id 0).
So you need to adjust your images so that permissions allow to run it by someone belonging to the root group.
Now, for your particular case, start with removing securityContext completely and see what happens - it may just work as is. If not, look at what resources need access by the user running the container and make sure they are accessible by a user with groupid 0."
英文:
Basically, runAsUser and runAsGroup violate OpenShift policies. In other words, you can't use them with OpenShift.
What is happening in OpenShift, it creates a random (big number, always >1000) user id which runs your pod and assigns it to the root group (id 0).
So you need to adjust your images so that permissions allow to run it by someone belonging to the root group.
Now, for your particular case, start with removing securityContext completely and see what happens - it may just work as is. If not, look at what resources need access by the user running the container and make sure they are accessible by a user with groupid 0.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论