Not able to create pod in OpenShift (The runAsGroup does not match the field value from the annotation in the namespace)

Question

I am trying to deploy some applications using DeploymentConfig. Below is the simplified version of the YAML file for Postgres.

apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: postgres
message: |-
  To test deployment for postgres.
metadata:
  annotations:
    description: Deploys postgress on Openshift.
    openshift.io/display-name: postgress
    openshift.io/long-description: postgres
    openshift.io/provider-display-name: xxxx
    tags: database
    template.openshift.io/bindable: "false"
  name: postgres
objects:

- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    annotations:
      template.alpha.openshift.io/wait-for-ready: 'true'
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    replicas: 1
    selector:
      name: ${POSTGRESQL_HOST}
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          name: ${POSTGRESQL_HOST}
      spec:
        containers:
        - env:
          - name: POSTGRESQL_USER
            valueFrom:
              secretKeyRef:
                key: database-user
                name: postgresql
          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-password
                name: postgresql
          - name: POSTGRESQL_DATABASE
            valueFrom:
              secretKeyRef:
                key: database-name
                name: postgresql
          image: rhel8/postgresql-12
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
              - "--live"
            initialDelaySeconds: 120
            timeoutSeconds: 10
          name: ${POSTGRESQL_HOST}
          ports:
          - containerPort: 5432
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
            initialDelaySeconds: 5
            timeoutSeconds: 1
          resources:
            limits:
              memory: 1Gi
          securityContext:
            capabilities: {}
            privileged: false
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/lib/pgsql/data
            name: postgresql-data
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext:
          runAsUser: 2222
          runAsGroup: 1111
        terminationGracePeriodSeconds: 30
        volumes:
        - name: postgresql-data
          persistentVolumeClaim:
            claimName: ${PERSISTENT_VOLUME_CLAIM_DB}

    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - ${POSTGRESQL_HOST}
        from:
          kind: ImageStreamTag
          name: postgresql:12
          namespace: airflow-data-factory
      type: ImageChange
    - type: ConfigChange

- apiVersion: v1
  stringData:
    database-name: ${POSTGRESQL_DATABASE}
    database-password: ${POSTGRESQL_PASSWORD}
    database-user: ${POSTGRESQL_USER}
    connection-string: postgresql+psycopg2://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
    result-backend: db+postgresql://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
  kind: Secret
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: postgresql
  type: Opaque

- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    ports:
    - name: ${POSTGRESQL_HOST}
      port: 5432
      protocol: TCP
      targetPort: 5432
    selector:
      name: ${POSTGRESQL_HOST}
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}

- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: ${PERSISTENT_VOLUME_CLAIM_DB}
    namespace: airflow-data-factory
  spec:
    storageClassName: openshift-trident-ext4
    accessModes:
      - "ReadWriteOnce"
    resources:
      requests:
        storage: ${PERSISTENT_VOLUME_CLAIM_DB_SIZE}

parameters:
- description: Name of the application
  displayName: Application name
  name: APPLICATION_NAME
  value: postgres
- description: PostgreSQL host
  displayName: PostgreSQL hostname
  name: POSTGRESQL_HOST
  value: postgresql
  required: true
- description: Username for PostgreSQL user that will be used for accessing the database
  displayName: PostgreSQL connection username
  from: 'user[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_USER
  required: true
- description: Password for the PostgreSQL connection user
  displayName: PostgreSQL connection password
  from: '[a-zA-Z0-9]{16}'
  generate: expression
  name: POSTGRESQL_PASSWORD
  required: true
- description: Database name for PostgreSQL database
  displayName: PostgreSQL connection database
  from: 'airflow[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_DATABASE
  required: true
- description: Attached PERSISTENT volume claim name for storing metadata in PostgreSQL database
  displayName: PERSISTENT volume claim name (database)
  name: PERSISTENT_VOLUME_CLAIM_DB
  value: storage-db-pvc
- description: Size of the metadata volume storage
  displayName: Metadata volume storage size
  name: PERSISTENT_VOLUME_CLAIM_DB_SIZE
  value: "1Gi"

When I execute this template, I am getting the following error:

Stop retrying: couldn't create deployer pod for "zzzzzzzzzz/postgresql-7": admission webhook "validate.kyverno.something-ignore" denied the request: policy Pod/namespace_name/postgresql-7-deploy for resource violations: add-securitycontext: update-runasgroup: The runAsGroup does not match the field value from the annotation in the namespace. ensure-readonly-lustre: ensure-readonly-lustre: preconditions not met

I have rechecked runAsUser and runAsGroup, and they are defined correctly according to the SCC.
Any help or suggestions would be greatly welcomed.

It failed with an error to update runAsGroup, but I am sure that it is correct. Is there any problem with my template YAML?

Answer 1

Score: 0

Basically, runAsUser and runAsGroup violate OpenShift policies. In other words, you can't use them with OpenShift.

What is happening in OpenShift is that it creates a random user id (a big number, always >1000) which runs your pod and assigns it to the root group (id 0).

So you need to adjust your images so that the permissions allow it to be run by someone belonging to the root group.

Now, for your particular case, start with removing securityContext completely and see what happens - it may just work as is. If not, look at what resources need access by the user running the container and make sure they are accessible by a user with group id 0.
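The pod-level securityContext in the question's template hard-codes runAsUser 2222 and runAsGroup 1111, and the Kyverno rule quoted in the error rejects the runAsGroup because it differs from a value read from a namespace annotation. OpenShift records the UID and supplemental-group ranges that a project's SCC permits in the namespace annotations openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups; the page does not say which annotation the cluster's custom policy reads, so the check below assumes it is these standard ones. The following Python pre-flight check is an added example, not code from the question, the answer or OpenShift; the annotation values, the constants and the function names are constructed for illustration. It parses the ranges, reports every runAsUser/runAsGroup value that falls outside them, and shows that omitting securityContext (the answer's first step) produces no finding at all.

```python
"""Pre-flight check: do a pod's runAsUser/runAsGroup fit the namespace's SCC ranges?

Added example for the question above; not code from the question, the answer or
OpenShift. It assumes the namespace annotations that OpenShift writes for the
project's SCC (openshift.io/sa.scc.uid-range, openshift.io/sa.scc.supplemental-groups)
are what the cluster's Kyverno rule compares against; the page does not name them.
"""
from __future__ import annotations

# Constructed sample of what
#   oc get namespace <project> -o jsonpath='{.metadata.annotations}'
# typically contains; the numbers are illustrative, not from the page.
SAMPLE_NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000680000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
}

# Pod-level securityContext exactly as hard-coded in the question's template.
QUESTION_SECURITY_CONTEXT = {"runAsUser": 2222, "runAsGroup": 1111}

# Which annotation governs which securityContext field (assumption, see above).
FIELD_TO_ANNOTATION = {
    "runAsUser": "openshift.io/sa.scc.uid-range",
    "runAsGroup": "openshift.io/sa.scc.supplemental-groups",
}


def parse_scc_ranges(value: str) -> list[range]:
    """Parse an SCC range annotation into Python ranges.

    Accepted forms, comma-separated: "<start>/<size>" (OpenShift's usual form),
    "<start>-<end>" (inclusive), or a single "<id>".
    """
    ranges = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "/" in part:
            start, size = part.split("/", 1)
            ranges.append(range(int(start), int(start) + int(size)))
        elif "-" in part:
            start, end = part.split("-", 1)
            ranges.append(range(int(start), int(end) + 1))
        else:
            ranges.append(range(int(part), int(part) + 1))
    return ranges


def check_security_context(security_context: dict, annotations: dict) -> list[str]:
    """Return one message per runAsUser/runAsGroup value the namespace does not allow.

    Fields that are absent are not checked: with no securityContext at all
    (the answer's first suggestion) OpenShift picks a UID from the range itself
    and the container runs with root group 0, so nothing is reported.
    """
    findings = []
    for field, annotation in FIELD_TO_ANNOTATION.items():
        if field not in security_context:
            continue
        raw = annotations.get(annotation)
        if raw is None:
            findings.append(f"{field}: namespace has no {annotation} annotation")
            continue
        value = int(security_context[field])
        allowed = parse_scc_ranges(raw)
        if not any(value in r for r in allowed):
            spans = ", ".join(f"{r.start}-{r.stop - 1}" for r in allowed)
            findings.append(f"{field}={value} is outside {annotation}={raw} (allowed: {spans})")
    return findings


if __name__ == "__main__":
    # Reproduces the situation in the question: both fixed IDs fall outside the range.
    for finding in check_security_context(QUESTION_SECURITY_CONTEXT, SAMPLE_NAMESPACE_ANNOTATIONS):
        print("would be rejected:", finding)
    # The answer's suggestion: drop the block entirely.
    print("no securityContext ->", check_security_context({}, SAMPLE_NAMESPACE_ANNOTATIONS))
```

To run it against a real project, paste the output of `oc get namespace <project> -o jsonpath='{.metadata.annotations}'` into the annotations dict. If the image's files genuinely need a fixed group, the answer's second step is the one that applies: in the image build, make the paths the process writes to (here /var/lib/pgsql/data) group-owned by GID 0 with group permissions equal to the owner's, so whatever UID OpenShift assigns can still use them, instead of pinning runAsGroup in the pod spec.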

huangapple
  • Posted on 19 April 2023 at 21:44:07
  • Please keep this link when reposting: https://go.coder-hub.com/76055279.html