Flux: Make `fluxctl install` work with OpenShift

Created on 2 Dec 2019 · 6 comments · Source: fluxcd/flux

Describe the bug
When I run the following against OpenShift:

fluxctl install \
--git-user=${GHUSER} \
--git-email=${GHUSER}@users.noreply.github.com \
--git-url=git@github.com:${GHUSER}/flux-get-started \
--git-path=namespaces,workloads \
--namespace=flux | oc apply -f -

(same issue if you use kubectl instead of oc)

The flux pod starts OK but the memcached pod fails to start. Looking at why, I see the following:

pods "memcached-78f7c9df46-" is forbidden: unable to validate against
any security context constraint:
[spec.containers[0].securityContext.securityContext.runAsUser: Invalid
value: 11211: must be in the ranges: [1000510000, 1000519999]]

To Reproduce
Run the command above against an OpenShift cluster.

Expected behavior
I would expect flux and memcached to start and deploy podinfo (from the sample repo).

Additional context
I have got this working by manually changing the YAML to comment out/remove the security context entry for the memcached deployment:

        ports:
        - name: clients
          containerPort: 11211
        #securityContext:
        #  runAsUser: 11211
        #  runAsGroup: 11211
        #  allowPrivilegeEscalation: false

If you now apply the YAML, memcached starts. With this change OpenShift will assign the memcached pods to the restricted SCC.

We could make this more explicit by creating a service account for memcached and explicitly assigning that to an SCC (either restricted or nonroot) when targeting OpenShift.

This also relates to #1125

Labels: enhancement, help wanted
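A pre-flight check for the admission failure above, added here as an example (not code from fluxcd/flux): it reads the namespace's `openshift.io/sa.scc.uid-range` annotation (assumed to be in its start/size form) and reports any container whose runAsUser the restricted SCC would refuse, before anything is piped to `oc apply`. The Deployment and Namespace objects are constructed to mirror the issue.

```python
"""Pre-flight check for the failure in this issue: does a rendered manifest's
runAsUser fit the namespace's OpenShift UID range?  Added example, not
fluxcd/flux code; the Deployment and Namespace objects are constructed."""
from typing import List, Optional, Tuple

# Constructed: the memcached Deployment roughly as `fluxctl install` renders
# it (only the fields the check looks at).
MEMCACHED_DEPLOYMENT = {
    "metadata": {"name": "memcached", "namespace": "flux"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "memcached",
        "securityContext": {"runAsUser": 11211, "runAsGroup": 11211,
                            "allowPrivilegeEscalation": False},
    }]}}},
}

# Constructed: the flux namespace as OpenShift annotates it.  The restricted
# SCC (MustRunAsRange) draws UIDs from this "start/size" range, which is the
# [1000510000, 1000519999] quoted in the error message.
FLUX_NAMESPACE = {"metadata": {"annotations": {
    "openshift.io/sa.scc.uid-range": "1000510000/10000"}}}


def uid_range(namespace: dict) -> Optional[Tuple[int, int]]:
    """Inclusive (low, high) UID range from the annotation, None if absent."""
    annotations = namespace.get("metadata", {}).get("annotations", {})
    value = annotations.get("openshift.io/sa.scc.uid-range")
    if not value:
        return None
    start, size = (int(part) for part in value.split("/"))
    return start, start + size - 1


def uid_violations(deployment: dict, namespace: dict) -> List[str]:
    """Containers whose runAsUser the restricted SCC would reject.
    Container-level runAsUser overrides pod-level; no runAsUser at all is
    fine, because the SCC then assigns a UID from the range, which is what
    removing the securityContext in this issue achieves."""
    rng = uid_range(namespace)
    if rng is None:  # no annotation: not OpenShift, nothing to check
        return []
    low, high = rng
    pod = deployment["spec"]["template"]["spec"]
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    problems = []
    for container in pod["containers"]:
        uid = container.get("securityContext", {}).get("runAsUser", pod_uid)
        if uid is not None and not low <= uid <= high:
            problems.append(f"{container['name']}: runAsUser {uid} "
                            f"not in [{low}, {high}]")
    return problems
```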

All 6 comments

As I have this working I am happy to make the fix.

That would be fantastic!

The problem is that fluxctl install doesn't know what you are using the YAMLs for.

I've added a --oc flag in my changes so that we can:

fluxctl install \
--git-user=${GHUSER} \
--git-email=${GHUSER}@users.noreply.github.com \
--git-url=git@github.com:${GHUSER}/flux-get-started \
--git-path=namespaces,workloads \
--namespace=flux --oc | oc apply -f -

Or do you think something like --target oc would be better?

Sorry this went unanswered. --oc is fine.

Hey is there any update on this :) ?

Change has been merged. It looks like the flag should be --add-security-context=false @Numblesix
