You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Essentially what we are observing is this helm chart enforces specific UID and GID for the running containers that do not match the predefined ranges in OpenShift and therefore fail with the following error:
# kubectl get events
17s Warning FailedCreate replicaset/og-common-temporal-worker-6cfb86c44d Error creating: pods "og-common-temporal-worker-6cfb86c44d-" is forbidden: unable to validate against any security context constraint: [provider "builder-scc": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001650000, 1001659999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001650000, 1001659999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "splunk-log-forwarder-scc": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "etcd-backup-scc": Forbidden: not usable by user or serviceaccount, provider "newrelic-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "velero-privileged": Forbidden: not usable by user or serviceaccount]
Describe the solution you'd like
Helm chart should not enforce a default uid or gid, users should inject these values if required
To get around this issue the following values file was used and confirmed to work
It's not unreasonable to default to running as the userid and groupid that are used by the default images. As you have mentioned, you can override this to have things working on openshift, so this does not preclude you from using the chart.
Is your feature request related to a problem? Please describe.
I attempted to deploy temporal via helm into an OpenShift cluster
Ran into issues running the temporal server and temporal ui containers on openshift due to security constraints (running on openshift - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids)
Identified the root cause to be the following sections:
0.20.0
) #2 - added to issue: [Feature Request] Support for OpenShift docker-builds#241Essentially what we are observing is this helm chart enforces specific UID and GID for the running containers that do not match the predefined ranges in OpenShift and therefore fail with the following error:
Describe the solution you'd like
Helm chart should not enforce a default uid or gid, users should inject these values if required
To get around this issue the following values file was used and confirmed to work
Essentially I am unsetting the predefined values
The text was updated successfully, but these errors were encountered: