[Bug]: Installation OpenShift (OCP) - Forbidden : Unable to validate against any security context constraint

[mgpradeepa]

What happened

Installed Nessie on k8s in Openshift Container Platform (OCP) environment using helm charts.
The below issue is observed on the logs.

message: 'pods "nessie-7d676c98dd-" is forbidden: unable to validate against any
security context constraint: [pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]:
Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/nessie]:
Forbidden: seccomp may not be set, provider restricted-v2: .spec.securityContext.fsGroup:
Invalid value: []int64{10001}: 10001 is not an allowed group, provider restricted-v2:
.containers[0].runAsUser: Invalid value: 10000: must be in the ranges: [1000750000,
1000759999], provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider
"nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid":
Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid-v2":
Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler":
Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
usable by user or serviceaccount, provider "insights-runtime-extractor-scc":
Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden:
not usable by user or serviceaccount, provider "privileged": Forbidden: not
usable by user or serviceaccount]'
reason: FailedCreate
status: "True"
type: ReplicaFailure

Primarily Nessie expects the runAsUser as 10000 and runAsGroup to be 10001. However OCP Env supports the range only from 1000750000 to 1000759999]

Due to these conflicts, installation fails.

Looking for the fix to successfully install.

How to reproduce it

Installation using helm charts on OCP env.

Nessie server type (docker/uber-jar/built from source) and version

docker image with Nessie helm charts.

Client type (Ex: UI/Spark/pynessie ...) and version

No response

Additional information

No response

#labels

[adutra]

Hi @mgpradeepa thanks for reporting this!

For OpenShift, I recommend tweaking the security contexts and deleting fsGroup, runAsUser and runAsGroup. OpenShift automatically assigns runAsUser and fsGroup to valid values, and these should work with the default Nessie image.

Example:

podSecurityContext:
  seccompProfile:
    type: RuntimeDefault

securityContext:
  runAsNonRoot: true
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

[mgpradeepa]

Hi @adutra Will try the recommended steps. I remember we had tried these. Let me check once again and confirm .

[mgpradeepa]

The above suggested steps solved the problem of assigning the runAsUser and fsGroup automatically from OpenShift.
Permission issue started when tried to tail the logs.

The version we were using so far was 0.104.1.

Once we upgraded the image from 0.104.1 to 0.105.1 the issue got resolved and we are able to see the nessie GUI.
@adutra , thanks for your support.

[mgpradeepa]

Closing the ticket as the issue is resolved.