
fsGroup is not always permitted #247

Closed
ebaron opened this issue Sep 1, 2021 · 1 comment · Fixed by #252
Labels
bug Something isn't working
Milestone

Comments

ebaron (Member) commented Sep 1, 2021

It seems that a fix beyond #244 is needed to solve #243 in all cluster configurations.

In OpenShift, SecurityContextConstraints can forbid the fsGroup value we added:

Error creating: pods "cryostat-sample-775b9b7d9d-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{18500}: 18500 is not an allowed group]

https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth

There are also PodSecurityPolicies, where a range of GIDs can be specified for allowable fsGroup values:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/

@ebaron ebaron added this to the 2.0.0 milestone Sep 1, 2021
@ebaron ebaron added the bug Something isn't working label Sep 1, 2021
ebaron (Member, Author) commented Sep 2, 2021

From testing on two OpenShift clusters, it seems that the issue only comes up in namespaces other than default. It sounds similar to #180 (comment).
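The error quoted in the first comment is the OpenShift SCC admission check rejecting a hard-coded fsGroup, and the second comment observes that the outcome depends on the namespace. The following is an added example, not code from the Cryostat project or from the issue author: it reproduces that check offline so an operator can see, before deploying, whether a pod's spec.securityContext.fsGroup falls inside the group ranges a namespace (or a PodSecurityPolicy) permits. It assumes the restricted SCC takes its allowed groups from the namespace annotation openshift.io/sa.scc.supplemental-groups in the form "start/length" or "start-end", and that a PodSecurityPolicy fsGroup rule carries explicit min/max ranges; the pod, namespace and PSP objects below are constructed sample input, with the 18500 value taken from the issue.

```python
"""Added example (not part of the Cryostat project): validate a pod's fsGroup
against the group ranges a namespace or PodSecurityPolicy allows."""
from typing import Iterable, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (min, max)


def parse_group_range(value: str) -> Range:
    """Parse an OpenShift pre-allocated range, "start/length" or "start-end",
    into an inclusive (min, max) pair. Assumption: these are the two formats
    the openshift.io/sa.scc.supplemental-groups annotation uses."""
    value = value.strip()
    if "/" in value:
        start, length = (int(x) for x in value.split("/", 1))
        if length < 1:
            raise ValueError(f"range length must be positive: {value!r}")
        return (start, start + length - 1)
    if "-" in value:
        start, end = (int(x) for x in value.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {value!r}")
        return (start, end)
    raise ValueError(f"unrecognised group range: {value!r}")


def namespace_allowed_ranges(namespace: dict) -> List[Range]:
    """Allowed fsGroup ranges pre-allocated for a namespace (may be several,
    comma-separated). Empty list when the namespace carries no annotation."""
    annotations = namespace.get("metadata", {}).get("annotations", {})
    raw = annotations.get("openshift.io/sa.scc.supplemental-groups")
    if not raw:
        return []
    return [parse_group_range(part) for part in raw.split(",") if part.strip()]


def psp_fsgroup_ranges(psp: dict) -> List[Range]:
    """Allowed fsGroup ranges from a PodSecurityPolicy's spec.fsGroup.ranges."""
    rule = psp.get("spec", {}).get("fsGroup", {})
    return [(int(r["min"]), int(r["max"])) for r in rule.get("ranges", [])]


def validate_fsgroup(pod: dict, ranges: Iterable[Range],
                     rule: str = "MustRunAs") -> Optional[str]:
    """Return None when the pod's fsGroup is permitted, otherwise a message in
    the shape of the apiserver error quoted in the issue.
    Assumption: rule "RunAsAny" accepts everything; "MustRunAs" requires the
    value to fall inside one of the ranges. An unset fsGroup is accepted here
    because admission can fill in a default for it."""
    fs_group = pod.get("spec", {}).get("securityContext", {}).get("fsGroup")
    if fs_group is None or rule == "RunAsAny":
        return None
    ranges = list(ranges)
    if not ranges:
        return f".spec.securityContext.fsGroup: no allowed group ranges for rule {rule}"
    if any(lo <= fs_group <= hi for lo, hi in ranges):
        return None
    return (f".spec.securityContext.fsGroup: Invalid value: []int64{{{fs_group}}}: "
            f"{fs_group} is not an allowed group")


# Constructed sample objects (not taken from a real cluster). The fsGroup value
# 18500 is the one rejected in the issue; the namespace range is a plausible
# OpenShift pre-allocation, chosen for illustration only.
SAMPLE_POD = {"spec": {"securityContext": {"fsGroup": 18500}}}
SAMPLE_NAMESPACE = {"metadata": {"annotations": {
    "openshift.io/sa.scc.supplemental-groups": "1000640000/10000"}}}
SAMPLE_PSP = {"spec": {"fsGroup": {"rule": "MustRunAs",
                                   "ranges": [{"min": 18000, "max": 19000}]}}}


def check_sample() -> Tuple[Optional[str], Optional[str]]:
    """Same pod checked against the namespace's SCC ranges and against a PSP
    whose range happens to include 18500; returns (scc_result, psp_result)."""
    scc_result = validate_fsgroup(SAMPLE_POD, namespace_allowed_ranges(SAMPLE_NAMESPACE))
    psp_result = validate_fsgroup(SAMPLE_POD, psp_fsgroup_ranges(SAMPLE_PSP),
                                  rule=SAMPLE_PSP["spec"]["fsGroup"]["rule"])
    return scc_result, psp_result


if __name__ == "__main__":
    for label, result in zip(("SCC", "PSP"), check_sample()):
        print(f"{label}: {'permitted' if result is None else result}")
```

The same pod passes the PSP and fails the namespace check, which is the situation the issue describes: a fixed fsGroup only works where the cluster's allowed range happens to contain it. Dropping the hard-coded value and letting admission assign the namespace's pre-allocated group avoids the rejection in every namespace.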
