NGF fails to deploy on Openshift #1674

bjee19 · 2024-03-12T20:57:35Z

Describe the bug
NGF fails to deploy on Openshift when using helm chart

output:

[cloud-user@ocp-provisioner nginx-gateway-fabric]$ helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
Pulled: ghcr.io/nginxinc/charts/nginx-gateway-fabric:1.1.0
Digest: sha256:2a3aa5e2b61334a135b909f389b190ed9514b2d77c529068eb3bef4e08d0f7ec
W0312 16:49:51.427508   14348 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx-gateway" must not include "KILL" in securityContext.capabilities.add), seccompProfile (pod or containers "nginx-gateway", "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Deployment is created with this condition:

status:
  conditions:
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Created new replica set "ngf-nginx-gateway-fabric-777dc84497"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: 'pods "ngf-nginx-gateway-fabric-777dc84497-" is forbidden: unable to
      validate against any security context constraint: [provider "anyuid": Forbidden:
      not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup:
      Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser:
      Invalid value: 102: must be in the ranges: [1000700000, 1000709999], spec.containers[0].securityContext.capabilities.add:
      Invalid value: "KILL": capability may not be added, spec.containers[1].securityContext.runAsUser:
      Invalid value: 101: must be in the ranges: [1000700000, 1000709999], provider
      "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
      Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
      not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden:
      not usable by user or serviceaccount, provider "machine-api-termination-handler":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
      not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
      usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable
      by user or serviceaccount, provider "privileged": Forbidden: not usable by user
      or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1

To Reproduce

Create Openshift cluster
Install gateway api resources
Run helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway

Expected behavior
NGF deploys correctly.

Your environment

Version of the NGINX Gateway Fabric - 1.1.0
Version of Kubernetes - 1.25.10
Kubernetes platform (e.g. Mini-kube or GCP) - Openshift v4.12.20

The text was updated successfully, but these errors were encountered:

sjberman · 2024-03-12T20:58:25Z

Ah of course, OpenShift. We'll need to create a SecurityContextConstraint that has the proper permissions to deploy NGF.

sy-be · 2024-04-19T09:46:29Z

Would be great to have this documented and why we need these extra capabilities, especially the KILL.

mpstefan · 2024-04-22T15:36:12Z

We may be able to look at NIC's SCC available here

sjberman · 2024-05-02T16:38:27Z

We'll also probably require a field in our helm chart to say whether we are on kubernetes or openshift to determine whether or not to create the SCC when installing.

An update to our installation docs will be required to explain this, and we should also add a reference doc to describe the permissions we use and why we use them.

github-project-automation bot added this to NGINX Gateway Fabric Mar 12, 2024

github-project-automation bot moved this to 🆕 New in NGINX Gateway Fabric Mar 12, 2024

mpstefan added this to the v1.3.0 milestone Mar 21, 2024

mpstefan added enhancement New feature or request refined Requirements are refined and the issue is ready to be implemented. labels Apr 22, 2024

mpstefan added the size/medium Estimated to be completed within a week label Apr 22, 2024

bjee19 self-assigned this May 7, 2024

bjee19 moved this from 🆕 New to 🏗 In Progress in NGINX Gateway Fabric May 7, 2024

bjee19 mentioned this issue May 15, 2024

Allow NGF to run on Openshift #1976

Merged

6 tasks

bjee19 moved this from 🏗 In Progress to 👀 In Review in NGINX Gateway Fabric May 17, 2024

bjee19 mentioned this issue May 20, 2024

Add references document defining NGF permissions #1985

Open

bjee19 closed this as completed in #1976 May 28, 2024

github-project-automation bot moved this from 👀 In Review to ✅ Done in NGINX Gateway Fabric May 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NGF fails to deploy on Openshift #1674

NGF fails to deploy on Openshift #1674

bjee19 commented Mar 12, 2024 •

edited

Loading

sjberman commented Mar 12, 2024

sy-be commented Apr 19, 2024

mpstefan commented Apr 22, 2024

sjberman commented May 2, 2024

NGF fails to deploy on Openshift #1674

NGF fails to deploy on Openshift #1674

Comments

bjee19 commented Mar 12, 2024 • edited Loading

sjberman commented Mar 12, 2024

sy-be commented Apr 19, 2024

mpstefan commented Apr 22, 2024

sjberman commented May 2, 2024

bjee19 commented Mar 12, 2024 •

edited

Loading