Cannot install KGO on OpenShift #921

Open
simonregn opened this issue Dec 11, 2024 · 0 comments
Labels
bug Something isn't working

Current Behavior

I'm not able to install the Kong Gateway Operator in our OpenShift cluster. The problem we face is the gateway-operator-admission-xyz Job. It is running as user 2000 and OpenShift does not allow it. The current workaround is only to let this Job run with the privileged security-context-constraint.

Problematic code area which needs to be adjusted:
https://github.com/Kong/gateway-operator/blob/v1.4.1/pkg/utils/kubernetes/resources/jobs.go#L83-L85

Generated from job-controller
4 times in the last 5 minutes
Error creating: pods "gateway-operator-admission-patch-ll8wr-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 2000: must be in the ranges: [1000750000, 1000759999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "privileged-genevalogging": Forbidden: not usable by user or serviceaccount]

and

Error creating: pods "gateway-operator-admission-patch-8z4mq-" is forbidden: error looking up service account kong-system/gateway-operator-admission: serviceaccount "gateway-operator-admission" not found

Expected Behavior

The runAsUser should be set to null by default. This way OpenShift, or probably any other K8s, would decide on the user on its own and assign it a value in the range [1001930000, 1001939999] (for OpenShift).

Operator Version

1.4.1 - Chart Version gateway-operator-0.4.1

kubectl version

v1.29.10+67d3387

@simonregn simonregn added the bug Something isn't working label Dec 11, 2024