I am trying to deploy some applications using DeploymentConfig. Below is a simplified version of the YAML file for postgres.
```yaml
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: postgres
message: |-
  To test deployment for postgres.
metadata:
  annotations:
    description: Deploys postgress on Openshift.
    openshift.io/display-name: postgress
    openshift.io/long-description: postgres
    openshift.io/provider-display-name: xxxx
    tags: database
    template.openshift.io/bindable: "false"
  name: postgres
objects:
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    annotations:
      template.alpha.openshift.io/wait-for-ready: 'true'
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    replicas: 1
    selector:
      name: ${POSTGRESQL_HOST}
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          name: ${POSTGRESQL_HOST}
      spec:
        containers:
        - env:
          - name: POSTGRESQL_USER
            valueFrom:
              secretKeyRef:
                key: database-user
                name: postgresql
          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-password
                name: postgresql
          - name: POSTGRESQL_DATABASE
            valueFrom:
              secretKeyRef:
                key: database-name
                name: postgresql
          image: rhel8/postgresql-12
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
              - "--live"
            initialDelaySeconds: 120
            timeoutSeconds: 10
          name: ${POSTGRESQL_HOST}
          ports:
          - containerPort: 5432
            protocol: TCP
          readinessProbe:
            exec:
              command:
              - "/usr/libexec/check-container"
            initialDelaySeconds: 5
            timeoutSeconds: 1
          resources:
            limits:
              memory: 1Gi
          securityContext:
            capabilities: {}
            privileged: false
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/lib/pgsql/data
            name: postgresql-data
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext:
          runAsUser: 2222
          runAsGroup: 1111
        terminationGracePeriodSeconds: 30
        volumes:
        - name: postgresql-data
          persistentVolumeClaim:
            claimName: ${PERSISTENT_VOLUME_CLAIM_DB}
    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - ${POSTGRESQL_HOST}
        from:
          kind: ImageStreamTag
          name: postgresql:12
          namespace: airflow-data-factory
      type: ImageChange
    - type: ConfigChange
- apiVersion: v1
  stringData:
    database-name: ${POSTGRESQL_DATABASE}
    database-password: ${POSTGRESQL_PASSWORD}
    database-user: ${POSTGRESQL_USER}
    connection-string: postgresql+psycopg2://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
    result-backend: db+postgresql://${POSTGRESQL_USER}:${POSTGRESQL_PASSWORD}@${POSTGRESQL_HOST}:5432/${POSTGRESQL_DATABASE}
  kind: Secret
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: postgresql
  type: Opaque
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: ${APPLICATION_NAME}
      template: postgresql-ephemeral-template
    name: ${POSTGRESQL_HOST}
  spec:
    ports:
    - name: ${POSTGRESQL_HOST}
      port: 5432
      protocol: TCP
      targetPort: 5432
    selector:
      name: ${POSTGRESQL_HOST}
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: ${PERSISTENT_VOLUME_CLAIM_DB}
    namespace: airflow-data-factory
  spec:
    storageClassName: openshift-trident-ext4
    accessModes:
    - "ReadWriteOnce"
    resources:
      requests:
        storage: ${PERSISTENT_VOLUME_CLAIM_DB_SIZE}
parameters:
- description: Name of the application
  displayName: Application name
  name: APPLICATION_NAME
  value: postgres
- description: PostgreSQL host
  displayName: PostgreSQL hostname
  name: POSTGRESQL_HOST
  value: postgresql
  required: true
- description: Username for PostgreSQL user that will be used for accessing the database
  displayName: PostgreSQL connection username
  from: 'user[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_USER
  required: true
- description: Password for the PostgreSQL connection user
  displayName: PostgreSQL connection password
  from: '[a-zA-Z0-9]{16}'
  generate: expression
  name: POSTGRESQL_PASSWORD
  required: true
- description: Database name for PostgreSQL database
  displayName: PostgreSQL connection database
  from: 'airflow[a-z0-9]{5}'
  generate: expression
  name: POSTGRESQL_DATABASE
  required: true
- description: Attached PERSISTENT volume claim name for storing metadata in PostgreSQL database
  displayName: PERSISTENT volume claim name (database)
  name: PERSISTENT_VOLUME_CLAIM_DB
  value: storage-db-pvc
- description: Size of the metadata volume storage
  displayName: Metadata volume storage size
  name: PERSISTENT_VOLUME_CLAIM_DB_SIZE
  value: "1Gi"
```
When I execute this template, I get the following error:
Stop retrying: couldn't create deployer pod for "zzzzzzzzzz/postgresql-7": admission webhook "validate.kyverno.something-ignore" denied the request: policy Pod/namespace_name/postgresql-7-deploy for resource violations: add-securitycontext: update-runasgroup: The runAsGroup does not match the field value from the annotation in the namespace. ensure-readonly-lustre: ensure-readonly-lustre: preconditions not met
I have rechecked runAsUser and runAsGroup, and they are defined correctly according to the SCC. Any help or suggestions would be greatly welcomed.
It failed with an error about updating runAsGroup, but I am sure that it is correct. Is there any problem with my template YAML?
Basically, runAsUser and runAsGroup violate OpenShift policies. In other words, you can't use them with OpenShift.
What happens in OpenShift is that it creates a random user id (a big number, always >1000) which runs your pod, and assigns it to the root group (id 0).
So you need to adjust your images so that permissions allow them to be run by someone belonging to the root group.
Now, for your particular case, start by removing securityContext completely and see what happens; it may just work as is. If not, look at what resources need access by the user running the container and make sure they are accessible by a user with group id 0.
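The answer's point is that the pod-level runAsUser/runAsGroup in the template are pinned to values the project does not allow. As an added illustration (not part of the question or the answer), the check below compares a pod securityContext against the uid-range and supplemental-groups annotations OpenShift writes on a namespace; the annotation names are real, the range values are constructed, and the "must fall inside the namespace range" rule is an assumed model of the cluster's Kyverno policy, whose exact logic is not shown on the page.

```python
from typing import Dict, List, Optional, Tuple

# Annotations OpenShift sets on a project; values look like "<start>/<size>"
# (uid-range) or "<start>/<size>" / "<start>-<end>" (supplemental-groups).
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"
GID_RANGE_ANNOTATION = "openshift.io/sa.scc.supplemental-groups"


def parse_range(value: str) -> Tuple[int, int]:
    """Return (first, last) for '1000650000/10000' or '1000650000-1000659999'."""
    if "/" in value:
        start, size = value.split("/", 1)
        return int(start), int(start) + int(size) - 1
    start, end = value.split("-", 1)
    return int(start), int(end)


def check_security_context(ns_annotations: Dict[str, str],
                           pod_sc: Optional[Dict[str, int]]) -> List[str]:
    """List explicit runAsUser/runAsGroup values outside the namespace ranges.

    Assumed policy model: a pinned value must lie inside the annotated range;
    an absent securityContext lets OpenShift pick an allowed UID/GID itself.
    """
    violations: List[str] = []
    if not pod_sc:
        return violations
    uid = pod_sc.get("runAsUser")
    if uid is not None:
        lo, hi = parse_range(ns_annotations[UID_RANGE_ANNOTATION])
        if not lo <= uid <= hi:
            violations.append(f"runAsUser {uid} outside uid-range {lo}-{hi}")
    gid = pod_sc.get("runAsGroup")
    if gid is not None:
        lo, hi = parse_range(ns_annotations[GID_RANGE_ANNOTATION])
        if not lo <= gid <= hi:
            violations.append(f"runAsGroup {gid} outside supplemental-groups {lo}-{hi}")
    return violations


# Constructed namespace annotations in the shape OpenShift writes them.
NAMESPACE_ANNOTATIONS = {
    UID_RANGE_ANNOTATION: "1000650000/10000",
    GID_RANGE_ANNOTATION: "1000650000/10000",
}
# The pod-level securityContext from the question's template.
QUESTION_POD_SC = {"runAsUser": 2222, "runAsGroup": 1111}

if __name__ == "__main__":
    for v in check_security_context(NAMESPACE_ANNOTATIONS, QUESTION_POD_SC):
        print("violation:", v)
    print("without securityContext:", check_security_context(NAMESPACE_ANNOTATIONS, None))
```

On a live cluster the two annotation values come from `oc get namespace <name> -o yaml`; running the check before `oc process | oc apply` surfaces the mismatch without waiting for the admission webhook to reject the deployer pod.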