Skip to main content

K8S/OPENSHIFT: POD CRASHING,SECURITY CONTEXT CONTRAINTS PROBLEM?

 


Your new daily given task is creating a new app in a new namespace. You investigated and found your image. Then you started to create your app. After app created you checked and realized that the your new apps pod is not starting!

Here look at this example. I Used gitlab here as an instance.

[ozgurk@myworkstation ~]$ oc new-app --name gitlab \
>    --docker-image quay.io/redhattraining/gitlab-ce:8.4.3-ce.0
--> Creating resources ...
    imagestream.image.openshift.io "gitlab" created
    deployment.apps "gitlab" created
    service "gitlab" created
--> Success

 Until here, everything looking normal. Check your pod status : 

[ozgurk@myworkstation ~]$ oc get pods
NAME                      READY   STATUS   RESTARTS   AGE
gitlab-6d61db3479-yyjl   0/1     Error    1          43s

As seen above, our pod is in a trouble. It's better to start investigation from pod logs.

[ozgurk@myworkstation ~]$ oc logs pod/gitlab-6d61db3479-yyjl 

================================================================================
Recipe Compile Error in /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb
================================================================================

Chef::Exceptions::InsufficientPermissions
-----------------------------------------
directory[/etc/gitlab] (gitlab::default line 26) had an error: Chef::Exceptions::InsufficientPermissions: Cannot create directory[/etc/gitlab] at /etc/gitlab due to insufficient permissions

As you see above, there is a permission issue occurred. So, next questions should be why and how to correct. 

In normal circumstances,  containerized apps doesn't need any special permission. But some apps need more permission than had their own to live and work. On a baremetal or vm instance you can correct permission problems by changing group, service account or basically chmoding chowning. But in a container, your actions will not work, because your actions will not persist with container due to normal life-cycle of the pods.

At first, you  must login as an admin, if you're already using an admin account, skip this  step:

[ozgurk@myworkstation ~]$ oc login -u myadmin -p myadminpassword
Login successful.

Then run the command below. your pod name will be different  than mine. Use your very own :)

[ozgurk@myworkstation ~]$ oc get pod/gitlab-6d61db3479-yyjl  -o yaml \
| oc adm policy scc-subject-review -f -
RESOURCE                      ALLOWED BY
Pod/gitlab-6d61db3479-yyjl   anyuid

By running the command we learned the required permission to run our pod.

In real, anyuid is a Security Context Constraints. For anyuid,  which means that the pod can run as any user ID available in the container. This  allows containers that require a specific user to run the commands using a specific user ID.

This is a very common scenario and problem. We will not create a spesific user on the container, already we cannot! For tihs reason we  must create a service account bound to a pod.

 To create a new service account and assign the anyuid SCC to it, run ;

[ozgurk@myworkstation ~]$ oc create sa gitlab-sa
serviceaccount/gitlab-sa created

After your service account created, bind it to anyuid SCC by a cluster policy 

[ozgurk@myworkstation ~]$ oc adm policy add-scc-to-user anyuid -z gitlab-sa
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "gitlab-sa"

Assign your service account to your deployment : 

[ozgurk@myworkstation ~]$ oc set serviceaccount deployment/gitlab gitlab-sa
deployment.apps/gitlab serviceaccount updated

 The command above will update your deployment,  then your pod will be recreated with new settings.

[ozgurk@myworkstation ~]$ oc get pods
NAME                   READY   STATUS    RESTARTS   AGE
gitlab-43e3e31-yn3ge   1/1     Running   0          15s

Voila! Congratulations, your problem is solved now. Now , you're free to go what you want with your new app.



 

 

 

Labels:

Comments

Post a Comment

Popular posts from this blog

Openshift/K8S : Get routes hostnames and learn their reachability

  Undoubtedly, route have a key role to accessing your pods and their applications inside.  You may want to learn your whole Kubernetes or Openshift routes and their hostnames. Also you want to learn reachability of them. Here comes a shortcut! First step is creating a variable : hosts=$(oc get route -A \ -o jsonpath='{.items[*].spec.host}') You can ensure that just getting the hostnames,  rather than any other info by running : echo $hosts After this point we need a series of shell command to get names and HTTP status of our routes. For this task, write out the codes shown below :  for host in $hosts ; do \ curl https://$host -k -w "%{url_effective} %{http_code}\n" -o /dev/null -s ; \ done https://oauth-openshift.apps.ocp4.ozgurkkisa.com/ 403 https://console-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://downloads-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://alertmanager-main-openshift-monitoring.apps.ocp4.ozgurkkisa.com/ 403 https://grafan
Post a Comment
Read more

OPENSHIFT/K8S: Enable HTPasswd Authentication for your Openshift Cluster

 Openshift provides different kind of authentication mechanisms for authentication. Openshift comes with a default kubeadmin user as a factory default. In addition to default admin, in real world you want different users with different permission levels to separate roles.  You can use Ldap, Github or Github Enterprise, Keystone Server, OpenID Connect or HTPasswd authentication. All these methods are named as Identity providers.All methods are external solutions or requires additional servers/services to deploy to authenticate except HTPasswd authentication. HTPasswd authentication  consist of simple and locally managed password files. Simply, you define usernames and equivalent password for them. htpasswd file contains a list of users and their secrets. HTPasswd files keeps users password encrypted by several encryption algorithms like, MD5(default), SHA1, SHA256 and Bcrypt (Most secure for htpasswd.) Screenshot 1- A simple and sample htpasswd file A simple htpasswd file is similar to
Post a Comment
Read more