Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-2235

OCP < 4.11: Dex pod in less privileged namespace fails to come up, citing containerconfigerror

XMLWordPrintable

    • 5
    • False
    • None
    • False
    • Previous GitOps releases were affected by an issue with dex pods failing with CreateContainerConfigError when a SCC of 'anyuid' is assigned to the dex serviceAccount. This issue is fixed by assigning a default user id to the dex container.
    • GITOPS Sprint 223, GITOPS Sprint 224

      Reliably (3 times now), using the following repo and branch:

      https://github.com/mhjacks/multicloud-gitops/tree/repro-dex-failure

      (Installing the pattern, by running `make install` on a fresh cluster)

      The dex pod in the multicloud-gitops-hub namespace will fail to come up:

      container has runAsNonRoot and image will run as root (pod: "hub-gitops-dex-server-68bfc4bf9-656k7_multicloud-gitops-hub(ea242591-5b38-4c8b-b4c5-d4dd04144ebf)", container: dex)

      The same manifests will apply without error on Gitops 1.5.

      The cluster-scoped installation dex pod in openshift-gitops comes up without error and works for Oauth with the default cluster-admin account.

       

      Cluster-scoped dex pod securityContext:

      ```

      securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
              - KILL
              - MKNOD
              - SETGID
              - SETUID
            runAsNonRoot: true
            runAsUser: 1000650000

      ```

      non-cluster-scoped securityContext:

      ```

      securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
              - MKNOD
            runAsNonRoot: true

      ```

            jrao@redhat.com Jaideep Rao
            martjack@redhat.com Martin Jackson
            Votes:
            3 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated:
              Resolved: