
[GITOPS-2235] OCP < 4.11: Dex pod in less privileged namespace fails to come up, citing CreateContainerConfigError

    • Previous GitOps releases were affected by an issue with dex pods failing with CreateContainerConfigError when a SCC of 'anyuid' is assigned to the dex serviceAccount. This issue is fixed by assigning a default user id to the dex container.
    • GITOPS Sprint 223, GITOPS Sprint 224

      Reliably (3 times now), using the following repo and branch:

      https://github.com/mhjacks/multicloud-gitops/tree/repro-dex-failure

      (Installing the pattern, by running `make install` on a fresh cluster)

      The dex pod in the multicloud-gitops-hub namespace will fail to come up:

      container has runAsNonRoot and image will run as root (pod: "hub-gitops-dex-server-68bfc4bf9-656k7_multicloud-gitops-hub(ea242591-5b38-4c8b-b4c5-d4dd04144ebf)", container: dex)

      The same manifests will apply without error on Gitops 1.5.

      The cluster-scoped installation dex pod in openshift-gitops comes up without error and works for OAuth with the default cluster-admin account.


      Cluster-scoped dex pod securityContext:

      ```
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
          - KILL
          - MKNOD
          - SETGID
          - SETUID
        runAsNonRoot: true
        runAsUser: 1000650000
      ```

      non-cluster-scoped securityContext:

      ```
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
          - MKNOD
        runAsNonRoot: true
      ```

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch cherry-pick-610cd13e-3: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            William Tam added a comment -

            This bug affects 1.4 as well. We do need to back port to 1.4.

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch cherry-pick-610cd13e-3: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch cherry-pick-610cd13e-2: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch cherry-pick-610cd13e: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch cherry_pick_dex: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            Roman Jeczkowiak (Inactive) added a comment -

            wtam_at_redhat Since this bug was affecting only gitops >= 1.5.5 I guess the '1.4.12' fix version is not needed here

            GitLab CEE Bot added a comment -

            rjeczkow mentioned this issue in a merge request of gitops / operator-e2e on branch validate_dex: GITOPS-2235 Dex pod in less privileged namespace fails to come up

            Jaideep Rao added a comment - edited

            rjeczkow
            I was able to verify the fix by doing the following:
            on a 1.6.0 operator installation:

            • install operator
            • create a namespace scoped argo-cd instance with dex enabled and make sure it comes up
            • run `oc adm policy add-scc-to-user anyuid -z argocd-argocd-dex-server -n test` to grant the dex service account an anyuid SCC
            • delete the dex pod and wait for it to come back
            • dex pod fails with `CreateContainerConfigError`

            on installing 1.6.1 operator build containing fix, and performing the same steps the dex pod was able to come up despite the anyuid SCC being assigned to the serviceaccount
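The two securityContexts in the description differ only in `runAsUser`, and that is exactly what the error turns on: `runAsNonRoot: true` asks the kubelet to prove the container will not run as UID 0, and when no `runAsUser` is set anywhere the kubelet can only look at the image's `USER`. The `restricted` SCC fills `runAsUser` in from the namespace's UID range (the 1000650000 seen on the cluster-scoped pod), while `anyuid` leaves the manifest alone, which is why granting `anyuid` to the dex service account in the verification steps above reproduces the failure. The Go program below is an added example, not code from the operator, the kubelet or this issue: it models SCC admission and the kubelet's runAsNonRoot check for the four combinations (before and after the fix, `restricted` and `anyuid`). The namespace range annotation, the empty image `USER` and the default UID 999 are constructed for the example; the operator's actual default UID is not stated on this page.

```go
package main

import (
	"fmt"
	"strconv"
)

// SecurityContext is the subset of a container securityContext this model needs.
type SecurityContext struct {
	RunAsNonRoot bool
	RunAsUser    *int64 // nil: not set in the manifest
}

// SCC models only the runAsUser strategy of a SecurityContextConstraint:
// MustRunAsRange (restricted) or RunAsAny (anyuid).
type SCC struct {
	Name           string
	MustRunAsRange bool
}

var (
	Restricted = SCC{Name: "restricted", MustRunAsRange: true}
	AnyUID     = SCC{Name: "anyuid"}
	// Constructed namespace openshift.io/sa.scc.uid-range annotation; 1000650000 matches the report.
	NamespaceUIDRange = "1000650000/10000"
	// Constructed: the image config sets no USER, so on its own the container runs as root.
	DexImageUser = ""
	// Before the fix: runAsNonRoot with no runAsUser (the report's non-cluster-scoped securityContext).
	BeforeFix = SecurityContext{RunAsNonRoot: true}
	// After the fix: a default UID is set too. 999 is a placeholder for this example, not the operator's value.
	defaultUID int64 = 999
	AfterFix         = SecurityContext{RunAsNonRoot: true, RunAsUser: &defaultUID}
)

// admit models SCC admission for runAsUser: RunAsAny leaves the pod alone; MustRunAsRange
// injects the first UID of the namespace range when none is set and rejects a UID outside it.
func admit(scc SCC, sc SecurityContext) (SecurityContext, error) {
	if !scc.MustRunAsRange {
		return sc, nil
	}
	var start, size int64
	if _, err := fmt.Sscanf(NamespaceUIDRange, "%d/%d", &start, &size); err != nil {
		return sc, fmt.Errorf("bad uid-range annotation %q: %v", NamespaceUIDRange, err)
	}
	if sc.RunAsUser == nil {
		uid := start
		sc.RunAsUser = &uid
		return sc, nil
	}
	if uid := *sc.RunAsUser; uid < start || uid >= start+size {
		return sc, fmt.Errorf("provider %s: runAsUser %d must be in the range [%d, %d]",
			scc.Name, uid, start, start+size-1)
	}
	return sc, nil
}

// verifyRunAsNonRoot models the kubelet check behind the report's error: with runAsNonRoot set
// and no runAsUser from manifest or SCC, only the image's USER is left, and unset or 0 means root.
func verifyRunAsNonRoot(sc SecurityContext, imageUser string) error {
	if !sc.RunAsNonRoot {
		return nil
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return fmt.Errorf("container's runAsUser breaks non-root policy")
		}
		return nil
	}
	if imageUser == "" || imageUser == "0" {
		return fmt.Errorf("container has runAsNonRoot and image will run as root")
	}
	if _, err := strconv.ParseInt(imageUser, 10, 64); err != nil {
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", imageUser)
	}
	return nil
}

// Simulate pushes a dex container securityContext through SCC admission and then the kubelet
// check. The phase is Forbidden, CreateContainerConfigError or Running; err carries the reason.
func Simulate(scc SCC, sc SecurityContext, imageUser string) (string, error) {
	effective, err := admit(scc, sc)
	if err != nil {
		return "Forbidden", err
	}
	if err := verifyRunAsNonRoot(effective, imageUser); err != nil {
		return "CreateContainerConfigError", err
	}
	return "Running", nil
}

func main() {
	for _, scc := range []SCC{Restricted, AnyUID} {
		for i, sc := range []SecurityContext{BeforeFix, AfterFix} {
			phase, err := Simulate(scc, sc, DexImageUser)
			fmt.Printf("%-10s %s -> %s %v\n", scc.Name, []string{"before fix", "after fix"}[i], phase, err)
		}
	}
}
```

The fourth combination is the caveat a practitioner should keep in mind: a fixed `runAsUser` only helps under `anyuid` (or any RunAsAny strategy); under a MustRunAsRange SCC such as `restricted`, a UID outside the namespace's `openshift.io/sa.scc.uid-range` is refused at admission rather than by the kubelet, so whatever default the operator chooses has to coexist with the SCC the service account actually gets.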

            Roman Jeczkowiak (Inactive) added a comment -

            jrao@redhat.com hey, we'd like to add an e2e test case for this bug fix. What would be the steps to reproduce the issue?

            Thanks

              jrao@redhat.com Jaideep Rao
              martjack@redhat.com Martin Jackson
              Votes: 3
              Watchers: 13