Details
- Bug
- Resolution: Done
- Major
- GITOPS Sprint 3248, GITOPS Sprint 3250, GITOPS Sprint 3251, GITOPS Sprint 3252, GITOPS Sprint 3253, GITOPS Sprint 3254, GitOps Crimson - Sprint 3255
Description
Description of problem:
When deploying an instance of Argo CD into a namespace in 4.14, the redis pod fails to start as it is forbidden. Adding the anyuid SCC to the redis and redis-ha service accounts gets things going again.
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
Deploy a namespace-scoped instance into a new namespace. If you check the redis deployment, you will see that no pods are created and the Deployment is showing the following in its status field:
- type: ReplicaFailure
  status: 'True'
  lastUpdateTime: '2023-11-14T17:53:40Z'
  lastTransitionTime: '2023-11-14T17:53:40Z'
  reason: FailedCreate
  message: >-
    pods "argocd-redis-75db4ffcc5-" is forbidden: unable to validate against
    any security context constraint: [provider "anyuid": Forbidden: not
    usable by user or serviceaccount, provider "pipelines-scc": Forbidden:
    not usable by user or serviceaccount, provider restricted-v2:
    .containers[0].runAsUser: Invalid value: 999: must be in the ranges:
    [1001060000, 1001069999], provider "restricted": Forbidden: not usable
    by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable
    by user or serviceaccount, provider "nonroot": Forbidden: not usable by
    user or serviceaccount, provider "hostmount-anyuid": Forbidden: not
    usable by user or serviceaccount, provider
    "machine-api-termination-handler": Forbidden: not usable by user or
    serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user
    or serviceaccount, provider "hostnetwork": Forbidden: not usable by user
    or serviceaccount, provider "hostaccess": Forbidden: not usable by user
    or serviceaccount, provider "lvms-vgmanager": Forbidden: not usable by
    user or serviceaccount, provider "lvms-topolvm-node": Forbidden: not
    usable by user or serviceaccount, provider "rook-ceph": Forbidden: not
    usable by user or serviceaccount, provider "node-exporter": Forbidden:
    not usable by user or serviceaccount, provider "rook-ceph-csi":
    Forbidden: not usable by user or serviceaccount, provider "privileged":
    Forbidden: not usable by user or serviceaccount]
Actual results:
See above
Expected results:
Redis pod starts
Reproducibility (Always/Intermittent/Only Once):
Acceptance criteria:
Redis pod starts
Definition of Done:
Build Details:
Additional info (Such as Logs, Screenshots, etc):
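
Added example, not part of the original report and not Argo CD or OpenShift code: a small Python parser for the FailedCreate message above that separates SCCs the service account has no grant for from the SCC that was evaluated and rejected the pod spec. SAMPLE is a shortened, constructed copy of that message, and the function name is hypothetical.

```python
import re

# Constructed sample: a shortened copy of the FailedCreate message in the report.
SAMPLE = (
    'pods "argocd-redis-75db4ffcc5-" is forbidden: unable to validate against '
    'any security context constraint: [provider "anyuid": Forbidden: not '
    'usable by user or serviceaccount, provider restricted-v2: '
    '.containers[0].runAsUser: Invalid value: 999: must be in the ranges: '
    '[1001060000, 1001069999], provider "restricted": Forbidden: not usable '
    'by user or serviceaccount, provider "privileged": Forbidden: not usable '
    'by user or serviceaccount]'
)

PROVIDER = re.compile(r'provider "?([\w.-]+)"?: ')
UID_RANGE = re.compile(
    r'runAsUser: Invalid value: (\d+): must be in the ranges: \[(\d+), (\d+)\]')


def parse_scc_denial(message):
    """Return one verdict per SCC named in an 'unable to validate' message."""
    flat = " ".join(message.split())            # undo YAML line folding
    body = flat[flat.index("[provider") + 1:]
    if body.endswith("]"):
        body = body[:-1]                        # drop only the list's closing bracket
    marks = list(PROVIDER.finditer(body))
    verdicts = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        reason = body[mark.end():end].rstrip(", ")
        uid = UID_RANGE.search(reason)
        verdicts.append({
            "scc": mark.group(1),
            # "not usable by user or serviceaccount": no grant for this SCC
            "usable": not reason.startswith("Forbidden: not usable"),
            # (requested UID, range low, range high) when runAsUser was rejected
            "uid_conflict": tuple(map(int, uid.groups())) if uid else None,
            "reason": reason,
        })
    return verdicts


if __name__ == "__main__":
    for v in parse_scc_denial(SAMPLE):
        state = "evaluated, rejected" if v["usable"] else "not granted"
        print(f'{v["scc"]:<16} {state:<20} {v["uid_conflict"] or ""}')
```

On the sample, only restricted-v2 is reported as evaluated, and its rejection is the fixed runAsUser 999 falling outside the namespace's allocated UID range.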