OpenShift fsGroup Issue with SCC restricted-v2 (Helm Chart Installation)

Hi all,

We have an issue concerning the restricted-v2 fsGroup assignment in OpenShift. The following error message is displayed when installing Camunda on OpenShift with Helm chart version 8.1.6 (following Running Camunda 8 on OpenShift | Camunda):

create Pod elasticsearch-master-0 in StatefulSet elasticsearch-master failed error: pods "elasticsearch-master-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001120000, 1001129999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001120000, 1001129999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "nginx-ingress-admin": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

According to the documentation for Camunda on OpenShift, with the setting “compatibility.openshift.adaptSecurityContext: force”, setting fsGroup to null should make OpenShift assign the correct fsGroup with the default SCC of restricted-v2 (see Red Hat OpenShift | Camunda 8 Docs and helm-charts/elasticsearch/examples/openshift/values.yaml at 7.10 · elastic/helm-charts · GitHub).

We minimized the Helm chart installation to the pure Elasticsearch installation to isolate the issue:

# Global configuration for variables which can be accessed by all sub charts
global:
  annotations: {}
  labels:
    app: camunda-platform
  compatibility:
    openshift:
      adaptSecurityContext: force

tasklist:
  enabled: false

operate:
  enabled: false

optimize:
  enabled: false

identity:
  enabled: false

zeebe:
  enabled: false

zeebe-gateway:
  enabled: false

elasticsearch:
  podSecurityContext:
    runAsUser: null
    fsGroup: null  # <----------------------- This is causing the exception

  replicas: 1
  volumeClaimTemplate:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: 1Gi
  sysctlInitContainer:
    enabled: false
  image: "elasticsearch"
  imageTag: 7.17.10

  securityContext:
    runAsUser: null
    fsGroup: null

Can you please help?


What’s your OpenShift version?

Hi cpbpm, the cluster version is 4.16.12.

Does anyone have experience with an OpenShift installation of Camunda 8 using a higher Helm chart version than 8.1.6 with the default OpenShift restricted-v2 SCC? Does that work?

I will test your configuration and keep you posted on the status.

@cpbpm thanks a lot!

I am going through the configuration. If you would like to get started, I would recommend starting with the latest version.

Camunda Helm chart 8.1.6 is too old. The documentation you are following was initially written by @BerndRuecker to demonstrate OpenShift capabilities.

You are trying out OpenShift 4.16.2, which is a very recent version. You don’t need to specify the security context, as you have already defined it in the global context.

Refer to the link:

As you mentioned, with force the SCC values will be null for all the components by default. You do not need to declare it again.

With restrictive SCCs

By default, OpenShift employs more restrictive SCCs. The Helm chart must assign null to the user running all components and dependencies. The global.compatibility.openshift.adaptSecurityContext variable in your values.yaml can be used to set the following possible values:

  • force: The runAsUser and fsGroup values will be null in all components.
  • disabled: The runAsUser and fsGroup values will not be modified (default).
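As an added example (not Camunda's or OpenShift's own code), the snippet below re-implements in Python the two restricted-v2 admission checks that produced the error message at the top of the thread, so a rendered Helm manifest can be checked against a namespace's range annotations before installing. The namespace annotation values and the two pod specs are constructed for the sample (the range is taken from the error message); the "start/size" and "min-max" annotation formats are assumed.

```python
# Constructed sample: a namespace annotated by OpenShift with the UID and
# supplemental-group ranges that restricted-v2 enforces. The range matches
# the one quoted in the error: 1001120000 to 1001129999.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1001120000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1001120000/10000",
}

def parse_range(spec):
    """Parse a range annotation, 'start/size' or 'min-max' (assumed formats).
    Returns an inclusive (lo, hi) tuple."""
    spec = spec.strip()
    if "/" in spec:
        start, size = (int(x) for x in spec.split("/", 1))
        return start, start + size - 1
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi

def check_pod(pod_spec, annotations):
    """Mimic the restricted-v2 fsGroup and runAsUser validations.
    Fields left at None pass: OpenShift then assigns a value from the range,
    which is what adaptSecurityContext=force relies on.
    Returns a list of violations; an empty list means the pod is admitted."""
    uid_lo, uid_hi = parse_range(annotations["openshift.io/sa.scc.uid-range"])
    gid_ranges = [parse_range(r) for r in
                  annotations["openshift.io/sa.scc.supplemental-groups"].split(",")]
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not any(lo <= fs_group <= hi for lo, hi in gid_ranges):
        problems.append(f".spec.securityContext.fsGroup: {fs_group} is not an allowed group")
    for i, c in enumerate(pod_spec.get("containers", [])):
        # A container-level runAsUser overrides the pod-level one, as in Kubernetes.
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and not (uid_lo <= uid <= uid_hi):
            problems.append(f".containers[{i}].runAsUser: {uid} must be in the range [{uid_lo}, {uid_hi}]")
    return problems

# Constructed pod specs: the hard-coded 1000/1000 the subchart rendered versus
# the intended result of adaptSecurityContext: force (both values null).
ES_HARDCODED = {"securityContext": {"fsGroup": 1000},
                "containers": [{"name": "elasticsearch", "securityContext": {"runAsUser": 1000}}]}
ES_NULLED = {"securityContext": {"fsGroup": None},
             "containers": [{"name": "elasticsearch", "securityContext": {"runAsUser": None}}]}

if __name__ == "__main__":
    for name, spec in (("hard-coded", ES_HARDCODED), ("nulled", ES_NULLED)):
        print(name, check_pod(spec, NAMESPACE_ANNOTATIONS) or "admitted")
```

To run it against a real chart, render with `helm template` and feed each Pod or StatefulSet pod template's `spec` to `check_pod` together with the annotations from `oc get namespace <ns> -o yaml`.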

Thanks @cpbpm. Does anyone else have experience with Camunda on OpenShift with the restricted-v2 SCC?