How do I create a POD compatible in both openshift and Kubernetes clusters

Time:10-18

I have two clusters: Kubernetes 1.25 and OpenShift 4.11.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: testcustom
  #namespace: ics-e2e-pods-456
  namespace: ics-e2e-deploy-7887
  labels:
    app: testcustom
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testcustom
  template:
    metadata:
      labels:
        app: testcustom
    spec:
      securityContext:
        fsGroup: 1000  # fsGroup is a pod-level field; it is not valid inside a container securityContext
      containers:
      - image: busybox #image name which should be available within cluster
        name: container-name # name of the container inside POD
        volumeMounts:
        - mountPath: /myvolumepath  # mount path for pvc from container
          name: pvc-name # pvc name for this pod
        securityContext:
          seccompProfile:
            type: RuntimeDefault
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop: ["ALL"]
      volumes:
      - name: pvc-name  # volume resource name in this POD, user can choose any name as per kubernetes
        persistentVolumeClaim:
          claimName: csi-block-pvc-custom-one  # pvc name which was created by using claim.yaml file

When I try to deploy this pod, it fails in either of the above clusters, throwing errors related to the security context. If I fix the issue for one cluster, the same spec doesn't work in the other cluster. I am wondering how to get a common deployment file which can be used in both clusters.

Error

Error creating: pods "testcustom-589767ccd5-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000640000, 1000649999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": : Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

CodePudding user response:

In OpenShift, when the namespace/project is created, please ensure the ranges below are specified properly. The values should be mapped to the security context specified in the YAML definition for fsGroup and runAsUser. More details are in the OpenShift documentation. The same pod definition will work in k8s and OpenShift.

openshift.io/sa.scc.uid-range
openshift.io/sa.scc.supplemental-groups
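The mapping described in the answer, as an added example that is not part of the original post: a small preflight check that reads the project's `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` annotations, verifies that every `runAsUser` and the pod-level `fsGroup` in a Deployment fall inside those ranges (the same check the `restricted` SCC performs, which produced the "must be in the ranges" error above), and produces a copy of the manifest with the values moved into range. The Namespace and Deployment objects are constructed in-line as Python dicts that mirror the manifests on this page; the range values are the ones from the error message, and the `/`-separated `<start>/<size>` and `<min>-<max>` annotation forms are assumed from the OpenShift annotation syntax.

```python
"""Preflight: does a Deployment's securityContext fit an OpenShift project's
SCC UID/GID range annotations?  Added example; no external dependencies."""
import copy

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"
SUPPLEMENTAL_GROUPS_ANNOTATION = "openshift.io/sa.scc.supplemental-groups"


def parse_ranges(value: str) -> list[tuple[int, int]]:
    """Parse a range annotation into inclusive (min, max) pairs.

    Accepts comma-separated entries in '<start>/<size>' form (start plus block
    length, as OpenShift writes them) or '<min>-<max>' form.
    """
    ranges = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            start, size = entry.split("/", 1)
            lo, hi = int(start), int(start) + int(size) - 1
        elif "-" in entry:
            a, b = entry.split("-", 1)
            lo, hi = int(a), int(b)
        else:
            lo = hi = int(entry)
        if hi < lo:
            raise ValueError(f"empty or inverted range: {entry!r}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(n: int, ranges: list[tuple[int, int]]) -> bool:
    # An explicit value with no ranges configured is treated as out of range.
    return any(lo <= n <= hi for lo, hi in ranges)


def _ranges_of(namespace: dict) -> tuple[list, list]:
    ann = namespace.get("metadata", {}).get("annotations", {})
    return (parse_ranges(ann.get(UID_RANGE_ANNOTATION, "")),
            parse_ranges(ann.get(SUPPLEMENTAL_GROUPS_ANNOTATION, "")))


def check_deployment(deployment: dict, namespace: dict) -> list[str]:
    """Return human-readable violations; an empty list means the UID/GID
    values would be accepted by a MustRunAsRange SCC for this project."""
    uid_ranges, gid_ranges = _ranges_of(namespace)
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    problems = []
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not in_ranges(fs_group, gid_ranges):
        problems.append(f"spec.securityContext.fsGroup={fs_group} "
                        f"must be in the ranges {gid_ranges}")
    for i, container in enumerate(pod.get("containers", [])):
        sc = container.get("securityContext", {})
        if "fsGroup" in sc:  # not a container-level field at all
            problems.append(f"spec.containers[{i}].securityContext.fsGroup "
                            "is pod-level; move it to spec.securityContext")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # container overrides pod
        if uid is not None and not in_ranges(uid, uid_ranges):
            problems.append(f"spec.containers[{i}].securityContext.runAsUser={uid} "
                            f"must be in the ranges {uid_ranges}")
    return problems


def fit_to_namespace(deployment: dict, namespace: dict) -> dict:
    """Return a deep copy whose explicit runAsUser/fsGroup values are replaced
    by the first value of the project's ranges (the input is left untouched)."""
    uid_ranges, gid_ranges = _ranges_of(namespace)
    if not uid_ranges or not gid_ranges:
        raise ValueError("namespace lacks the SCC range annotations")
    fitted = copy.deepcopy(deployment)
    pod = fitted["spec"]["template"]["spec"]
    pod_sc = pod.setdefault("securityContext", {})
    containers = pod.get("containers", [])
    if "fsGroup" in pod_sc or any("fsGroup" in c.get("securityContext", {}) for c in containers):
        pod_sc["fsGroup"] = gid_ranges[0][0]
    if "runAsUser" in pod_sc:
        pod_sc["runAsUser"] = uid_ranges[0][0]
    for container in containers:
        sc = container.get("securityContext")
        if not sc:
            continue
        sc.pop("fsGroup", None)  # relocated to the pod level above
        if "runAsUser" in sc:
            sc["runAsUser"] = uid_ranges[0][0]
    return fitted


# Constructed sample objects mirroring the page: the project's ranges are the
# ones quoted in the SCC error, the Deployment carries the original 1000/1000.
NAMESPACE = {"metadata": {"name": "ics-e2e-deploy-7887", "annotations": {
    UID_RANGE_ANNOTATION: "1000640000/10000",
    SUPPLEMENTAL_GROUPS_ANNOTATION: "1000640000/10000"}}}
DEPLOYMENT = {"spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 1000},
    "containers": [{"name": "container-name", "image": "busybox",
                    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                        "allowPrivilegeEscalation": False}}]}}}}

if __name__ == "__main__":
    for p in check_deployment(DEPLOYMENT, NAMESPACE):
        print("violation:", p)
    print("fitted:", fit_to_namespace(DEPLOYMENT, NAMESPACE)["spec"]["template"]["spec"])
```

Run it against a manifest before applying it and the two violations it prints correspond one-to-one to what the SCC admission error reports; `fit_to_namespace` picks the first UID/GID of each range, which is also what the `restricted` SCC assigns when the fields are left unset, so the fitted manifest is accepted by OpenShift and remains a valid Deployment on plain Kubernetes.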