21 Aug 2025 10:38 AM - edited 21 Aug 2025 10:49 AM
Hello.
On an OpenShift cluster v4.18.13 (K8S v1.31.8)
+ Certified Dynatrace Operator Dynakube 1.6.1 / cloud-native full-stack
+ Managed 1.320.66 + AG 1.319.21 + OA 1.319.55
we are trying to instantiate <docker.registry>/opensearchproject/opensearch-dashboards:2.17.1.
It fails to start with runAsUser & runAsNonRoot issues like "runAsNonRoot: Invalid value: false: must be true":
message: 'pods "hgw-opensearch-dashboards-68f76b89d7-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001100000, 1001109999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider nonroot-v2: .initContainers[0].runAsNonRoot: Invalid value: false: must be true, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "xdr-agent-scc-cortex-xdr": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'
We are concerned this may happen with other applications.
Has anyone reproduced this? Any fix?
Regards.
21 Aug 2025 10:44 AM - edited 21 Aug 2025 10:47 AM
Can you provide the output from
21 Aug 2025 10:53 AM
FYI
21 Aug 2025 11:50 AM
Is this what you are after:
oc get deployment hgw-opensearch-dashboards -o yaml | grep scc:
openshift.io/scc: nonroot-v2
oc get pod/dynatrace-webhook-1111857d9c-11111 -o yaml | grep scc:
openshift.io/scc: nonroot-v2
Checking your link thanks.
21 Aug 2025 01:09 PM
Application uses custom SCC
The utilized SCC must include csi volume as described in Configure custom SCC for application monitoring.
21 Aug 2025 01:43 PM
Thanks for input.
https://docs.dynatrace.com/docs/shortlink/installation-openshift-operatorhub#limitations says: from OperatorHub (our option): Application observability cannot be installed with CSI driver.
Also, I fail to see why CSI is involved in the question.
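Added example, not written by any poster in this thread: the admission error quoted in the first post mixes SCCs the service account is not allowed to use with SCCs that were evaluated and rejected a specific pod field, and this sketch separates the two. `parse_scc_denial` is a hypothetical helper name and `SAMPLE` is a constructed, shortened copy of the quoted message.

```python
import re

# Constructed sample: the admission error quoted in the thread, shortened to four providers.
SAMPLE = (
    'pods "hgw-opensearch-dashboards-68f76b89d7-" is forbidden: unable to validate '
    'against any security context constraint: ['
    'provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: '
    'must be in the ranges: [1001100000, 1001109999], '
    'provider nonroot-v2: .initContainers[0].runAsNonRoot: Invalid value: false: '
    'must be true, '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

ENTRY = re.compile(r'(?:^|, )provider "?([^":]+)"?: ')
VIOLATION = re.compile(r'^(\S+): Invalid value: (.+?): (.+)$')
NOT_GRANTED = "Forbidden: not usable by user or serviceaccount"


def parse_scc_denial(message):
    """Split an SCC admission denial into SCCs the service account may not use
    and SCCs that were evaluated but rejected a specific pod field."""
    result = {"not_granted": [], "violations": [], "other": []}
    start = message.find("[provider ")
    if start < 0:
        return result
    body = message[start + 1:].strip().rstrip("'")
    if body.endswith("]"):
        body = body[:-1]  # drop only the bracket that closes the provider list
    entries = list(ENTRY.finditer(body))
    for i, m in enumerate(entries):
        end = entries[i + 1].start() if i + 1 < len(entries) else len(body)
        scc, reason = m.group(1), body[m.end():end].strip()
        v = VIOLATION.match(reason)
        if reason == NOT_GRANTED:
            result["not_granted"].append(scc)
        elif v:
            result["violations"].append((scc, v.group(1), v.group(2), v.group(3)))
        else:
            result["other"].append((scc, reason))
    return result


if __name__ == "__main__":
    for scc, field, value, rule in parse_scc_denial(SAMPLE)["violations"]:
        print(f"{scc}: {field} = {value!r} -> {rule}")
```

Only the entries under `violations` name SCCs that were actually evaluated against the pod spec; the fields they list are the settings to compare with the pod's `securityContext`.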