OpenShift Dynakube operator cloud-native full-stack: init container ko: runAsNonRoot: Invalid value: false: must be true

gilles_tabary
Mentor

Hello.

On an OpenShift cluster v4.18.13 (K8S v1.31.8)
+ Certified Dynatrace Operator Dynakube 1.6.1 / cloud-native full-stack
+ Managed 1.320.66 + AG 1.319.21 + OA 1.319.55

we are trying to instantiate <docker.registry>/opensearchproject/opensearch-dashboards:2.17.1 .

It fails to start with runAsUser & runAsNonRoot issues like "runAsNonRoot: Invalid value: false: must be true" :

message: 'pods "hgw-opensearch-dashboards-68f76b89d7-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001100000, 1001109999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider nonroot-v2: .initContainers[0].runAsNonRoot: Invalid value: false: must be true, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "xdr-agent-scc-cortex-xdr": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]' 

We are concerned this may happen with other applications.

  • hack: deactivate pod Dynatrace full-stack app monitoring injection, then it starts
  • works fine with scc restricted-v2
  • KO with scc nonroot-v2 because the runAsNonRoot value is "false"

Anyone reproduced this? Any fix?

Regards.
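To make the rejection quoted above concrete, here is an added example (it is not the poster's code, nor Dynatrace's or OpenShift's) that models, in simplified form, the two runAsUser strategies named in the error: MustRunAsRange for restricted-v2 and MustRunAsNonRoot for nonroot-v2. Admission tries every SCC the service account may use and requires every container, init containers included, to pass, which is why a single injected init container carrying runAsNonRoot: false sinks the whole pod under nonroot-v2. The UID range and the uid 1000 are taken from the error message; the container names, the init container name `injected-init`, the reduced SCC list and the defaulting rules are assumptions of this model, not the real admission plugin.

```python
"""Simplified model of OpenShift SCC admission for the pod in the post.

Added example, not code from the post, from Dynatrace or from OpenShift.
It reimplements just the two runAsUser strategies whose rejections appear in
the error message:
  restricted-v2 -> MustRunAsRange   (uid must fall in the namespace UID range)
  nonroot-v2    -> MustRunAsNonRoot (runAsNonRoot may not be false, uid may not be 0)
Defaulting and validation are simplified from the real admission plugin.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple

# Range copied from the error message in the post; on a real cluster it comes
# from the namespace annotation openshift.io/sa.scc.uid-range.
NS_UID_RANGE = (1001100000, 1001109999)


@dataclass(frozen=True)
class Container:
    name: str
    run_as_user: Optional[int] = None
    run_as_non_root: Optional[bool] = None


@dataclass
class Pod:
    name: str
    init_containers: List[Container] = field(default_factory=list)
    containers: List[Container] = field(default_factory=list)


class MustRunAsRange:
    """restricted-v2: an unset uid is defaulted to the range start, then checked."""

    def __init__(self, lo: int, hi: int):
        self.lo, self.hi = lo, hi

    def default(self, c: Container) -> Container:
        return replace(c, run_as_user=self.lo) if c.run_as_user is None else c

    def validate(self, path: str, c: Container) -> List[str]:
        if not self.lo <= c.run_as_user <= self.hi:
            return [f"{path}.runAsUser: Invalid value: {c.run_as_user}: "
                    f"must be in the ranges: [{self.lo}, {self.hi}]"]
        return []


class MustRunAsNonRoot:
    """nonroot-v2: no uid is assigned; runAsNonRoot defaults to true only when
    neither field is set, and an explicit false or uid 0 is rejected."""

    def default(self, c: Container) -> Container:
        if c.run_as_user is None and c.run_as_non_root is None:
            return replace(c, run_as_non_root=True)
        return c

    def validate(self, path: str, c: Container) -> List[str]:
        if c.run_as_non_root is False:
            return [f"{path}.runAsNonRoot: Invalid value: false: must be true"]
        if c.run_as_user == 0:
            return [f"{path}.runAsUser: Invalid value: 0: running with the root UID is forbidden"]
        return []


def admit(pod: Pod, sccs) -> Tuple[Optional[str], List[str]]:
    """Try each SCC the service account may use, in order. Every container,
    init containers included, must pass; the first SCC with no errors admits."""
    failures: List[str] = []
    for scc_name, strategy in sccs:
        errs: List[str] = []
        for kind, containers in (("initContainers", pod.init_containers),
                                 ("containers", pod.containers)):
            for i, c in enumerate(containers):
                errs += strategy.validate(f".{kind}[{i}]", strategy.default(c))
        if not errs:
            return scc_name, failures
        failures.append(f"provider {scc_name}: " + ", ".join(errs))
    return None, failures


def forbidden_message(pod: Pod, failures: List[str]) -> str:
    return (f'pods "{pod.name}" is forbidden: unable to validate against any '
            f"security context constraint: [{', '.join(failures)}]")


# Constructed inputs mirroring the post: the dashboards image runs as uid 1000;
# the injected init container (placeholder name) carries runAsNonRoot: false.
DASHBOARDS = Container("opensearch-dashboards", run_as_user=1000)
INJECTED_INIT = Container("injected-init", run_as_non_root=False)
SCCS = [("restricted-v2", MustRunAsRange(*NS_UID_RANGE)),
        ("nonroot-v2", MustRunAsNonRoot())]


def with_injection() -> Pod:
    return Pod("hgw-opensearch-dashboards-68f76b89d7-", [INJECTED_INIT], [DASHBOARDS])


def without_injection() -> Pod:
    """The 'hack' from the post: monitoring injection disabled, no init container."""
    return Pod("hgw-opensearch-dashboards-68f76b89d7-", [], [DASHBOARDS])


if __name__ == "__main__":
    for pod in (with_injection(), without_injection()):
        scc, failures = admit(pod, SCCS)
        print(f"admitted by {scc}" if scc else forbidden_message(pod, failures))
```

Running it reproduces the two provider errors from the post for the injected pod and shows that, once the init container is gone, nonroot-v2 admits the pod even though restricted-v2 still rejects uid 1000 as outside the namespace range. On a live cluster the equivalent check is reading the SCC the pod actually landed on (`oc get pod <name> -o yaml | grep scc:`) and comparing the init container's securityContext against that SCC's runAsUser strategy.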


PacoPorro
Dynatrace Leader

Can you provide the output from 

oc get scc dynatrace-webhook


Looks to me the opensearch dashboards have their own SCC. 
Please check https://docs.dynatrace.com/docs/shortlink/openshift-configuration#code-module-injection-for-applicat...

FYI

  • works fine with scc restricted-v2
  • KO with scc nonroot-v2 because of runAsNonRoot value is "false" 

Is this what you are after:

oc get deployment hgw-opensearch-dashboards -o yaml | grep scc:
    openshift.io/scc: nonroot-v2

oc get pod/dynatrace-webhook-1111857d9c-11111 -o yaml | grep scc:
    openshift.io/scc: nonroot-v2

Checking your link, thanks.

Thanks for input.

https://docs.dynatrace.com/docs/shortlink/installation-openshift-operatorhub#limitations says, for installation from OperatorHub (our option): Application observability cannot be installed with CSI driver.

Also, I fail to see why CSI is involved in the question.
