OpenShift Dynatrace operator 1.5.1: app-mon pod fail to start for runAsUser 1001 not allowed

gilles_tabary
Mentor

Hi all.

We are on Managed.

We are testing app-monitoring in OpenShift with Dynatrace OpenShift operator 1.5.1: https://docs.dynatrace.com/docs/whats-new/dynatrace-operator/dto-fix-1-5-1 (the requirements are satisfied: Cluster v1.312.51 + AG v1.311 + OA v1.311.72).

When a deployment tries to start a replica set we get this error: runAsUser 1001 not allowed, must be in the range [1001060000, 1001069999].

30s Warning FailedCreate replicaset/x0m-56854c4ffd Error creating: pods "x0m-56854c4ffd-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[1].runAsUser: Invalid value: 1001: must be in the ranges: [1001060000, 1001069999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

AFAIU the Dynatrace Operator should not try to assign a user ID for its OneAgent agent / code module, because OpenShift handles the assignment automatically. OpenShift doc @ security-context-constraints-example.

Any feedback from someone on that?

Regards.


yanezza
Dynatrace Pro

Hi,
this should be investigated in a support ticket. Also attach a support archive and information regarding the OpenShift version.

Yanez Diego Parolin

gilles_tabary
Mentor

Could it be that setting a runAsUser value at https://github.com/Dynatrace/dynatrace-operator/blob/main/pkg/webhook/mutation/pod/v2/init.go#L75 is interfering with the default OpenShift automatic uid assignment? Doc 15.2. About pre-allocated security context constraints values.

(Yes we have a ticket open :-))

shahinm
Dynatrace Helper

Hi there,

This is a known issue, and a fix is in progress.

While we are working on a fix, apply one of the following changes to work around the problem:

  • add spec.securityContext.runAsUser (or runAsGroup) on the pod level; a valid ID value can be found in the app namespace's annotations:

kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.supplemental-groups: 1000660000/10000
    openshift.io/sa.scc.uid-range: 1000660000/10000

  • add the nonroot-v2 SCC to the ServiceAccount:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <app namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:nonroot-v2
subjects:
- kind: ServiceAccount
  name: <app ServiceAccount>
  namespace: <app namespace>

Regards
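As an added illustration of the admission failure discussed in this thread (example code, not from the thread or from the Dynatrace operator): the check below parses the namespace's openshift.io/sa.scc.uid-range annotation ("start/size") and reports, in the style of the restricted-v2 SCC, any container or init container whose effective runAsUser falls outside that range. The pod specs and the range value are constructed samples; the range is the one quoted in the error message above.

```python
from typing import Optional, Tuple

def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """'start/size' (the openshift.io/sa.scc.uid-range format) -> inclusive (low, high)."""
    start_s, size_s = annotation.strip().split("/")
    start, size = int(start_s), int(size_s)
    if size <= 0:
        raise ValueError(f"invalid uid-range size in {annotation!r}")
    return start, start + size - 1

def effective_run_as_user(pod_spec: dict, container: dict) -> Optional[int]:
    """A container-level securityContext.runAsUser overrides the pod-level one."""
    for scope in (container, pod_spec):
        uid = scope.get("securityContext", {}).get("runAsUser")
        if uid is not None:
            return uid
    return None  # unset: OpenShift pre-allocates a uid from the range, so it admits

def check_pod_against_uid_range(pod_spec: dict, annotation: str) -> list:
    """Return restricted-v2-style findings; an empty list means the pod would admit."""
    low, high = parse_uid_range(annotation)
    findings = []
    for field in ("initContainers", "containers"):
        for idx, ctr in enumerate(pod_spec.get(field, [])):
            uid = effective_run_as_user(pod_spec, ctr)
            if uid is not None and not (low <= uid <= high):
                findings.append(f".{field}[{idx}].runAsUser: Invalid value: {uid}: "
                                f"must be in the ranges: [{low}, {high}]")
    return findings

# Constructed sample: the injected init container sits at index 1 and hard-codes uid 1001.
FAILING_POD = {
    "initContainers": [{"name": "app-init"},
                       {"name": "install-oneagent", "securityContext": {"runAsUser": 1001}}],
    "containers": [{"name": "app"}],
}
# Workaround 1 from the reply above: a pod-level runAsUser taken from the namespace range,
# with no container overriding it (constructed sample).
FIXED_POD = {
    "securityContext": {"runAsUser": 1001060000},
    "initContainers": [{"name": "app-init"}, {"name": "install-oneagent"}],
    "containers": [{"name": "app"}],
}
NAMESPACE_RANGE = "1001060000/10000"  # the range quoted in the error message in this thread

if __name__ == "__main__":
    for finding in check_pod_against_uid_range(FAILING_POD, NAMESPACE_RANGE):
        print(finding)
    print("fixed pod findings:", check_pod_against_uid_range(FIXED_POD, NAMESPACE_RANGE))
```

Run it against the real values with oc get namespace <app namespace> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}' to confirm which range your namespace was allocated before choosing a pod-level uid.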
