RedHat-EMEA-SSA-Team/hetzner-ocp4

Additional NFS Storage Class on my Hetzner Server - PodSecurity

Closed this issue · 2 comments

Hi,

I need a second storage class on my Hetzner. I did set up an additional NFS export etc. according to this article:
https://two-oes.medium.com/working-with-nfs-as-a-storageclass-in-openshift-4-44367576771c

I remember before OCP 4.8 or 4.9 this was working without putting in additional work.

After creating my storage class I get errors when setting up my nfs-client-provisioner.
```
oc create -f deploy/deployment.yaml
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nfs-client-provisioner" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nfs-client-provisioner" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "nfs-client-root" uses restricted volume type "nfs"), runAsNonRoot != true (pod or container "nfs-client-provisioner" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nfs-client-provisioner" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

The pods are running, but when creating a PVC, for example, it runs into a timeout... Before reading all the docs on the PodSecurity stuff, maybe any brief hint on what I might do? It is allowed to be quick and dirty :)

Creating a PVC, the PVC will be in a pending state forever with this message:

```
13s Normal ExternalProvisioning persistentvolumeclaim/test02 Waiting for a volume to be created either by the external provisioner 'storage.io/nfs' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
```

Thanks

Attachments: deployment.txt, class.txt

Hi, nobody any clue? Maybe @rbo

In the storage class created above, change the parameters! Otherwise you cannot create any PVC due to the empty strings.

```yaml
parameters:
  pathPattern: "${.PVC.namespace}/${.PVC.annotations.nfs.io/storage-path}" # waits for the nfs.io/storage-path annotation; if it is not specified, an empty string is accepted
  onDelete: delete
```
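To see which of the five findings in the PodSecurity warning quoted above a securityContext change actually clears, here is an added example that is not from this issue or the hetzner-ocp4 project: it re-implements those restricted-profile checks in simplified form (not the admission plugin itself), and the pod template, image name and NFS server in it are constructed placeholders.

```python
"""Offline check of a pod spec against the PodSecurity "restricted" rules quoted above.
Added example: a simplified re-implementation of those checks, not the admission
plugin; the sample spec below is constructed, not the file attached to the issue."""
import copy

# Volume types the restricted profile allows; every other type (nfs, hostPath, ...) fails.
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir",
                           "ephemeral", "persistentVolumeClaim", "projected", "secret"}


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return one message per restricted-profile rule the pod spec breaks."""
    issues = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            issues.append(f"allowPrivilegeEscalation != false ({name})")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            issues.append(f"unrestricted capabilities ({name})")
        # runAsNonRoot and seccompProfile may be set on the pod or on the container.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            issues.append(f"runAsNonRoot != true ({name})")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            issues.append(f"seccompProfile ({name})")
    for v in pod_spec.get("volumes", []):
        for kind in (k for k in v if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                issues.append(f"restricted volume types ({v['name']} uses {kind})")
    return issues


def harden(pod_spec: dict) -> dict:
    """Add the securityContext fields the warning asks for; the nfs volume stays as is."""
    spec = copy.deepcopy(pod_spec)
    spec["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec["containers"]:
        c["securityContext"] = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
    return spec


# Constructed pod template resembling an nfs-client-provisioner Deployment (placeholder image).
WEAK_SPEC = {
    "containers": [{"name": "nfs-client-provisioner", "image": "registry.example/nfs-provisioner"}],
    "volumes": [{"name": "nfs-client-root", "nfs": {"server": "192.0.2.10", "path": "/export"}}],
}

if __name__ == "__main__":
    print(restricted_violations(WEAK_SPEC))          # five findings, as in the warning above
    print(restricted_violations(harden(WEAK_SPEC)))  # only the nfs volume type remains
```

The nfs volume finding cannot be cleared from the pod spec at all: it needs the provisioner's namespace to run at a less restrictive PodSecurity level (set via the `pod-security.kubernetes.io/enforce` namespace label), which is a cluster-admin decision. Whether the provisioner still works with runAsNonRoot also depends on the permissions of the NFS export itself.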