nginxinc/nginx-ingress-helm-operator

Error creating: pods "nginxingress-sample-nginx-ingress-controller" is forbidden: unable to validate against any security context constraint

andresm53 opened this issue · 1 comment

Describe the bug
Environment: OpenShift 4.12.14. I installed the Operator from "Operators Hub", then applied the SCC, and then created an ingress controller as per https://github.com/nginxinc/nginx-ingress-helm-operator#getting-started. However, the ingress pods won't start and I see this error in the replicas log:

Error creating: pods "nginxingress-sample-nginx-ingress-controller-7d69d8bb5-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added, spec.containers[0].securityContext.runAsUser: Invalid value: 101: must be in the ranges: [1001010000, 1001019999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the NGINX Ingress Operator from OpenShift's Operators Hub.
  2. Apply SCC as per point number 3 in https://github.com/nginxinc/nginx-ingress-helm-operator#getting-started
  3. Create an ingress controller following this example https://github.com/nginxinc/nginx-ingress-helm-operator/blob/main/config/samples/charts_v1alpha1_nginxingress.yaml
  4. See error above in the replicas logs.

Expected behavior
Ingress controller pods running successfully.

Your environment

  • Version of the NGINX Ingress Operator: 1.4.2
  • Version of the Ingress Controller: 1.4.2
  • Version of Kubernetes: OpenShift 4.12.14
  • Kubernetes platform (e.g. Mini-kube or GCP)
  • Using NGINX or NGINX Plus: Nginx

I was able to fix the issue by adding this to the SCC:

allowedCapabilities:
  - NET_BIND_SERVICE

I also noticed that the image tag 3.1.0-ubi (for the ingress controller) doesn't start with these errors (even with the fixed SCC):

I0530 20:26:47.364242 1 flags.go:294] Starting with flags: ["-nginx-plus=false" "-nginx-reload-timeout=60000" "-enable-app-protect=false" "-enable-app-protect-dos=false" "-nginx-configmaps=nginx-ingress/nginxingress-sample-nginx-ingress" "-ingress-class=nginx" "-health-status=false" "-health-status-uri=/nginx-health" "-nginx-debug=false" "-v=1" "-nginx-status=true" "-nginx-status-port=8080" "-nginx-status-allow-cidrs=127.0.0.1" "-report-ingress-status" "-enable-leader-election=true" "-leader-election-lock-name=nginxingress-sample-nginx-ingress-leader-election" "-enable-prometheus-metrics=true" "-prometheus-metrics-listen-port=9113" "-prometheus-tls-secret=" "-enable-service-insight=false" "-service-insight-listen-port=9114" "-service-insight-tls-secret=" "-enable-custom-resources=true" "-enable-snippets=false" "-include-year=false" "-disable-ipv6=false" "-enable-tls-passthrough=false" "-enable-preview-policies=false" "-enable-cert-manager=false" "-enable-oidc=false" "-enable-external-dns=false" "-rea...
I0530 20:26:47.372889 1 main.go:234] Kubernetes version: 1.25.8
I0530 20:26:47.377367 1 main.go:380] Using nginx version: nginx/1.23.3
I0530 20:26:47.390377 1 main.go:776] Pod label updated: nginxingress-sample-nginx-ingress-controller-p9q4j
2023/05/30 20:26:47 [emerg] 14#14: bind() to 0.0.0.0:80 failed (13: Permission denied)

But the image tag 3.1.1-ubi works OK (but, as I mentioned above, it requires NET_BIND_SERVICE in the SCC).
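The admission error quoted in the report lists, per SCC provider, every field of the pod's securityContext that the SCC rejects. The following is an added example (written for this page, not code from the operator, OpenShift or the issue author) that models the two checks visible in that error, the `allowedCapabilities` list and the `runAsUser` strategy, and runs them against a constructed pod spec that mirrors the controller pod (runAsUser 101, adds NET_BIND_SERVICE). The SCC objects and the name `nginx-ingress-scc` are constructed for illustration; the UID range is the one printed in the error. It also includes the Linux rule that makes the `bind() to 0.0.0.0:80 failed (13: Permission denied)` line intelligible: a non-root process cannot bind a port below 1024 without CAP_NET_BIND_SERVICE.

```python
"""Toy model of two OpenShift SCC admission checks (constructed example, not
OpenShift's or the operator's code). Only allowedCapabilities and the runAsUser
strategy are modelled; defaultAddCapabilities, SELinux, fsGroup etc. are omitted."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SCC:
    name: str
    allowed_capabilities: List[str] = field(default_factory=list)
    # One of: "MustRunAs", "MustRunAsRange", "MustRunAsNonRoot", "RunAsAny"
    run_as_user_type: str = "MustRunAsRange"
    uid: Optional[int] = None            # used by MustRunAs
    uid_range_min: Optional[int] = None  # used by MustRunAsRange
    uid_range_max: Optional[int] = None


def validate(pod_run_as_user: int, pod_added_caps: List[str], scc: SCC) -> List[str]:
    """Return the violations the SCC would report; an empty list means admitted."""
    errors: List[str] = []

    # allowedCapabilities: every capability the pod adds must be listed ("*" allows any).
    if "*" not in scc.allowed_capabilities:
        for cap in pod_added_caps:
            if cap not in scc.allowed_capabilities:
                errors.append(
                    f'securityContext.capabilities.add: Invalid value: "{cap}": '
                    "capability may not be added"
                )

    # runAsUser strategy.
    strategy = scc.run_as_user_type
    if strategy == "MustRunAs" and pod_run_as_user != scc.uid:
        errors.append(
            f"securityContext.runAsUser: Invalid value: {pod_run_as_user}: must be: {scc.uid}"
        )
    elif strategy == "MustRunAsRange" and not (
        scc.uid_range_min <= pod_run_as_user <= scc.uid_range_max
    ):
        errors.append(
            f"securityContext.runAsUser: Invalid value: {pod_run_as_user}: "
            f"must be in the ranges: [{scc.uid_range_min}, {scc.uid_range_max}]"
        )
    elif strategy == "MustRunAsNonRoot" and pod_run_as_user == 0:
        errors.append("securityContext.runAsUser: Invalid value: 0: must be non-root")
    return errors


def bind_allowed(port: int, uid: int, effective_caps: List[str]) -> bool:
    """Linux default (net.ipv4.ip_unprivileged_port_start = 1024): ports below 1024
    need root or CAP_NET_BIND_SERVICE. This is what nginx's bind() on :80 runs into."""
    return port >= 1024 or uid == 0 or "NET_BIND_SERVICE" in effective_caps


# Constructed pod settings that mirror the controller pod in the error message.
POD_UID = 101
POD_CAPS = ["NET_BIND_SERVICE"]

# Constructed SCC resembling the namespace-scoped "restricted" provider:
# no extra capabilities, UID must fall in the project's allocated range.
RESTRICTED_LIKE = SCC(
    name="restricted",
    run_as_user_type="MustRunAsRange",
    uid_range_min=1001010000,
    uid_range_max=1001019999,
)

# Constructed SCC that pins the UID the image runs as but forgets the capability.
PINNED_UID_NO_CAPS = SCC(name="nginx-ingress-scc", run_as_user_type="MustRunAs", uid=101)

# Constructed SCC with the fix from the report: NET_BIND_SERVICE in allowedCapabilities.
FIXED = SCC(
    name="nginx-ingress-scc",
    allowed_capabilities=["NET_BIND_SERVICE"],
    run_as_user_type="MustRunAs",
    uid=101,
)


def scenarios() -> dict:
    """Violation count per constructed SCC for the constructed pod settings."""
    return {
        scc.name + ":" + scc.run_as_user_type: len(validate(POD_UID, POD_CAPS, scc))
        for scc in (RESTRICTED_LIKE, PINNED_UID_NO_CAPS, FIXED)
    }


if __name__ == "__main__":
    for scc in (RESTRICTED_LIKE, PINNED_UID_NO_CAPS, FIXED):
        print(f'provider "{scc.name}" ({scc.run_as_user_type}):')
        for err in validate(POD_UID, POD_CAPS, scc) or ["admitted"]:
            print("  ", err)
    print("bind :80 as uid 101 without cap:", bind_allowed(80, POD_UID, []))
    print("bind :80 as uid 101 with cap:   ", bind_allowed(80, POD_UID, POD_CAPS))
```

Run against the constructed pod settings, the restricted-like SCC yields the same two complaints as the quoted error (capability not addable, UID 101 outside the project range), the pinned-UID SCC without `allowedCapabilities` yields only the capability complaint, and the SCC with `allowedCapabilities: [NET_BIND_SERVICE]` admits the pod. `bind_allowed` shows why a controller listening on :80 as UID 101 needs that capability at runtime as well as at admission.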