
hasbro17 commented on June 14, 2024

@rawipfel Can you check if, in your example, the Vault Deployment has been created by the vault-operator? If yes, then it's an issue with the restricted SCC rejecting the Vault Deployment pods.

Currently the vault-operator configures Vault containers with the IPC_LOCK capability.
https://github.com/coreos/vault-operator/blob/master/pkg/util/k8sutil/vault.go#L167-L173

The restricted SCC does not allow pods with this capability. If you check the Deployment status for the example Vault deployment you should be able to see the pods being rejected.

Can you try updating the restricted SCC to grant it the IPC_LOCK capability and then try again:

kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: restricted
  ...
allowedCapabilities:
- IPC_LOCK
...

However, this is just a workaround since changing the restricted SCC is not a good idea.

A more proper solution to this issue is to either:
a) Remove the need for IPC_LOCK #311 but that needs more thought.
b) Be able to configure service accounts for the vault pods via the VaultService CR's spec.PodPolicy so that they can use a dedicated service account and SCC that allows the IPC_LOCK capability.

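Added example (not from the vault-operator project or either commenter): a dedicated SCC that grants only IPC_LOCK to one service account, which is the shape option (b) above describes, instead of widening the shared restricted SCC. Assumptions: the namespace is myproject (as in this thread), the Vault pods run as a hypothetical service account named vault (which needs the spec.PodPolicy support from option (b)), and OpenShift 3.x-era SCC field names.

```yaml
# Added example, not vault-operator code. Dedicated SCC for Vault pods only.
# Assumes namespace "myproject" and a hypothetical service account "vault".
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: vault-ipc-lock
# Higher priority than restricted (which has none) so admission picks this
# SCC for pods running as the listed service account.
priority: 10
# Scope: only this service account may use the SCC; all other pods in the
# cluster keep being admitted against restricted.
users:
- system:serviceaccount:myproject:vault
groups: []
# The single addition over restricted: Vault's mlock() needs CAP_IPC_LOCK.
allowedCapabilities:
- IPC_LOCK
# Everything else stays as tight as restricted.
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
```

Create it with `oc create -f` and, once a Vault pod is admitted, `oc get pod <pod> -o yaml` shows which SCC was applied in the `openshift.io/scc` annotation, so you can confirm it was this one rather than a modified restricted.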

rawipfel commented on June 14, 2024

Thanks @hasbro17 that was the problem, the Vault Deployment example wasn't working:

Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get pod
NAME                              READY     STATUS    RESTARTS   AGE
etcd-operator-7bf6b58cdf-rs9vf    3/3       Running   0          12m
example-etcd-2cvxzp5hzk           1/1       Running   0          11m
example-etcd-89smzphhnl           1/1       Running   0          11m
example-etcd-w8v4mdjcxh           1/1       Running   0          12m
vault-operator-67d5846657-82bwp   1/1       Running   0          12m
Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get deploy
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
etcd-operator    1         1         1            1           12m
example          2         0         0            0           11m
vault-operator   1         1         1            1           12m

This is my entire startup script, which is now working after allowing IPC_LOCK:

Roberts-MacBook-Pro:Desktop rwipfel$ cat runVault.sh
set -x
oc login -u system:admin
oc patch scc restricted -p '{"fsGroup":{"type":"RunAsAny"}}'
oc patch scc restricted -p '{"runAsUser":{"type":"RunAsAny"}}'
oc patch scc restricted -p '{"allowedCapabilities":["IPC_LOCK"]}'
cd ~/git/etcd-operator/
example/rbac/create_role.sh --namespace=myproject
cd ~/git/vault-operator/
sed -e 's/<namespace>/myproject/g' \
    -e 's/<service-account>/default/g' \
    example/rbac-template.yaml > example/rbac.yaml
kubectl create -f example/rbac.yaml
kubectl create -f example/etcd_crds.yaml
kubectl create -f example/etcd-operator-deploy.yaml
kubectl create -f example/vault_crd.yaml
kubectl create -f example/deployment.yaml
sleep 5 && kubectl get deploy
kubectl create -f example/example_vault.yaml
sleep 5 && kubectl get pods

Many thanks, it's working now :)

Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get pods
NAME                              READY     STATUS    RESTARTS   AGE
etcd-operator-7bf6b58cdf-xf6xp    3/3       Running   0          2m
example-5f68dbcdf4-29jqf          1/2       Running   0          55s
example-5f68dbcdf4-l9glp          1/2       Running   0          55s
example-etcd-2vcphl4hkr           1/1       Running   0          1m
example-etcd-7wn782cn29           1/1       Running   0          1m
example-etcd-cb8kqnjrpz           1/1       Running   0          1m
vault-operator-67d5846657-mhq6q   1/1       Running   0          1m

I guess #311 is a question of demo/dev/eval vs. production deployment. It seems reasonable to document the workaround for demo/dev/eval, but require IPC_LOCK by default for secure production deployments. Agree that changing the restricted SCC isn't a good idea, and maybe there will be other reasons for configurable service accounts in future...


rawipfel commented on June 14, 2024

Hi @hasbro17, I will submit a PR to update the README with a description of the above workaround, if that's an acceptable way to resolve this, please lmk...
