Comments (3)
@rawipfel Can you check if, in your example, the Vault Deployment has been created by the vault-operator? If yes, then it's an issue with the restricted SCC rejecting the Vault Deployment pods.
Currently the vault-operator configures Vault containers with the IPC_LOCK capability:
https://github.com/coreos/vault-operator/blob/master/pkg/util/k8sutil/vault.go#L167-L173
The restricted SCC does not allow pods with this capability. If you check the Deployment status for the example Vault deployment you should be able to see the pods being rejected.
Can you try updating the restricted SCC to grant it the IPC_LOCK capability and then try again:
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: restricted
...
allowedCapabilities:
- IPC_LOCK
...
However, this is just a workaround, since changing the restricted SCC is not a good idea.
A more proper solution to this issue is to either:
a) Remove the need for IPC_LOCK (#311), but that needs more thought.
b) Be able to configure service accounts for the vault pods via the VaultService CR's spec.PodPolicy, so that they can use a dedicated service account and SCC that allows the IPC_LOCK capability.
from vault-operator.
Thanks @hasbro17, that was the problem, the Vault Deployment example wasn't working:
Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get pod
NAME                              READY   STATUS    RESTARTS   AGE
etcd-operator-7bf6b58cdf-rs9vf    3/3     Running   0          12m
example-etcd-2cvxzp5hzk           1/1     Running   0          11m
example-etcd-89smzphhnl           1/1     Running   0          11m
example-etcd-w8v4mdjcxh           1/1     Running   0          12m
vault-operator-67d5846657-82bwp   1/1     Running   0          12m
Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get deploy
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
etcd-operator    1         1         1            1           12m
example          2         0         0            0           11m
vault-operator   1         1         1            1           12m
This is my entire startup script, which is now working after allowing IPC_LOCK:
Roberts-MacBook-Pro:Desktop rwipfel$ cat runVault.sh
set -x
oc login -u system:admin
oc patch scc restricted -p '{"fsGroup":{"type":"RunAsAny"}}'
oc patch scc restricted -p '{"runAsUser":{"type":"RunAsAny"}}'
oc patch scc restricted -p '{"allowedCapabilities":["IPC_LOCK"]}'
cd ~/git/etcd-operator/
example/rbac/create_role.sh --namespace=myproject
cd ~/git/vault-operator/
sed -e 's/<namespace>/myproject/g' \
-e 's/<service-account>/default/g' \
example/rbac-template.yaml > example/rbac.yaml
kubectl create -f example/rbac.yaml
kubectl create -f example/etcd_crds.yaml
kubectl create -f example/etcd-operator-deploy.yaml
kubectl create -f example/vault_crd.yaml
kubectl create -f example/deployment.yaml
sleep 5 && kubectl get deploy
kubectl create -f example/example_vault.yaml
sleep 5 && kubectl get pods
Many thanks, it's working now :)
Roberts-MacBook-Pro:Desktop rwipfel$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
etcd-operator-7bf6b58cdf-xf6xp    3/3     Running   0          2m
example-5f68dbcdf4-29jqf          1/2     Running   0          55s
example-5f68dbcdf4-l9glp          1/2     Running   0          55s
example-etcd-2vcphl4hkr           1/1     Running   0          1m
example-etcd-7wn782cn29           1/1     Running   0          1m
example-etcd-cb8kqnjrpz           1/1     Running   0          1m
vault-operator-67d5846657-mhq6q   1/1     Running   0          1m
I guess #311 is a question of demo/dev/eval vs. production deployment. It seems reasonable to document the workaround for demo/dev/eval, but require IPC_LOCK by default for secure production deployments. Agree that changing the restricted SCC isn't a good idea, and maybe there will be other reasons for configurable service accounts in future...
from vault-operator.
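As an added example (not code from this thread or from vault-operator), the following audit flags the three changes the startup script above applies to the `restricted` SCC (fsGroup, runAsUser, allowedCapabilities) and builds the dedicated-SCC alternative from option (b), bound to a single service account. The SCC name `vault-ipc-lock`, the namespace and service-account values, and the sample SCC object are assumptions.

```python
"""Audit an OpenShift SCC for widening and build a dedicated Vault SCC.
Added example, not vault-operator code; input mirrors `oc get scc -o json`."""
import json

# Fields the thread's three patches change on `restricted`, with their defaults.
RESTRICTED_BASELINE = {"runAsUser": "MustRunAsRange", "fsGroup": "MustRunAs"}


def restricted_scc_drift(scc):
    """Return findings where `restricted` has been widened from its defaults."""
    findings = []
    for field, expected in RESTRICTED_BASELINE.items():
        actual = (scc.get(field) or {}).get("type")
        if actual != expected:
            findings.append(f"{field}.type is {actual!r}, expected {expected!r}")
    for cap in scc.get("allowedCapabilities") or []:
        findings.append(f"allowedCapabilities grants {cap}")
    return findings


def dedicated_vault_scc(namespace, service_account, name="vault-ipc-lock"):
    """Build an SCC (name assumed) bound to one service account that adds
    only IPC_LOCK on top of restricted-style defaults."""
    return {
        "kind": "SecurityContextConstraints",
        "apiVersion": "security.openshift.io/v1",
        "metadata": {"name": name},
        "allowedCapabilities": ["IPC_LOCK"],
        "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
        "allowPrivilegedContainer": False,
        "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
        # Keep restricted's user/group policy; relax it here, not on restricted,
        # if the Vault pod turns out to need RunAsAny.
        "runAsUser": {"type": "MustRunAsRange"},
        "fsGroup": {"type": "MustRunAs"},
        "seLinuxContext": {"type": "MustRunAs"},
        "users": [f"system:serviceaccount:{namespace}:{service_account}"],
        "groups": [],
    }


# Constructed sample: `restricted` as left by the thread's startup script.
PATCHED_RESTRICTED = json.loads('{"metadata": {"name": "restricted"}, '
    '"allowedCapabilities": ["IPC_LOCK"], "runAsUser": {"type": "RunAsAny"}, '
    '"fsGroup": {"type": "RunAsAny"}}')

if __name__ == "__main__":
    for finding in restricted_scc_drift(PATCHED_RESTRICTED):
        print("restricted SCC widened:", finding)
    print(json.dumps(dedicated_vault_scc("myproject", "vault"), indent=2))
```

Feed the audit with `oc get scc restricted -o json` to confirm the demo-only patches have not leaked into a production cluster.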
Hi @hasbro17, I will submit a PR to update the README with a description of the above workaround, if that's an acceptable way to resolve this, please lmk...
from vault-operator.