I have been running AWX Operator in my production Kubernetes (k8s, non-OpenShift) cluster. I am using Helm to deploy it. My Helm chart is version 2.11 and has been customized to pull images from our private repo. I set up an override file with all my values and everything is working as expected.
Now, I have taken the same chart and override file and applied them to our OpenShift cluster in our development environment. This is where I am running into issues because OpenShift is enforcing security. My awx-web and awx-task pods fail to start up and I get the error message:
```
pods "awx-web-645b9f94f8-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{0}: 0 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999], provider restricted-v2: .containers[1].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999], provider restricted-v2: .containers[2].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999]
pods "awx-task-6bdcd9d8d7-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{0}: 0 is not an allowed group, provider restricted v2: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999], provider restricted-v2: .containers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999], provider restricted-v2: .containers[1].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999], provider restricted-v2: .containers[2].runAsUser: Invalid value: 0: must be in the ranges: [1000770000, 1000779999]
```
I found a post on GitHub that references setting container security. It also provided an example.
OK, so I tried setting security by adding the values to my override file. That seems to at least allow my pods to start up, but then they go into a backoff state. When I review the logs I see:
```
EP_WARN: uid 1000770000 is missing from /etc/passwd, which is not writable; this error is likely fatal [dumb-init] /usr/bin/launch_awx_web.sh: No such file or directory
```
This is my override file I am applying:
Note the three lines that say ## added for dev environment. This is the only difference from my production override file.
```yaml
AWX:
  # enable use of awx-deploy template
  enabled: true
  name: awx
  spec:
    replicas: 1
    service_type: NodePort
    #nodeport_port: 30080
    admin_user: admin
    hostname: awx.gdev.org
    image: gdev-podman1.gdev.org:8443/localadm/awx/awx-ee
    image_version: 23.7.0
    init_container_image: gdev-podman1.gdev.org:8443/localadm/awx/awx-ee
    init_container_image_version: 23.7.0
    ee_images:
      - name: AWX EE
        image: gdev-podman1.gdev.org:8443/localadm/awx/awx-ee:23.7.0
    ee_extra_env: |
      - name: RECEPTOR_KUBE_SUPPORT_RECONNECT
        value: enabled
    security_context_settings: ## added for dev environment
      runAsUser: 1000770000 ## added for dev environment
      runAsGroup: 1000770000 ## added for dev environment
    postgres_image: gdev-podman1.gdev.org:8443/localadm/awx/postgres
    postgres_image_version: "13"
    postgres_selector: |
      nodefor: psql
    control_plane_ee_image: gdev-podman1.gdev.org:8443/localadm/awx/awx-ee:23.7.0
    redis_image: gdev-podman1.gdev.org:8443/localadm/awx/redis
    redis_image_version: "7"
  customVolumes:
    postgres:
      enabled: true
      hostPath: /var/lib/postgresql
      size: 8Gi
      storageClassName: nfs-sc
    projects:
      enabled: true
      hostPath: /opt/projects/data
      size: 15Gi
```
How do I get my pods to run using security context?
I am at a loss here.
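As an added example (not from the post above, and not AWX Operator or OpenShift code), here is a small pre-flight check that applies the same rules the restricted-v2 SCC enforced in the errors quoted earlier to a rendered pod spec: explicit UID 0 or fsGroup 0 is rejected, and every init container and container must run inside the namespace UID range. The pod spec and the assumption that fsGroup must fall in the same range as the UIDs are constructed for illustration.

```python
"""Pre-flight check of a pod spec against an OpenShift SCC-style UID range."""
from typing import Dict, List, Tuple

# Constructed sample inputs: the range is the one quoted in the SCC error
# message; the pod spec mirrors the shape of what the operator renders.
UID_RANGE: Tuple[int, int] = (1000770000, 1000779999)

POD_SPEC: Dict = {
    "securityContext": {"fsGroup": 0},
    "initContainers": [{"name": "init", "securityContext": {"runAsUser": 0}}],
    "containers": [
        {"name": "redis", "securityContext": {"runAsUser": 0}},
        {"name": "awx-web", "securityContext": {"runAsUser": 1000770000}},
    ],
}


def validate_pod(spec: Dict, uid_range: Tuple[int, int]) -> List[str]:
    """Return violations phrased like the SCC error message (empty = admitted)."""
    lo, hi = uid_range
    problems: List[str] = []

    # Assumption: the fsGroup range equals the UID range (common default when
    # the namespace supplemental-groups annotation mirrors the UID annotation).
    # An explicit 0 (root) is never inside an assigned range.
    fs_group = spec.get("securityContext", {}).get("fsGroup")
    if fs_group is not None and not lo <= fs_group <= hi:
        problems.append(f".spec.securityContext.fsGroup: {fs_group} is not an allowed group")

    # Init containers and regular containers are each checked individually.
    for field in ("initContainers", "containers"):
        for idx, ctr in enumerate(spec.get(field, [])):
            uid = ctr.get("securityContext", {}).get("runAsUser")
            if uid is None:
                continue  # left unset, the SCC assigns a UID from the range
            if not lo <= uid <= hi:
                problems.append(
                    f".{field}[{idx}].runAsUser: {uid}: must be in the range [{lo}, {hi}]"
                )
    return problems


if __name__ == "__main__":
    for line in validate_pod(POD_SPEC, UID_RANGE):
        print(line)
```

Running it against a spec that leaves runAsUser and fsGroup unset, or sets them inside the range, returns an empty list, which is the state the override file needs to reach before the image's own /etc/passwd handling becomes the next question.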