Bug 1667676

Summary: Unable to deploy application in Openshift
Product: OpenShift Container Platform Reporter: Sudarshan Chaudhari <suchaudh>
Component: apiserver-authAssignee: Standa Laznicka <slaznick>
Status: CLOSED WORKSFORME QA Contact: Chuan Yu <chuyu>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.1.0CC: aos-bugs, erich, evb, jokerman, mfojtik, mjahangi, mmccomas, rkshirsa, slaznick, suchaudh, tnozicka, yinzhou
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-29 13:58:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1664187    
Attachments:
Description Flags
yaml and logs from controller-manager none

Description Sudarshan Chaudhari 2019-01-19 17:40:28 UTC 
Description of problem:

Event:
~~~
9m          9m           1         app-test.157b4f94f761135f           DeploymentConfig                                            Warning   FailedRetry         deployer-controller                                   Stop retrying: couldn't create deployer pod for "test3/app-test-1": pods "app-test-1-deploy" is forbidden: unable to validate against any security context constraint: []
3m          12m          25        app-test.157b4f6ea60ef2d7           DeploymentConfig                                            Warning   FailedCreate        deployer-controller                                   Error creating deployer pod: pods "app-test-1-deploy" is forbidden: unable to validate against any security context constraint: []
1m          1m           1         app-test.157b5001592b0c17           DeploymentConfig                                            Warning   RolloutTimeout      deployer-controller                                   Rollout for "test3/app-test-1" failed to create deployer pod (timeoutSeconds: 600s)
~~~


Version-Release number of selected component (if applicable):

# oc version
oc v4.0.0-0.125.0
kubernetes v1.11.0+406fc897d8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp4.example.com:6443
kubernetes v1.11.0+c69f926354


How reproducible:

Everytime trying to deploy php app

Steps to Reproduce:
1. Create a project using the command:

# oc new-app --name=app-test php~https://github.com/sudarshan-uc/ab-deploy.git


Actual results:
The deployer pod is not getting created

Expected results:

The deployment should have been completed

Additional info:

Adding the complete events and scc yaml.

Also tried to deploy other app such as Python, Ruby, php
Comment 1 Tomáš Nožička 2019-01-21 09:49:33 UTC 
please follow this doc to gather the required information https://docs.google.com/document/d/13YIo4z8r2U5h03cwJVADALHN_dYT0Odp7rgvnUo3TdE/edit?usp=sharing
Comment 2 zhou ying 2019-01-23 05:56:57 UTC 
Created attachment 1522573 [details]
yaml and logs from controller-manager
Comment 3 zhou ying 2019-01-23 06:02:33 UTC 
I can reproduce the issue with my env run after one day: 
Cluster version is 4.0.0-0.nightly-2019-01-18-115403

Even I run command `oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json` will met error: Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json": pods "hello-openshift" is forbidden: unable to validate against any security context constraint: []
Comment 5 Sudarshan Chaudhari 2019-01-23 06:10:01 UTC 
Created attachment 1522578 [details]
Complete scc from cluster
Comment 6 Rutvik 2019-01-29 08:19:18 UTC 
Hello Team,

I have also seen a similar issue(events) when I tried to deploy Quay deployment which requires "anyuid" scc to deploy the pods on openshift cluster. It always prompt that, scc has been attached to x:y:z system:service account, but it is not reflecting into the deployment.

As of now, I have seen this issue on 0.10.0 installer, if required I can try to reproduce and provide events from the latest release ie. 0.11.0.
Comment 7 Muhammad Selim Jahangir 2019-02-01 01:37:55 UTC 
Hi
I have got the same errors even deploying from web console too. I tried both httpd and nginx and both failed with error messages

~~~
Error creating: pods "pod-name" is forbidden: unable to validate against any security context constraint
~~~

The resolution was , I have modified the restricted scc and set securityContext and fsGroup to RunAsAny from MustRUnAs. Then it was successful. 

Noticed that build was completed but not the deployment.
Comment 8 Standa Laznicka 2019-03-26 11:00:40 UTC 
Rutvik, Sudarshan, your applications most probably require more privileges than what the serviceaccounts running the pods have, did you create the appropriate roles and rolebindings to the SCC so that you are able to use them?

Especially https://bugzilla.redhat.com/show_bug.cgi?id=1667676#c7 shows that the pod needs more privileges than what the SCCs the service account running the pod is able to obtain.
Comment 9 Sudarshan Chaudhari 2019-03-26 16:57:21 UTC 
Hello Stanislav,

No, I did not create any additional rolebindings or role as we did not do till OCP 3.11.
As a part of testing, I simply tried to deploy the application using php template and the git repo. 

From your statement it seems that we should create/provide permissions to the app so that pods can run, but I am not sure if doing that would help everytime or for that matter changing the default scc. 

Yes, removing the restrictions should work, but what I think is the pods should have ran properly with restricted scc.

If you think that there will be some modifications done to scc or update in the template, let me know so that I can make changes and try it myself. 

Also let me know if there is any additions git issue active for this issue. 

Thanks for your response. 

Regards.
Comment 10 Standa Laznicka 2019-03-27 11:56:20 UTC 
I tried to reproduce today, worked without a problem for a user that's only allowed access to the restricted SCC. There were problems with openshift-apiserver in the past that could have caused this. Can you try to reproduce with a current cluster version (installer v0.14.0 and newer) and confirm it's working? Thanks.
Comment 11 Standa Laznicka 2019-03-29 13:58:14 UTC 
Closing as worksforme, feel free to reopen if the bug still appears. Note that installer 0.15.0 still contains the openshift-apiserver bug that could prevent you from creating Pods (https://bugzilla.redhat.com/show_bug.cgi?id=1688820).
Comment 12 Sudarshan Chaudhari 2019-04-01 05:20:49 UTC 
Hello, 

I tried deploying the fresh cluster with the installer 0.15 and tested the app deployment using the git repo: https://github.com/sudarshan-uc/ab-deploy.git
This time, the app deployed properly as expected. Great Work. 

$ oc get pods
NAME              READY     STATUS      RESTARTS   AGE
mytest-1-b8p47    1/1       Running     0          24m
mytest-1-build    0/1       Completed   0          27m
mytest-1-deploy   0/1       Completed   0          24m

The complete build logs:
http://pastebin.test.redhat.com/747069

oc get pods -o yaml : http://pastebin.test.redhat.com/747070


Thanks for the response and the fix if any.