Description of problem:
Default SCC forbids the recycler pod from being created, thus the Persistent Volume cannot be recycled.

Version-Release number of selected component (if applicable):
openshift v3.1.1.0
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Create PV (persistent volume) with reclaim policy "Recycle"
2. Create PVC (persistent volume claim)
3. Create pod using the above PVC.
4. Delete pod and PVC.
5. Check PV status.

Actual results:
# oc describe pv nfs
Name:           nfs
Labels:         <none>
Status:         Failed
Claim:          lxiap/nfsc
Reclaim Policy: Recycle
Access Modes:   RWO
Capacity:       5Gi
Message:        Recycling error: Unexpected error creating recycler pod: Pod "pv-recycler-nfs-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.securityContext.runAsUser: invalid value '0', Details: UID on container pv-recycler does not match required range. Found 0, required min: 1000000000 max: 1000009999]
Source:
    Type:     NFS (an NFS mount that lasts the lifetime of a pod)
    Server:   10.240.0.5
    Path:     /data
    ReadOnly: false

Expected results:
Default SCC should allow the recycler pod to be created and run. PV should be Available after the recycler pod finishes its job.

Additional info:
# oc get scc
NAME               PRIV    CAPS   HOSTDIR   SELINUX     RUNASUSER          FSGROUP    SUPGROUP   PRIORITY
anyuid             false   []     false     MustRunAs   RunAsAny           RunAsAny   RunAsAny   10
hostaccess         false   []     true      MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
hostmount-anyuid   false   []     true      MustRunAs   RunAsAny           RunAsAny   RunAsAny   <none>
nonroot            false   []     false     MustRunAs   MustRunAsNonRoot   RunAsAny   RunAsAny   <none>
privileged         true    []     true      RunAsAny    RunAsAny           RunAsAny   RunAsAny   <none>
restricted         false   []     false     MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
@markturansky Looks like you forgot to add some SCC powers for the recycler SA. You'll want to document what you think you need when you add it here: https://github.com/openshift/origin/blob/master/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go#L236-L250
Fixed in https://github.com/openshift/origin/pull/6884
What is the progress on this ticket? https://github.com/openshift/origin/pull/6884 is still not merged. One of the enterprise customers hit this issue, and we need the fix as soon as possible.
Current workaround for v3.1.1.6

1. SA "pv-recycler-controller" should already be created and located in the openshift-infra namespace [1]:
   $ oc get sa -n openshift-infra
2. If this service account is not present, we will need to add it manually [2].
3. Add the service account to the SCC hostmount-anyuid:
   $ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:pv-recycler-controller

*NOTE: Persistent Volumes already in a failed state will not recover and will need to be deleted and added back to the environment. The contents will also need to be manually scrubbed.

[1]
~~~
┌─[root@master1]─[~]
└──> oc get sa -n openshift-infra
NAME                        SECRETS   AGE
build-controller            2         24d
builder                     3         24d
default                     4         24d
deployer                    2         24d
deployment-controller       2         24d
hpa-controller              2         24d
job-controller              3         24d
pv-binder-controller        3         13d
pv-controller               2         24d
pv-provisioner-controller   2         13d
pv-recycler-controller      2         13d
replication-controller      2         24d
~~~

[2]
~~~
┌─[root@master1]─[~]
└──> oc create -n openshift-infra -f - <<API
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pv-recycler-controller
API
~~~
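As an added illustration (this is not code from the report, from the workaround above, or from OpenShift itself), the following Python models the runAsUser part of SCC admission that produces the "unable to validate against any security context constraint" error in the description, and shows why granting the recycler service account hostmount-anyuid makes the pod admissible. It uses only the RUNASUSER column of the `oc get scc` table in the description and the UID range quoted in the error message; the ordering (highest priority first, ties broken by name), the treatment of "<none>" as priority 0, and the omission of SELinux, FSGroup, capability and volume checks are simplifications of the real admission plugin, and the SCC class and the validate_uid/admit function names are my own.

```python
"""Simplified model of SCC runAsUser validation (added example, not OpenShift code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SCC:
    name: str
    run_as_user: str                              # RUNASUSER column: strategy name
    uid_range: Optional[Tuple[int, int]] = None   # (min, max) for MustRunAsRange
    priority: int = 0                             # "<none>" in the table is treated as 0


# The UID range comes from the error message in the description
# ("required min: 1000000000 max: 1000009999"); in a real cluster it is
# derived from a namespace annotation, which this model does not implement.
PROJECT_UID_RANGE = (1000000000, 1000009999)

# The SCCs exactly as listed by `oc get scc` in the description.
SCCS = {
    "anyuid":           SCC("anyuid", "RunAsAny", priority=10),
    "hostaccess":       SCC("hostaccess", "MustRunAsRange", PROJECT_UID_RANGE),
    "hostmount-anyuid": SCC("hostmount-anyuid", "RunAsAny"),
    "nonroot":          SCC("nonroot", "MustRunAsNonRoot"),
    "privileged":       SCC("privileged", "RunAsAny"),
    "restricted":       SCC("restricted", "MustRunAsRange", PROJECT_UID_RANGE),
}

# The recycler pod in the report runs its container as root (runAsUser 0).
RECYCLER_UID = 0


def validate_uid(scc: SCC, uid: Optional[int]) -> Optional[str]:
    """Return None if `scc` accepts a container with runAsUser=`uid`, else a reason."""
    if scc.run_as_user == "RunAsAny":
        return None
    if scc.run_as_user == "MustRunAsNonRoot":
        if uid is None:
            return None  # the kubelet checks the image's USER at run time instead
        return None if uid != 0 else "runAsUser 0 is not allowed (MustRunAsNonRoot)"
    if scc.run_as_user == "MustRunAsRange":
        lo, hi = scc.uid_range
        if uid is None:
            return None  # admission would fill in runAsUser=lo
        if lo <= uid <= hi:
            return None
        return ("UID does not match required range. "
                "Found %d, required min: %d max: %d" % (uid, lo, hi))
    raise ValueError("unknown runAsUser strategy: %s" % scc.run_as_user)


def admit(uid: Optional[int], granted: List[str]) -> Tuple[Optional[str], List[str]]:
    """Try the SCCs a service account may use, highest priority first (ties by
    name; the real admission plugin also ranks by restrictiveness, omitted here).
    Returns (name of the SCC that admitted the pod, or None; rejection reasons)."""
    ordered = sorted((SCCS[n] for n in granted), key=lambda s: (-s.priority, s.name))
    reasons: List[str] = []
    for scc in ordered:
        why = validate_uid(scc, uid)
        if why is None:
            return scc.name, reasons
        reasons.append("provider %s: %s" % (scc.name, why))
    return None, reasons


if __name__ == "__main__":
    # Before the fix: the recycler SA can only use the default 'restricted' SCC,
    # which is the single provider named in the error message.
    print(admit(RECYCLER_UID, ["restricted"]))
    # After the workaround: hostmount-anyuid has been added for the SA.
    print(admit(RECYCLER_UID, ["restricted", "hostmount-anyuid"]))
```

The first call reproduces the rejection from the description (no SCC admits UID 0, and the only reason listed is from provider restricted); the second returns hostmount-anyuid because its RunAsAny strategy places no constraint on the UID. On a real 3.1 cluster, after `oadm policy add-scc-to-user`, the service account appears under `users:` in `oc get scc hostmount-anyuid -o yaml`, and a fresh PV with reclaim policy Recycle should go back to Available once its claim is deleted.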
The fix has merged: https://github.com/openshift/origin/pull/6884
Verified on version:
$ openshift version
openshift v3.1.1.904
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

Persistent Volumes can be recycled now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2016:1064