Bug 1667676 - Unable to deploy application in Openshift
Summary: Unable to deploy application in Openshift
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Standa Laznicka
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks: 1664187
 
Reported: 2019-01-19 17:40 UTC by Sudarshan Chaudhari
Modified: 2019-04-01 05:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-29 13:58:14 UTC
Target Upstream Version:
Embargoed:


Attachments
yaml and logs from controller-manager (2.72 KB, application/gzip)
2019-01-23 05:56 UTC, zhou ying

Description Sudarshan Chaudhari 2019-01-19 17:40:28 UTC
Description of problem:

Event:
~~~
9m          9m           1         app-test.157b4f94f761135f           DeploymentConfig                                            Warning   FailedRetry         deployer-controller                                   Stop retrying: couldn't create deployer pod for "test3/app-test-1": pods "app-test-1-deploy" is forbidden: unable to validate against any security context constraint: []
3m          12m          25        app-test.157b4f6ea60ef2d7           DeploymentConfig                                            Warning   FailedCreate        deployer-controller                                   Error creating deployer pod: pods "app-test-1-deploy" is forbidden: unable to validate against any security context constraint: []
1m          1m           1         app-test.157b5001592b0c17           DeploymentConfig                                            Warning   RolloutTimeout      deployer-controller                                   Rollout for "test3/app-test-1" failed to create deployer pod (timeoutSeconds: 600s)
~~~


Version-Release number of selected component (if applicable):

# oc version
oc v4.0.0-0.125.0
kubernetes v1.11.0+406fc897d8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ocp4.example.com:6443
kubernetes v1.11.0+c69f926354


How reproducible:

Every time I try to deploy a php app

Steps to Reproduce:
1. Create a project using the command:

# oc new-app --name=app-test php~https://github.com/sudarshan-uc/ab-deploy.git


Actual results:
The deployer pod is not getting created

Expected results:

The deployment should have been completed

Additional info:

Adding the complete events and scc yaml.

Also tried to deploy other app such as Python, Ruby, php

Comment 1 Tomáš Nožička 2019-01-21 09:49:33 UTC
please follow this doc to gather the required information https://docs.google.com/document/d/13YIo4z8r2U5h03cwJVADALHN_dYT0Odp7rgvnUo3TdE/edit?usp=sharing

Comment 2 zhou ying 2019-01-23 05:56:57 UTC
Created attachment 1522573 [details]
yaml and logs from controller-manager

Comment 3 zhou ying 2019-01-23 06:02:33 UTC
I can reproduce the issue with my env run after one day: 
Cluster version is 4.0.0-0.nightly-2019-01-18-115403

Even when I run the command `oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json`, I get the error: Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json": pods "hello-openshift" is forbidden: unable to validate against any security context constraint: []

Comment 5 Sudarshan Chaudhari 2019-01-23 06:10:01 UTC
Created attachment 1522578 [details]
Complete scc from cluster

Comment 6 Rutvik 2019-01-29 08:19:18 UTC
Hello Team,

I have also seen a similar issue (events) when I tried to deploy a Quay deployment, which requires the "anyuid" scc to deploy the pods on the openshift cluster. It always prompts that the scc has been attached to the x:y:z system:service account, but it is not reflected in the deployment.

As of now, I have seen this issue on the 0.10.0 installer; if required I can try to reproduce and provide events from the latest release, i.e. 0.11.0.

Comment 7 Selim Jahangir 2019-02-01 01:37:55 UTC
Hi
I have got the same errors even when deploying from the web console. I tried both httpd and nginx and both failed with error messages

~~~
Error creating: pods "pod-name" is forbidden: unable to validate against any security context constraint
~~~

The resolution was: I modified the restricted scc and set securityContext and fsGroup to RunAsAny from MustRunAs. Then it was successful.

Noticed that build was completed but not the deployment.

Comment 8 Standa Laznicka 2019-03-26 11:00:40 UTC
Rutvik, Sudarshan, your applications most probably require more privileges than what the serviceaccounts running the pods have, did you create the appropriate roles and rolebindings to the SCC so that you are able to use them?

Especially https://bugzilla.redhat.com/show_bug.cgi?id=1667676#c7 shows that the pod needs more privileges than what the SCCs the service account running the pod is able to obtain.
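As an added illustration of the point made in Comment 8 (this is not from the bug report or from OpenShift's own manifests), here is the least-privilege alternative to the workaround in Comment 7: rather than relaxing the cluster-wide `restricted` SCC, grant one service account the `use` verb on the SCC its pod actually needs through a namespaced Role and RoleBinding. The namespace `test3` comes from the events above; the service account name `default` and the choice of the `anyuid` SCC are assumptions (pick the narrowest SCC that satisfies the workload). Note that Comments 10 and 11 attribute the original deployer-pod failure to an openshift-apiserver bug, so this only applies where a pod genuinely needs more than `restricted` provides.

```yaml
# Added example, not part of this bug report.
# Assumptions: namespace test3 (from the events), the pod runs as the
# "default" service account, and the workload really needs anyuid.
# The cluster-wide "restricted" SCC is left untouched.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-anyuid-scc
  namespace: test3
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["anyuid"]     # scope the grant to exactly one SCC
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-use-anyuid-scc
  namespace: test3
subjects:
- kind: ServiceAccount
  name: default                 # assumed service account for the app pods
  namespace: test3
roleRef:
  kind: Role
  name: use-anyuid-scc
  apiGroup: rbac.authorization.k8s.io
```

Apply with `oc apply -f`, then `oc adm policy who-can use securitycontextconstraints anyuid -n test3` should list the service account; the deployment's pods will pass admission without any change to `restricted`.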

Comment 9 Sudarshan Chaudhari 2019-03-26 16:57:21 UTC
Hello Stanislav,

No, I did not create any additional rolebindings or roles, as we did not need to do so up to OCP 3.11.
As a part of testing, I simply tried to deploy the application using php template and the git repo. 

From your statement it seems that we should create/provide permissions to the app so that pods can run, but I am not sure if doing that would help every time, or for that matter changing the default scc.

Yes, removing the restrictions should work, but what I think is the pods should have run properly with the restricted scc.

If you think that there will be some modifications done to scc or update in the template, let me know so that I can make changes and try it myself. 

Also let me know if there is any additional git issue active for this issue.

Thanks for your response. 

Regards.

Comment 10 Standa Laznicka 2019-03-27 11:56:20 UTC
I tried to reproduce today, worked without a problem for a user that's only allowed access to the restricted SCC. There were problems with openshift-apiserver in the past that could have caused this. Can you try to reproduce with a current cluster version (installer v0.14.0 and newer) and confirm it's working? Thanks.

Comment 11 Standa Laznicka 2019-03-29 13:58:14 UTC
Closing as worksforme, feel free to reopen if the bug still appears. Note that installer 0.15.0 still contains the openshift-apiserver bug that could prevent you from creating Pods (https://bugzilla.redhat.com/show_bug.cgi?id=1688820).

Comment 12 Sudarshan Chaudhari 2019-04-01 05:20:49 UTC
Hello, 

I tried deploying the fresh cluster with the installer 0.15 and tested the app deployment using the git repo: https://github.com/sudarshan-uc/ab-deploy.git
This time, the app deployed properly as expected. Great Work. 

$ oc get pods
NAME              READY     STATUS      RESTARTS   AGE
mytest-1-b8p47    1/1       Running     0          24m
mytest-1-build    0/1       Completed   0          27m
mytest-1-deploy   0/1       Completed   0          24m

The complete build logs:
http://pastebin.test.redhat.com/747069

oc get pods -o yaml : http://pastebin.test.redhat.com/747070


Thanks for the response and the fix if any.

