PostgreSQL pods show CreateContainerConfigError

The EnterpriseDB (EDB) PostgreSQL ClusterServiceVersion (CSV) and deployment fail to run on an Amazon Elastic Kubernetes Service (EKS) cluster.

Symptom

You see an error message similar to the following in the pod status:

  containerStatuses:
  - image: icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator@sha256:4219d4f32f6da7d36c8043473e58cbde7cf1a435e44c317e1bc0c4c4a077d2e0
    imageID: ""
    lastState: {}
    name: manager
    ready: false
    restartCount: 0
    started: false
    state:
      waiting:
        message: 'container has runAsNonRoot and image has non-numeric user (nonroot),
          cannot verify user is non-root (pod: "postgresql-operator-controller-manager-1-18-4-5d5c48fc7-c92z9_ibm-common-services(be9f0916-87b9-4871-a244-b162e50cb32f)",
          container: manager)'
        reason: CreateContainerConfigError

Cause

The PostgreSQL operator container sets securityContext.runAsNonRoot: true, which requires the container to run as a user whose UID is not 0. The container image specifies its user by a non-numeric name (nonroot) rather than by UID, so Kubernetes (the kubelet) cannot verify that the user is not root and refuses to create the container.

Resolution

Patch the PostgreSQL CSV and deployment to set securityContext.runAsUser: 1001.

  1. Create an environment variable with your PostgreSQL operator namespace.

     namespace=<operator-namespace>

  2. Get the PostgreSQL CSV name.

     edb_csv=$(kubectl -n ${namespace} get csv -l operators.coreos.com/cloud-native-postgresql.${namespace}="" -o name)

  3. Patch the CSV with a numeric user.

     kubectl -n ${namespace} patch $edb_csv --type=json -p '[{"op":"add","path":"/spec/install/spec/deployments/0/spec/template/spec/securityContext/runAsUser","value":1001}]'

  4. Get the PostgreSQL deployment name.

     edb_deployment=$(kubectl -n ${namespace} get deployment -l operators.coreos.com/cloud-native-postgresql.${namespace}="" -o name)

  5. Patch the deployment with a numeric user.

     kubectl -n ${namespace} patch $edb_deployment --type=json -p '[{"op":"add","path":"/spec/template/spec/securityContext/runAsUser","value":1001}]'
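A pre-flight check for this failure mode, added here as an example and not part of the original procedure or of the kubelet's code: it re-implements (in simplified form, an assumption) the kubelet's runAsNonRoot verification on a pod template and builds the JSON patch from the steps above. It also handles the case where the pod template has no securityContext at all, where the `add` of `.../securityContext/runAsUser` would be rejected because RFC 6902 requires the parent object to exist. The pod template and image user are constructed samples.

```python
import json
import re

def _effective_sc(pod_spec, container):
    """Container-level securityContext fields override pod-level ones, as in the kubelet."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged

def verify_run_as_non_root(pod_spec, container, image_user):
    """Simplified re-implementation (an assumption, not the kubelet's own code) of the check
    behind CreateContainerConfigError. image_user is the USER from the image config.
    Returns None if the container may start, otherwise the reason it is rejected."""
    sc = _effective_sc(pod_spec, container)
    if not sc.get("runAsNonRoot"):
        return None                       # policy not requested: nothing to verify
    if "runAsUser" in sc:                 # explicit UID: verifiable without the image
        return "runAsUser breaks non-root policy" if sc["runAsUser"] == 0 else None
    if image_user and re.fullmatch(r"\d+", image_user):
        return "image will run as root" if int(image_user) == 0 else None
    if image_user:                        # a name such as "nonroot": UID unknown to the kubelet
        return f"image has non-numeric user ({image_user}), cannot verify user is non-root"
    return None

def run_as_user_patch(pod_spec, prefix, uid=1001):
    """Build the JSON patch used in the resolution. RFC 6902 'add' needs the parent to
    exist, so when securityContext is absent the whole object is added instead."""
    if pod_spec.get("securityContext") is None:
        return [{"op": "add", "path": f"{prefix}/securityContext", "value": {"runAsUser": uid}}]
    return [{"op": "add", "path": f"{prefix}/securityContext/runAsUser", "value": uid}]

def diagnose(pod_spec, image_user="nonroot"):
    """Return {container name: reason} for every container the kubelet would refuse."""
    failures = {}
    for c in pod_spec["containers"]:
        reason = verify_run_as_non_root(pod_spec, c, image_user)
        if reason:
            failures[c["name"]] = reason
    return failures

# Constructed sample: pod template of the operator deployment, securityContext as on the page.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "manager", "image": "icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator"}],
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_POD_SPEC))
    print(json.dumps(run_as_user_patch(SAMPLE_POD_SPEC, "/spec/template/spec")))
```

Feed it the output of `kubectl get deployment ... -o json` (`.spec.template.spec`) together with the image's USER from `docker inspect` or `skopeo inspect --config` to confirm the fix before patching.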