Setting security context constraints
If you use the Network Discovery Observer, set security context constraints so that the topology-nasm-net-disco-worker ReplicaSet and the topology-nasm-net-disco-sidecar and topology-nasm-net-disco-topogram pods start.
About this task
The following pods might fail to start if Network Discovery is enabled and a topology-sftp-secret secret is created:

# oc get pods | egrep -v "1/1|2/2|Comp"
NAME READY STATUS RESTARTS AGE
noi-topology-nasm-net-disco-sidecar-75cb79c5f-2pdml 0/1 Init:0/1 0 29h
noi-topology-nasm-net-disco-topogram-64985bfd6-7twf6 0/1 Init:0/2 0 29h

Where noi is the release name. The egrep filter hides pods that are fully ready or completed, so only the stuck pods remain. Both are still in their init containers (Init:0/1 and Init:0/2) because they wait for the topology-nasm-net-disco-worker pod, and that pod is never created.

The topology-nasm-net-disco-worker ReplicaSet reports errors with the security context constraint (SCC) capabilities:
# oc describe replicaset noi-topology-nasm-net-disco-worker-5dbd558f86 | egrep "^Events:" -A10
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 4h2m (x35 over 5h53m) replicaset-controller Error creating: pods "noi-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
Warning FailedCreate 3m55s (x54 over 3h53m) replicaset-controller Error creating: pods "noi-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
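What the FailedCreate event says: the worker container asks for the Linux capabilities DAC_OVERRIDE and NET_RAW in spec.containers[0].securityContext.capabilities.add, the only SCC the pod's service account may use (the default restricted SCC) refuses to add them, and every other SCC on the cluster (anyuid, privileged, hostaccess, and so on) is not bound to that service account. The fix is therefore a grant to the service account, not a change to the pod spec: an SCC that allows exactly those two capabilities and nothing else. Binding privileged or anyuid would also make the pod start, but it hands the discovery worker far more than it asked for (root, all capabilities, host access). The following bash script is an added example and not the product's documented procedure or code: it extracts the refused capabilities from a constructed copy of the event text above and prints a least-privilege SecurityContextConstraints manifest that allows only those. The SCC name topology-net-disco-caps and its restricted-style defaults (no privileged containers, no host namespaces, UID and SELinux context kept in the namespace ranges, every other capability dropped) are the example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the product's own code: derive the capabilities an SCC
# must allow from the replicaset-controller FailedCreate message, then print
# a least-privilege SecurityContextConstraints manifest that grants only those.
# The SCC name and its restricted-style defaults are this example's assumptions.
set -euo pipefail

# Constructed sample of the event text printed by `oc describe replicaset`
# (trimmed to three of the providers the real message lists).
SAMPLE_EVENT='Warning FailedCreate 4h2m (x35 over 5h53m) replicaset-controller Error creating: pods "noi-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'

# Print the capabilities the admission check refused, one per line, deduplicated.
# Only "capability may not be added" entries count; the 'provider ...: Forbidden'
# entries just name SCCs the service account is not allowed to use.
denied_caps() {
  printf '%s\n' "$1" \
    | grep -o 'capabilities\.add: Invalid value: "[A-Z_]*": capability may not be added' \
    | sed 's/.*Invalid value: "\([A-Z_]*\)".*/\1/' \
    | sort -u
}

# Print an SCC that allows exactly the given capabilities and nothing more.
# Everything else stays as tight as the default restricted SCC: no privileged
# containers, no host network/PID/IPC, UID and SELinux label forced into the
# namespace's ranges, and all other capabilities dropped (the same
# requiredDropCapabilities: ALL plus allowedCapabilities pattern restricted-v2 uses).
scc_manifest() {
  local name="$1"; shift
  cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ${name}
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
requiredDropCapabilities:
  - ALL
allowedCapabilities:
EOF
  local cap
  for cap in "$@"; do
    printf '  - %s\n' "$cap"
  done
  cat <<EOF
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
EOF
}

# Worked run against the constructed event: print the manifest for the
# capabilities it refused (DAC_OVERRIDE and NET_RAW).
CAPS=$(denied_caps "$SAMPLE_EVENT")
# shellcheck disable=SC2086  # splitting the newline-separated list into words is intended
scc_manifest topology-net-disco-caps $CAPS
```

Apply the printed manifest with oc apply -f, then bind it to the service account that the worker pod runs as, which this page does not name: oc adm policy add-scc-to-user topology-net-disco-caps -z <serviceaccount> -n <namespace>. Once the worker pod exists, oc get pod <worker pod> -o yaml | grep openshift.io/scc shows the SCC that admitted it; if that line names privileged or anyuid, the grant is broader than the two capabilities the error asked for.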
Procedure
Results
After you complete the steps, the topology-nasm-net-disco-worker ReplicaSet starts. Both the topology-nasm-net-disco-sidecar and topology-nasm-net-disco-topogram pods are no longer waiting on the topology-nasm-net-disco-worker pod, and they start successfully.