Setting security context constraints

If you use the Network Discovery Observer, set security context constraints so that the topology-nasm-net-disco-worker ReplicaSet and the topology-nasm-net-disco-sidecar and topology-nasm-net-disco-topogram pods start.

About this task

The following pods might fail to start if Network Discovery is enabled and a topology-sftp-secret secret is created:

# oc get pods | egrep -v "1/1|2/2|Comp"
NAME                                                              READY   STATUS      RESTARTS   AGE
ocd137-topology-nasm-net-disco-sidecar-75cb79c5f-2pdml            0/1     Init:0/1    0          29h
ocd137-topology-nasm-net-disco-topogram-64985bfd6-7twf6           0/1     Init:0/2    0          29h

The topology-nasm-net-disco-worker ReplicaSet reports errors with the security context constraint (SCC) capabilities:

# oc describe replicaset ocd137-topology-nasm-net-disco-worker-5dbd558f86 | egrep "^Events:" -A10
Events:
  Type     Reason        Age                     From                   Message
  ----     ------        ----                    ----                   -------
  Warning  FailedCreate  4h2m (x35 over 5h53m)   replicaset-controller  Error creating: pods "ocd137-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
  Warning  FailedCreate  3m55s (x54 over 3h53m)  replicaset-controller  Error creating: pods "ocd137-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Procedure

  1. Create the service account that the worker pod will run under.
    # oc create serviceaccount nasm-net-disco-sa -n noicase137
    serviceaccount/nasm-net-disco-sa created
  2. Allow the service account to access the image pull secret.
    # oc patch serviceaccount nasm-net-disco-sa -p '{"imagePullSecrets": [{"name": "noi-registry-secret"}]}' -n noicase137
    serviceaccount/nasm-net-disco-sa patched
  3. Create an SCC that allows only the NET_RAW and DAC_OVERRIDE capabilities that the worker requests, with privileged and host access left disabled.
    # oc apply -f new_scc.yaml
    securitycontextconstraints.security.openshift.io/nasm-net-disco-scc created
    
    # cat new_scc.yaml
    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: "This policy defines the minimum security settings required to run network discovery worker."
      name: nasm-net-disco-scc
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities:
    - NET_RAW
    - DAC_OVERRIDE
    allowedFlexVolumes: []
    defaultAddCapabilities: []
    fsGroup:
      type: MustRunAs
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsRange
    seccompProfiles:
    - docker/default
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    priority: null
  4. Allow the service account to use this SCC.
    # oc adm policy add-scc-to-user nasm-net-disco-scc -z nasm-net-disco-sa -n noicase137
    clusterrole.rbac.authorization.k8s.io/system:openshift:scc:nasm-net-disco-scc added: "nasm-net-disco-sa"
  5. Update the NOI deployment so that the worker pod runs under the new service account.
    # oc edit noi ocd137
    
    and add the following Helm value:
    
    spec:
      helmValuesASM:
        nasm-net-disco.nasm-net-disco-worker.serviceAccountName: nasm-net-disco-sa
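The following script is an added example and is not part of the IBM procedure. It ties the diagnosis in "About this task" to step 3 of the procedure: it parses one FailedCreate event message (copied from the ReplicaSet output above) to list the capabilities that admission rejected, then audits the new_scc.yaml from step 3 on the local disk, before any oc apply, to confirm the SCC allows exactly those capabilities while keeping privileged mode and every host namespace off. It makes no oc calls. The set of fields it treats as "must be false" or "must be pinned", and the assumption that the manifest keeps the flat layout shown on this page (top-level keys at column 0, list items as "- x"), are this example's choices, not requirements stated by the page.

```shell
#!/bin/sh
# Added example (not the IBM procedure's code): derive the capabilities the worker pod
# needs from the admission error, then audit the SCC manifest locally before "oc apply".
# No oc calls; the event text and the manifest below are copied from this page.

work="${TMPDIR:-/tmp}/nasm-scc-check.$$"
mkdir -p "$work"
trap 'rm -rf "$work"' EXIT

# One FailedCreate message from "oc describe replicaset" (trailing "provider ..." entries cut).
event_msg='Error creating: pods "ocd137-topology-nasm-net-disco-worker-5dbd558f86-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount]'

# rejected_caps MSG -> capabilities the error says "may not be added", one per line, sorted
rejected_caps() {
  printf '%s\n' "$1" \
    | grep -o 'Invalid value: "[A-Z_]*": capability may not be added' \
    | sed 's/Invalid value: "\([A-Z_]*\)".*/\1/' \
    | sort -u
}

# new_scc.yaml exactly as shown in step 3 of the procedure.
scc_file="$work/new_scc.yaml"
cat > "$scc_file" <<'EOF'
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: "This policy defines the minimum security settings required to run network discovery worker."
  name: nasm-net-disco-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_RAW
- DAC_OVERRIDE
allowedFlexVolumes: []
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seccompProfiles:
- docker/default
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
priority: null
EOF

# Minimal readers for this flat layout: scalar of a top-level key, "type:" under a key, items of a list.
scc_field()   { awk -v key="$2" '$1 == (key ":") { print $2; exit }' "$1"; }
scc_subtype() { awk -v key="$2" '$1 == (key ":") { b = 1; next }
                                 b && $1 == "type:" { print $2; exit }
                                 b && /^[^ ]/ { exit }' "$1"; }
scc_list()    { awk -v key="$2" '$1 == (key ":") { l = 1; next }
                                 l && /^- / { sub(/^- /, ""); print; next }
                                 l { exit }' "$1"; }

# check_scc FILE CAP... -> 0 when FILE keeps privileged mode and all host namespaces off,
# pins runAsUser and seLinuxContext, drops ALL by default and allows exactly CAP...;
# otherwise 1 with one FAIL line per finding. (Which keys count is this example's choice.)
check_scc() {
  f="$1"; shift; rc=0
  for key in allowPrivilegedContainer allowHostNetwork allowHostPID allowHostIPC \
             allowHostDirVolumePlugin allowHostPorts; do
    v=$(scc_field "$f" "$key")
    [ "$v" = "false" ] || { echo "FAIL: $key is '$v', expected false"; rc=1; }
  done
  [ "$(scc_subtype "$f" runAsUser)" != "RunAsAny" ] \
    || { echo "FAIL: runAsUser must not be RunAsAny"; rc=1; }
  [ "$(scc_subtype "$f" seLinuxContext)" = "MustRunAs" ] \
    || { echo "FAIL: seLinuxContext must be MustRunAs"; rc=1; }
  scc_list "$f" requiredDropCapabilities | grep -qx ALL \
    || { echo "FAIL: requiredDropCapabilities must include ALL"; rc=1; }
  want=$(printf '%s\n' "$@" | sort -u)
  have=$(scc_list "$f" allowedCapabilities | sort -u)
  [ "$want" = "$have" ] \
    || { echo "FAIL: allowedCapabilities do not match what the pod needs"; rc=1; }
  return $rc
}

needed=$(rejected_caps "$event_msg")
echo "capabilities rejected by admission:"; echo "$needed"
# $needed is deliberately unquoted: one argument per capability.
check_scc "$scc_file" $needed && echo "OK: SCC grants only what the worker needs"
```

Run it as-is to see the two rejected capabilities and an OK line for the page's manifest; point scc_file at a modified copy (for example with allowHostNetwork set to true, or with a third capability added) to see the corresponding FAIL lines. A mismatch in either direction fails the check, so an SCC that silently allows more than the pod asked for is caught as well as one that allows too little.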

Results

After you complete the steps, the topology-nasm-net-disco-worker ReplicaSet starts.

Because the topology-nasm-net-disco-sidecar and topology-nasm-net-disco-topogram pods are no longer waiting on the topology-nasm-net-disco-worker pod, they also start successfully.