
install commands for OpenShift #1694

Open
git001 opened this issue Feb 18, 2025 · 0 comments
Labels
triage Issues/PRs that need to be reviewed

Comments


git001 commented Feb 18, 2025

Which component:
The name (and version) of the affected component (controller or kubeseal)

controller v0.28.0

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

The problem is that the default controller.yaml has runAsUser and fsGroup, which do not work on OpenShift when anyuid is not allowed and no fsGroup is set up.

You will get this message:

72s Warning FailedCreate replicaset/sealed-secrets-controller-6979bd8b68 Error creating: pods "sealed-secrets-controller-6979bd8b68-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider "run-as-ray-user": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1001090000, 1001099999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot":

Describe the solution you'd like
A clear and concise description of what you want to happen.

The controller should run 😄

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

I have solved the issue with this command:

curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml |\
sed -E '/.*(fsGroup|runAsUser):.*/d' | oc apply -f -

In case the sealed-secrets controller should not run in kube-system, you can add another sed; this requires that the namespace sealed-secrets is created before the apply.

curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml |\
sed 's/namespace: kube-system/namespace: sealed-secrets/g' | sed -E '/.*(fsGroup|runAsUser):.*/d' |\
oc apply -f -

Additional context
Add any other context or screenshots about the feature request here.

I think this could also be a solution for #1119.

I think this info could be added into the README.
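As an added example (not from this issue or the sealed-secrets project), the same manifest edit as a small POSIX shell script: the sed is anchored to the YAML key so it only deletes fsGroup/runAsUser lines, and a pre-apply gate refuses to apply a manifest that still carries either key or that lost runAsNonRoot. The manifest excerpt is constructed for the test and the function names are hypothetical.

```shell
# Constructed excerpt standing in for controller.yaml (not the real file): only
# the fields the issue discusses, plus runAsNonRoot, which should survive the edit.
SAMPLE_MANIFEST='apiVersion: apps/v1
kind: Deployment
metadata:
  name: sealed-secrets-controller
  namespace: kube-system
spec:
  template:
    spec:
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
      containers:
      - name: sealed-secrets-controller
        securityContext:
          runAsUser: 1001
          runAsNonRoot: true'

# Delete only lines whose key is fsGroup or runAsUser (anchored to the key, so a
# comment or value merely mentioning the word is left alone). With the fields
# gone, the restricted-v2 SCC assigns a UID/GID from the namespace's own range.
strip_scc_fields() {
    sed -E '/^[[:space:]]*(fsGroup|runAsUser):[[:space:]]/d'
}

# Rewrite the target namespace; the namespace must already exist in the cluster.
set_namespace() {
    sed -E "s/^([[:space:]]*)namespace: kube-system$/\1namespace: $1/"
}

# Pre-apply gate: fail if a rejected key is still present or runAsNonRoot is gone.
check_manifest() {
    m=$(cat)
    printf '%s\n' "$m" | grep -Eq '^[[:space:]]*(fsGroup|runAsUser):' && return 1
    printf '%s\n' "$m" | grep -q 'runAsNonRoot: true' || return 1
    return 0
}

# Render the constructed sample for the namespace given as $1 (offline).
render_for_openshift() {
    printf '%s\n' "$SAMPLE_MANIFEST" | strip_scc_fields | set_namespace "$1"
}

# Real pipeline (needs network and cluster access; not run here): fetch, rewrite,
# gate, then apply. Usage: install_on_openshift sealed-secrets
install_on_openshift() {
    m=$(curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml \
        | strip_scc_fields | set_namespace "$1") || return 1
    printf '%s\n' "$m" | check_manifest || return 1
    printf '%s\n' "$m" | oc apply -f -
}
```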

@git001 git001 added the triage Issues/PRs that need to be reviewed label Feb 18, 2025