Hi, I't seems, that the configuration for the helm charts are not fu

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

I've faced the same issue here is the helm values used: <div class="highlight high

Issues with PSP (cis-1.5/1.6) enabled cluster about charts HOT 4 CLOSED

openebs commented on July 20, 2024

Issues with PSP (cis-1.5/1.6) enabled cluster

from charts.

Comments (4)

niladrih commented on July 20, 2024

@tburschka -- Can you describe one of the pods in 'CreateContainerConfigError' state? Thanks.

from charts.

niladrih commented on July 20, 2024

Closing this issue due to inactivity. Please reopen in case you continue to face this issue.

from charts.

marthydavid commented on July 20, 2024

I've faced the same issue here is the helm values used:

    version: "3.0.6"
    values:
      rbac:
        pspEnabled: true
      cstor:
        enabled: true
        rbac:
          pspEnabled: true
        openebsNDM:
          enabled: true
      openebs-ndm:
        enabled: true
      ndmExporter:
        enabled: true
      zfs-localpv:
        enabled: true
        rbac:
          pspEnabled: true

kubectl -n openebs describe pod openebs-cstor-csi-controller-0

Name:                 openebs-cstor-csi-controller-0
Namespace:            openebs
Priority:             900000000
Priority Class Name:  openebs-cstor-csi-controller-critical
Node:                 one.one.one.one/1.1.1.1
Start Time:           Thu, 30 Dec 2021 09:43:45 +0100
Labels:               chart=cstor-3.0.2
                      component=openebs-cstor-csi-controller
                      controller-revision-hash=openebs-cstor-csi-controller-5497b66796
                      heritage=Helm
                      name=openebs-cstor-csi-controller
                      openebs.io/component-name=openebs-cstor-csi-controller
                      openebs.io/version=3.0.0
                      release=openebs
                      statefulset.kubernetes.io/pod-name=openebs-cstor-csi-controller-0
Annotations:          kubernetes.io/psp: global-restricted-psp
Status:               Pending
IP:                   10.42.3.128
IPs:
  IP:           10.42.3.128
Controlled By:  StatefulSet/openebs-cstor-csi-controller
Containers:
  csi-resizer:
    Container ID:
    Image:         k8s.gcr.io/sig-storage/csi-resizer:v1.2.0
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --v=5
      --csi-address=$(ADDRESS)
      --leader-election
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      ADDRESS:  /var/lib/csi/sockets/pluginproxy/csi.sock
    Mounts:
      /var/lib/csi/sockets/pluginproxy/ from socket-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
  csi-snapshotter:
    Container ID:
    Image:         k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --csi-address=$(ADDRESS)
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      ADDRESS:  /var/lib/csi/sockets/pluginproxy/csi.sock
    Mounts:
      /var/lib/csi/sockets/pluginproxy/ from socket-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
  snapshot-controller:
    Container ID:
    Image:         k8s.gcr.io/sig-storage/snapshot-controller:v3.0.3
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --v=5
      --leader-election=false
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
  csi-provisioner:
    Container ID:
    Image:         k8s.gcr.io/sig-storage/csi-provisioner:v3.0.0
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --csi-address=$(ADDRESS)
      --v=5
      --feature-gates=Topology=true
      --extra-create-metadata=true
      --metrics-address=:22011
      --timeout=250s
      --default-fstype=ext4
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      MY_NAME:  openebs-cstor-csi-controller-0 (v1:metadata.name)
      ADDRESS:  /var/lib/csi/sockets/pluginproxy/csi.sock
    Mounts:
      /var/lib/csi/sockets/pluginproxy/ from socket-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
  csi-attacher:
    Container ID:
    Image:         k8s.gcr.io/sig-storage/csi-attacher:v3.1.0
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --v=5
      --csi-address=$(ADDRESS)
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      ADDRESS:  /var/lib/csi/sockets/pluginproxy/csi.sock
    Mounts:
      /var/lib/csi/sockets/pluginproxy/ from socket-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
  cstor-csi-plugin:
    Container ID:
    Image:         openebs/cstor-csi-driver:3.0.0
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Args:
      --endpoint=$(OPENEBS_CSI_ENDPOINT)
      --url=$(OPENEBS_CSI_API_URL)
      --plugin=$(OPENEBS_CONTROLLER_DRIVER)
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      OPENEBS_CONTROLLER_DRIVER:    controller
      OPENEBS_CSI_ENDPOINT:         unix:///var/lib/csi/sockets/pluginproxy/csi.sock
      OPENEBS_CSI_API_URL:          https://openebs.io
      OPENEBS_NAMESPACE:            openebs (v1:metadata.namespace)
      OPENEBS_IO_INSTALLER_TYPE:    cstor-helm
      OPENEBS_IO_ENABLE_ANALYTICS:  true
    Mounts:
      /var/lib/csi/sockets/pluginproxy/ from socket-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-czq89 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  socket-dir:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  kube-api-access-czq89:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  44m                    default-scheduler  Successfully assigned openebs/openebs-cstor-csi-controller-0 to one.one.one.one
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: snapshot-controller)
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: csi-resizer)
  Normal   Pulled     43m (x2 over 43m)      kubelet            Container image "k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3" already present on machine
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: csi-snapshotter)
  Normal   Pulled     43m (x2 over 43m)      kubelet            Container image "k8s.gcr.io/sig-storage/snapshot-controller:v3.0.3" already present on machine
  Normal   Pulled     43m (x2 over 43m)      kubelet            Container image "openebs/cstor-csi-driver:3.0.0" already present on machine
  Normal   Pulled     43m (x2 over 43m)      kubelet            Container image "k8s.gcr.io/sig-storage/csi-provisioner:v3.0.0" already present on machine
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: csi-provisioner)
  Normal   Pulled     43m (x2 over 43m)      kubelet            Container image "k8s.gcr.io/sig-storage/csi-attacher:v3.1.0" already present on machine
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: csi-attacher)
  Warning  Failed     43m (x2 over 43m)      kubelet            Error: container has runAsNonRoot and image will run as root (pod: "openebs-cstor-csi-controller-0_openebs(d3ed5431-8137-4ec7-9aab-82c58e27c283)", container: cstor-csi-plugin)
  Normal   Pulled     3m54s (x184 over 43m)  kubelet            Container image "k8s.gcr.io/sig-storage/csi-resizer:v1.2.0" already present on machine

from charts.

marthydavid commented on July 20, 2024

I could solve the issue with the following ClusterRoleBindings:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: openebs
  name: openebs-cstor-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-psp
subjects:
- kind: ServiceAccount
  name: openebs-cstor-csi-controller-sa
  namespace: openebs
- kind: ServiceAccount
  name: openebs-cstor-operator
  namespace: openebs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: openebs
  name: openebs-ndm-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-psp
subjects:
- kind: ServiceAccount
  name: openebs-ndm
  namespace: openebs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: openebs
  name: openebs-zfs-controller-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-psp
subjects:
- kind: ServiceAccount
  name: openebs-zfs-controller-sa
  namespace: openebs

from charts.

Issues with PSP (cis-1.5/1.6) enabled cluster about charts HOT 4 CLOSED

Comments (4)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent