ES cluster deploy failed on OpenShift 4.11 (Kubernetes 1.24)
A golang based operator to create and manage EFK .
Brought to you by: opstree-global
Originally created by: oernii
OpenShift 4.11+ does not allow anyuid.
create Pod elastic-master-0 in StatefulSet elastic-master failed error: pods "elastic-master-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000760000, 1000769999], spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000760000, 1000769999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "velero-privileged": Forbidden: not usable by user or serviceaccount]
1.688129737572256e+09 INFO controller_logging_operator Statefulset get action failed {"Namespace": "openshift-operators", "Name": "elasticsearch-master", "Resource Type": "StatefulSet"}
1.688129737599003e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": privileged (container "sysctl-init" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "sysctl-init", "elastic" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "sysctl-init", "elastic" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "sysctl-init", "elastic" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "sysctl-init" must not set runAsUser=0), seccompProfile (pod or containers "sysctl-init", "elastic" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1.6881297376007473e+09 INFO controller_logging_operator Statefulset successfully created {"Namespace": "openshift-operators", "Name": "elasticsearch-master", "Resource Type": "StatefulSet"}
Originally posted by: romankspb
oc adm policy add-scc-to-user privileged -z default
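The KubeAPIWarningLogger line in the operator log lists exactly which securityContext fields the pod is missing for the PodSecurity `restricted` profile, and the SCC error adds the namespace constraint: fixed runAsUser/fsGroup values must fall inside the namespace's UID range (here [1000760000, 1000769999]). Granting the default service account the `privileged` SCC, as in the workaround above, makes the error disappear by lifting every one of those constraints for every pod that uses that service account. The alternative is a pod spec that satisfies them. The checker below is an added example for this thread, not code from the logging-operator project: it encodes the rules named in the two messages and runs them over a failing spec reconstructed from the fields the messages mention and over a hardened spec. The container images, the init-container command and the UID range passed as a parameter are assumptions (typical Elasticsearch defaults and the range printed in the log), not values taken from the operator's manifests, and the check covers only the rules quoted in the log, not the full PodSecurity restricted policy (host namespaces, volume types, and so on).

```python
"""Check a pod spec against the PodSecurity "restricted" rules quoted in the
operator log, plus the restricted-v2 SCC UID/fsGroup range check.

Added example for this issue thread; not part of the logging-operator code.
The sample specs are constructed from the fields the error messages name.
"""
from __future__ import annotations

from typing import Any

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
# The only capability the restricted profile allows a container to add back.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(
    pod_spec: dict[str, Any],
    scc_uid_range: tuple[int, int] | None = None,
) -> list[str]:
    """Return human-readable violations; an empty list means the spec passes.

    scc_uid_range is the namespace's SCC UID range (the log above shows
    [1000760000, 1000769999] for this namespace). When given, fixed
    runAsUser/fsGroup values outside it are reported, as restricted-v2 does.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    problems: list[str] = []

    def in_range(uid: int) -> bool:
        lo, hi = scc_uid_range
        return lo <= uid <= hi

    fs_group = pod_sc.get("fsGroup")
    if scc_uid_range and fs_group is not None and not in_range(fs_group):
        problems.append(f".spec.securityContext.fsGroup={fs_group} is outside the SCC range {scc_uid_range}")

    containers = list(pod_spec.get("initContainers") or []) + list(pod_spec.get("containers") or [])
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}

        if sc.get("privileged") is True:
            problems.append(f'privileged (container "{name}" must not set securityContext.privileged=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}" must set securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f'unrestricted capabilities (container "{name}" must set securityContext.capabilities.drop=["ALL"])')
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            problems.append(f'added capabilities {sorted(extra)} (container "{name}" may only add NET_BIND_SERVICE)')
        # Container-level fields override pod-level ones, so fall back to the pod.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'runAsNonRoot != true (pod or container "{name}" must set securityContext.runAsNonRoot=true)')
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            problems.append(f'runAsUser=0 (container "{name}" must not set runAsUser=0)')
        elif scc_uid_range and run_as_user is not None and not in_range(run_as_user):
            problems.append(f'runAsUser={run_as_user} (container "{name}" must be in the range {scc_uid_range})')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP_TYPES:
            problems.append(f'seccompProfile (pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return problems


# Constructed from the fields the SCC/PodSecurity messages complain about;
# images and the init command are assumptions, not the operator's manifest.
FAILING_SPEC: dict[str, Any] = {
    "securityContext": {"fsGroup": 1000},
    "initContainers": [{
        "name": "sysctl-init",
        "image": "busybox",  # assumed
        "command": ["sysctl", "-w", "vm.max_map_count=262144"],  # typical ES init step, assumed
        "securityContext": {"privileged": True, "runAsUser": 0},
    }],
    "containers": [{
        "name": "elastic",
        "image": "elasticsearch",  # assumed
        "securityContext": {"runAsUser": 1000},
    }],
}

# The same pod shaped to pass restricted:latest and fit restricted-v2 without
# any extra SCC grant. The privileged sysctl init container is gone:
# vm.max_map_count is a node-level sysctl and must be raised on the nodes.
HARDENED_SPEC: dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
        # no fixed runAsUser/fsGroup: the SCC assigns them from the namespace range
    },
    "containers": [{
        "name": "elastic",
        "image": "elasticsearch",  # assumed
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    ns_range = (1000760000, 1000769999)  # taken from the log line above
    for label, spec in (("failing", FAILING_SPEC), ("hardened", HARDENED_SPEC)):
        found = restricted_violations(spec, scc_uid_range=ns_range)
        print(f"{label}: {len(found)} violation(s)")
        for msg in found:
            print("  -", msg)
```

Running it prints the same list of complaints the API server emitted for the failing spec and nothing for the hardened one. Note what the hardened spec gives up: the sysctl init container. Raising vm.max_map_count for Elasticsearch is a node-level change (for example through the Node Tuning Operator or a MachineConfig), which is exactly why a restricted pod cannot do it and why the operator fell back to a privileged root init container.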