I was running into permission problems while trying to run a disk-fill/pod-cpu-hog/pod-memory-hog fault.
An error message similar to this one:
```json
{"errorCode":"GENERIC_ERROR","phase":"ChaosInject","reason":"unable to create helper pod: pods \"pod-cpu-hog-helper-\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider \"pipelines-scc\": Forbidden: not usable by user or serviceaccount, provider restricted-v2-sigstore: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[0]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, provider restricted-v2-sigstore: .containers[0].runAsUser: Invalid value: 0: must be: 65533, provider restricted-v2-sigstore: .containers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted-v2-sigstore: .containers[0].capabilities.add: Invalid value: \"SYS_ADMIN\": capability may not be added, provider restricted-v2-sigstore: .containers[0].hostPID: Invalid value: true: Host PID is not allowed to be used, provider restricted-v2: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider restricted-v2: .containers[0].runAsUser: Invalid value: 0: must be in the ranges: [1001010000, 1001019999], provider restricted-v2: .containers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted-v2: .containers[0].capabilities.add: Invalid value: \"SYS_ADMIN\": capability may not be added, provider restricted-v2: .containers[0].hostPID: Invalid value: true: Host PID is not allowed to be used, provider \"restricted\": Forbidden: not usable by user or serviceaccount, provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/pod-cpu-hog]: Forbidden: seccomp may not be set, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"}
```
Indicated that it was a permission issue.
For some odd reason, the role-bindings were not allowing the service account to pick up the SCC settings unless this parameter was added:
```yaml
seccompProfiles:
- "*"
```
I'm not sure if the parameter is needed because I am using OpenShift or if there is something specific to my cluster. I'm not even sure if this is good practice or a security no-no.
I would've made a pull request to the documentation, but I could not find the repo that produces that page.
I hope that helps
Here's the full YAML, if it's helpful:
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
# To mount the socket path directory in helper pod
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
# To run fault injection on a target container using pid namespace.
# It is used in stress, network, dns and http experiments.
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
# To run some privileged modules in dns, stress and network chaos
allowPrivilegedContainer: true
# NET_ADMIN & SYS_ADMIN: used in network chaos experiments to perform
# network operations (running tc command in network ns of target container).
# SYS_ADMIN: used in stress chaos experiment to perform cgroup operations.
allowedCapabilities:
- 'NET_ADMIN'
- 'SYS_ADMIN'
### this is the portion that was added ###
seccompProfiles:
- "*"
### this is the portion that was added:end ###
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
metadata:
  name: litmus-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
# To allow configmaps mounts on upload scripts or envs.
- configMap
# To derive the experiment pod name in the experiment.
- downwardAPI
# used for chaos injection like io chaos.
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
# To authenticate with different cloud providers
- secret
```
Thank you for making this product 🙏
I am not sure if I found a possible improvement in this documentation: https://litmuschaos.github.io/litmus/experiments/concepts/security/openshift-scc/
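The error above is a list of every SCC the service account could be matched against and the exact pod fields each one rejects. An easy way to see which field the extra `seccompProfiles` entry unlocks is to run the helper pod spec through the same checks offline. The script below is an added example, not LitmusChaos or OpenShift code: it re-implements only the SCC admission checks that appear in the error (host PID, privileged, added capabilities, `runAsUser`, volume plugins, seccomp annotations) and evaluates a helper pod rebuilt from the rejected fields against the issue's `litmus-scc`, with and without `seccompProfiles`, and against a constructed approximation of `restricted-v2`. The pod's host paths, the `unconfined` profile value, the `restricted-v2` volume list and its uid range are assumptions made for the example.

```python
"""Offline pre-flight check of a helper pod spec against an OpenShift SCC.

Added example, not LitmusChaos or OpenShift code: it re-implements only the
SCC admission checks that appear in the issue's error (host PID, privileged,
added capabilities, runAsUser, volume plugins, seccomp annotations).
"""

SECCOMP_POD_ANN = "seccomp.security.alpha.kubernetes.io/pod"
SECCOMP_CTR_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

# Constructed: the issue's litmus-scc as an API object, without and with the
# seccompProfiles entry the reporter had to add.
LITMUS_SCC = {
    "metadata": {"name": "litmus-scc"},
    "allowHostDirVolumePlugin": True, "allowHostPID": True,
    "allowPrivilegedContainer": True,
    "allowedCapabilities": ["NET_ADMIN", "SYS_ADMIN"],
    "runAsUser": {"type": "RunAsAny"},
    "volumes": ["configMap", "downwardAPI", "emptyDir", "hostPath",
                "persistentVolumeClaim", "projected", "secret"],
}
LITMUS_SCC_SECCOMP = {**LITMUS_SCC, "seccompProfiles": ["*"]}

# Constructed approximation of the built-in restricted-v2 SCC; the uid range is
# copied from the error text (a real cluster derives it from the namespace).
RESTRICTED_V2 = {
    "metadata": {"name": "restricted-v2"},
    "allowHostDirVolumePlugin": False, "allowHostPID": False,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "runAsUser": {"type": "MustRunAsRange",
                  "uidRangeMin": 1001010000, "uidRangeMax": 1001019999},
    "volumes": ["configMap", "downwardAPI", "emptyDir", "ephemeral",
                "persistentVolumeClaim", "projected", "secret"],
    "seccompProfiles": ["runtime/default"],
}

# Constructed: the pod-cpu-hog helper, rebuilt from the fields the error
# rejects. Host paths and the "unconfined" profile value are assumptions.
HELPER_POD = {
    "metadata": {"name": "pod-cpu-hog-helper-", "annotations": {
        SECCOMP_POD_ANN: "unconfined",
        SECCOMP_CTR_PREFIX + "pod-cpu-hog": "unconfined"}},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "socket-path", "hostPath": {"path": "/run/containerd"}},
                    {"name": "sys-path", "hostPath": {"path": "/sys"}}],
        "containers": [{"name": "pod-cpu-hog", "securityContext": {
            "runAsUser": 0, "privileged": True,
            "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}


def uid_violation(rule, uid):
    """Return why uid breaks the SCC runAsUser strategy, or None if it fits."""
    kind = rule["type"]
    if kind == "RunAsAny":
        return None
    if kind == "MustRunAs":
        return None if uid == rule["uid"] else f"must be: {rule['uid']}"
    if kind == "MustRunAsRange":
        lo, hi = rule["uidRangeMin"], rule["uidRangeMax"]
        return None if lo <= uid <= hi else f"must be in the ranges: [{lo}, {hi}]"
    raise ValueError(f"unknown runAsUser strategy {kind!r}")


def scc_violations(scc, pod):
    """List the reasons scc rejects pod; an empty list means it is admitted."""
    spec, errs = pod["spec"], []
    if spec.get("hostPID") and not scc.get("allowHostPID"):
        errs.append(".spec.securityContext.hostPID: Host PID is not allowed to be used")
    for i, vol in enumerate(spec.get("volumes", [])):
        plugin = next(k for k in vol if k != "name")
        if plugin == "hostPath" and not scc.get("allowHostDirVolumePlugin"):
            errs.append(f"spec.volumes[{i}]: hostPath volumes are not allowed to be used")
        elif plugin not in scc["volumes"] and "*" not in scc["volumes"]:
            errs.append(f"spec.volumes[{i}]: {plugin} volumes are not allowed to be used")
    caps = set(scc.get("allowedCapabilities") or [])
    for i, ctr in enumerate(spec["containers"]):
        sc = ctr.get("securityContext", {})
        if sc.get("privileged") and not scc.get("allowPrivilegedContainer"):
            errs.append(f".containers[{i}].privileged: Privileged containers are not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in caps and "*" not in caps:
                errs.append(f".containers[{i}].capabilities.add: {cap!r} capability may not be added")
        if sc.get("runAsUser") is not None:  # no uid set: the SCC assigns one, out of scope here
            why = uid_violation(scc["runAsUser"], sc["runAsUser"])
            if why:
                errs.append(f".containers[{i}].runAsUser: Invalid value: {sc['runAsUser']}: {why}")
    # A seccomp annotation is refused unless the SCC lists that profile or "*";
    # this is the check the seccompProfiles entry from the issue satisfies.
    profiles = scc.get("seccompProfiles") or []
    for key, profile in pod["metadata"].get("annotations", {}).items():
        if key == SECCOMP_POD_ANN or key.startswith(SECCOMP_CTR_PREFIX):
            if "*" not in profiles and profile not in profiles:
                errs.append(f"pod.metadata.annotations[{key}]: seccomp may not be set")
    return errs


if __name__ == "__main__":
    for scc in (RESTRICTED_V2, LITMUS_SCC, LITMUS_SCC_SECCOMP):
        errs = scc_violations(scc, HELPER_POD)
        print(scc["metadata"]["name"] + ":", "admitted" if not errs else f"{len(errs)} violation(s)")
        for err in errs:
            print("  " + err)
```

In this model the SCC from the issue without `seccompProfiles` fails on exactly the two `seccomp may not be set` lines and nothing else, which is why adding the entry was the missing piece; `"*"` accepts any profile, so a narrower list such as `runtime/default` is the tighter choice if the helper pod's annotations only ever name that profile.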