I thought it would make more sense to continue the discussion from #989 in a distinct issue, hence I'm opening this ticket to report the mismatch between the helm chart and OpenShift default Security Context Constraints. (Tested with Code Ready Container v4.13).
Output of helm install
W0821 07:57:17.613177 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "activemq" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635153 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635572 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.639977 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.655524 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-search" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I find that the Helm output logs do not give the proper impression of the mismatch between securityContext definition and the default SCC available.
When looking at each resource individually, we can see the reasons why each default SCC cannot be used. Most of the time, runAsUser has a value lower than the valid range of the restricted-v2 SCC.
alfresco-postgresql-acs StatefulSet
create Pod alfresco-postgresql-acs-0 in StatefulSet alfresco-postgresql-acs failed error: pods "alfresco-postgresql-acs-0" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-active-mq Deployment
pods "alfresco-activemq-dc4c6c95b-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33031: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-active-cc Deployment
pods "alfresco-alfresco-cc-598884f77d-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 101: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-imagemagick Deployment
pods "alfresco-alfresco-cs-imagemagick-57d5b8b95f-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33002: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-libreoffice Deployment
pods "alfresco-alfresco-cs-libreoffice-cc569bc75-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33003: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-pdfrenderer Deployment
pods "alfresco-alfresco-cs-pdfrenderer-576995585-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33001: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-repository Deployment
pods "alfresco-alfresco-cs-repository-5c77f58d5f-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group,
provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 33000: must be in the ranges: [1000670000, 1000679999],
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33000: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-tika Deployment
pods "alfresco-alfresco-cs-tika-6457b98b57-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33004: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-transform-misc Deployment
pods "alfresco-alfresco-cs-transform-misc-6f94976c8c-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33006: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-search-solr Deployment
pods "alfresco-alfresco-search-solr-5c6d4d9bfc-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{33007}: 33007 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33007: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
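The two layers of rejection quoted above (the PodSecurity "restricted" warnings from Helm and the restricted-v2 SCC range errors on each workload) can be reproduced offline against a pod spec. This is an added checker, not code from the chart or from OpenShift; the pod specs and the namespace UID range are constructed from the values reported in this issue, and the check covers only the fields named in the thread, not the full SCC or PSA rule set.

```python
# UID/GID range allotted to the test namespace by the restricted-v2 SCC
# (copied from the admission errors above; every namespace gets its own).
SCC_UID_RANGE = (1000670000, 1000679999)


def _ctx(pod: dict, container: dict, key: str):
    """Container securityContext overrides the pod-level one, as in Kubernetes."""
    value = (container.get("securityContext") or {}).get(key)
    if value is None:
        value = (pod.get("securityContext") or {}).get(key)
    return value


def check_pod(pod: dict, uid_range: tuple = SCC_UID_RANGE) -> list:
    """One finding per violated rule; an empty list means the pod would be admitted."""
    lo, hi = uid_range
    findings = []
    fs_group = (pod.get("securityContext") or {}).get("fsGroup")
    if fs_group is not None and not lo <= fs_group <= hi:
        findings.append(f"fsGroup {fs_group} is not an allowed group")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        uid = _ctx(pod, c, "runAsUser")
        if uid is not None and not lo <= uid <= hi:
            findings.append(f"{name}: runAsUser {uid} must be in the range {lo}-{hi}")
        if _ctx(pod, c, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        seccomp = (_ctx(pod, c, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed pod spec modelled on the alfresco-postgresql-acs errors quoted above.
AS_SHIPPED = {
    "securityContext": {"fsGroup": 1001},
    "containers": [{"name": "postgresql",
                    "securityContext": {"runAsUser": 1001}}],
}

# Constructed hardened spec: no pinned UID/GID (the SCC assigns one from the
# namespace range), plus the four fields the restricted profile requires.
HARDENED = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "postgresql",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
```

Passing the checker does not guarantee the image runs: as the share container below shows, an image whose files are owned by a fixed UID still fails at runtime when the SCC assigns an arbitrary one.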
To accommodate the non-root UIDs, one can allow the slightly lower SCC nonroot-v2 for the target namespace service account.
However, the alfresco-content-services container in the alfresco-cs-share deployment still fails due to a denied root privilege.
Using the default SCC anyuid, with all its security implications, lets the pod run without permission issues.
By the way, the (first?) permission issue in the container, if run without root privilege, is:
Replace 'REPO_HOST' with 'alfresco-alfresco-cs-repository' and 'REPO_PORT' with '80'
sed: couldn't open temporary file /usr/local/tomcat/shared/classes/alfresco/web-extension/sedubFq2G: Permission denied
OK, this is actually the issue we are already aware of (internally tracked as APPS-1832), for which we don't really have any workaround yet.