OpenSearch failing on openshift environment

bimlesh_singh · March 10, 2023, 7:34am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch- 2.4.X

Describe the issue:
We tried to install OpenSearch on Openshift environment with the help of Helm. and OpenSearch fails to start with other than default namespace.

Configuration:

We followed this link to proceed with installation.

Relevant Logs or Screenshots:
create Pod opensearch-cluster-master-0 in StatefulSet opensearch-cluster-master failed error: pods “opensearch-cluster-master-0” is forbidden: unable to validate against any security context constraint: [provider “anyuid”: Forbidden: not usable by user or serviceaccount, provider “dynatrace-dynakube-oneagent-unprivileged”: Forbidden: not usable by user or serviceaccount, provider “dynatrace-dynakube-oneagent-privileged”: Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.fsGroup: Invalid value: int64{1000}: 1000 is not an allowed group, spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000670000, 1000679999], spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000670000, 1000679999], provider “nonroot”: Forbidden: not usable by user or serviceaccount, provider “hostmount-anyuid”: Forbidden: not usable by user or serviceaccount, provider “machine-api-termination-handler”: Forbidden: not usable by user or serviceaccount, provider “hostnetwork”: Forbidden: not usable by user or serviceaccount, provider “hostaccess”: Forbidden: not usable by user or serviceaccount, provider “twistlock-scc”: Forbidden: not usable by user or serviceaccount, provider “node-exporter”: Forbidden: not usable by user or serviceaccount, provider “privileged”: Forbidden: not usable by user or serviceaccount]

hagayg · March 10, 2023, 9:14am

We’re currently using Dashboards on Openshift, the problem mostly lies with the Openshift security context.
It seems your Openshift cluster doesn’t allow for user “1000”, which is the user opensearch defaults permissions to.
AFAIK, this isn’t typical behavior, and might be defined by your Openshift administrator.
Try asking them to allow user “1000”,or alternatively, allow root user in your namespace (user 0)

sachinmahale · March 10, 2023, 12:08pm

I am able to get pods up in openshift after assigning the additional privileges using:

oc adm policy add-scc-to-user privileged -z default

Topic		Replies	Views
Multiple exceptions related to plugins.security Security	1	450	April 30, 2024
New 2.4.0 installation fails whereas 1.3.6 works Kubernetes	3	866	November 29, 2022
Helm Chart: Cluster name anything apart from "opensearch-cluster" is not working OpenSearch discuss	4	900	September 8, 2021
Opensearch Helm Installation Issue Open Source Elasticsearch and Kibana	1	557	February 7, 2023
Get an error response while getting _cluster/stats OpenSearch troubleshoot , configure	0	310	October 17, 2022

OpenSearch failing on openshift environment

Related topics