OpenSearch failing on openshift environment

bimlesh_singh · March 10, 2023, 7:34am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch- 2.4.X

Describe the issue:
We tried to install OpenSearch on Openshift environment with the help of Helm. and OpenSearch fails to start with other than default namespace.

Configuration:

We followed this link to proceed with installation.

Relevant Logs or Screenshots:
create Pod opensearch-cluster-master-0 in StatefulSet opensearch-cluster-master failed error: pods “opensearch-cluster-master-0” is forbidden: unable to validate against any security context constraint: [provider “anyuid”: Forbidden: not usable by user or serviceaccount, provider “dynatrace-dynakube-oneagent-unprivileged”: Forbidden: not usable by user or serviceaccount, provider “dynatrace-dynakube-oneagent-privileged”: Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.fsGroup: Invalid value: int64{1000}: 1000 is not an allowed group, spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000670000, 1000679999], spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000670000, 1000679999], provider “nonroot”: Forbidden: not usable by user or serviceaccount, provider “hostmount-anyuid”: Forbidden: not usable by user or serviceaccount, provider “machine-api-termination-handler”: Forbidden: not usable by user or serviceaccount, provider “hostnetwork”: Forbidden: not usable by user or serviceaccount, provider “hostaccess”: Forbidden: not usable by user or serviceaccount, provider “twistlock-scc”: Forbidden: not usable by user or serviceaccount, provider “node-exporter”: Forbidden: not usable by user or serviceaccount, provider “privileged”: Forbidden: not usable by user or serviceaccount]

hagayg · March 10, 2023, 9:14am

We’re currently using Dashboards on Openshift, the problem mostly lies with the Openshift security context.
It seems your Openshift cluster doesn’t allow for user “1000”, which is the user opensearch defaults permissions to.
AFAIK, this isn’t typical behavior, and might be defined by your Openshift administrator.
Try asking them to allow user “1000”,or alternatively, allow root user in your namespace (user 0)

sachinmahale · March 10, 2023, 12:08pm

I am able to get pods up in openshift after assigning the additional privileges using:

oc adm policy add-scc-to-user privileged -z default

Topic		Replies	Views
Helm Chart: Cluster name anything apart from "opensearch-cluster" is not working OpenSearch discuss	4	763	September 8, 2021
Get an error response while getting _cluster/stats OpenSearch troubleshoot , configure	0	246	October 17, 2022
Openseach HELM charts + Azure OIDC Security	2	489	July 14, 2022
Errors at opensearch startup OpenSearch Dashboards troubleshoot , install	6	471	November 3, 2023
OpenSearch Security not initialized error in master node Security troubleshoot , configure , install	17	155	April 3, 2024

OpenSearch failing on openshift environment

Related Topics