Skip to content
This repository was archived by the owner on Oct 21, 2020. It is now read-only.

[nfs-client] provitsioner is not allowed to use nfs volumes #1145

Closed
PetrGlad opened this issue Mar 6, 2019 · 11 comments
Closed

[nfs-client] provitsioner is not allowed to use nfs volumes #1145

PetrGlad opened this issue Mar 6, 2019 · 11 comments
Labels
area/nfs-client lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@PetrGlad
Copy link

PetrGlad commented Mar 6, 2019
edited
Loading

Upon nfs-client container deployment, I get the event

Error creating: pods "nfs-client-provisioner-5cf596db9d-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]

So the nfs-client provisioner does not start.
The problem appears both applying rbac.yaml explicitly and installing with helm.

I tried to work around this by creating PV and referring to that in configuration - that helps provisioner to start. But then when I try to create containers that use NFS volumes they cannot be mounted, although nfs-client's logs says the PV was provisioned, and PVs status says it is Bound. The container startup error is MountVolume.SetUp failed for volume “nfs” : mount failed: exit status 32
I can mount the NFS in Linux from node's console without problems.

Running Minishift v1.29.0+72fa7b2 (OKD/Openshift 3.11, CentOS) with nfs-utils installed on the node.
Configuration files from master branch (2019-03-06).
@wongma7
Copy link
Contributor

wongma7 commented Mar 29, 2019

The pod needs to be granted permissions to use an SCC that permits it to use nfs volumes, for example hostmount-anyuid. Alternatively, you can create a PV with the same NFS information, create a PVC to bind to that PV, and use the PVC in your nfs-client-provisioner pod because the restricted SCC will allow you to use pvc volumes.

See here for more info: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html

@scphantm
Copy link

scphantm commented Mar 29, 2019
edited
Loading

i tried that.

helm install --name nfs-client-provisioner --kubeconfig sa.kubeconfig stable/nfs-client-provisioner --set nfs.server=nfs-65-225 --set nfs.path=/kubernetes-test

oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default/nfs-client-provisioner

It still can't start the pod.

Error creating: pods "nfs-client-provisioner-75c6bd6c85-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group spec.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000000000, 1000009999]]

Ive also tried adding privileged and restricted to the service user.

apiVersion: apps/v1
kind: ReplicaSet
metadata:
  annotations:
    deployment.kubernetes.io/desired-replicas: '1'
    deployment.kubernetes.io/max-replicas: '1'
    deployment.kubernetes.io/revision: '1'
  creationTimestamp: '2019-03-29T20:12:20Z'
  generation: 1
  labels:
    app: nfs-client-provisioner
    pod-template-hash: '3172682741'
    release: nfs-client-provisioner
  name: nfs-client-provisioner-75c6bd6c85
  namespace: default
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: Deployment
      name: nfs-client-provisioner
      uid: f5723a92-525e-11e9-b02f-005056006301
  resourceVersion: '31959'
  selfLink: >-
    /apis/apps/v1/namespaces/default/replicasets/nfs-client-provisioner-75c6bd6c85
  uid: f573a5fb-525e-11e9-b02f-005056006301
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nfs-client-provisioner
      pod-template-hash: '3172682741'
      release: nfs-client-provisioner
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nfs-client-provisioner
        pod-template-hash: '3172682741'
        release: nfs-client-provisioner
    spec:
      containers:
        - env:
            - name: PROVISIONER_NAME
              value: cluster.local/nfs-client-provisioner
            - name: NFS_SERVER
              value: pgh-realm-65-225
            - name: NFS_PATH
              value: /kubernetes-test
          image: 'quay.io/external_storage/nfs-client-provisioner:v3.1.0-k8s1.11'
          imagePullPolicy: IfNotPresent
          name: nfs-client-provisioner
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /persistentvolumes
              name: nfs-client-root
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 65534
        runAsUser: 65534
      serviceAccount: nfs-client-provisioner
      serviceAccountName: nfs-client-provisioner
      terminationGracePeriodSeconds: 30
      volumes:
        - name: nfs-client-root
          nfs:
            path: /kubernetes-test
            server: pgh-realm-65-225
status:
  conditions:
    - lastTransitionTime: '2019-03-29T20:12:21Z'
      message: >-
        pods "nfs-client-provisioner-75c6bd6c85-" is forbidden: unable to
        validate against any security context constraint: [fsGroup: Invalid
        value: []int64{65534}: 65534 is not an allowed group spec.volumes[0]:
        Invalid value: "nfs": nfs volumes are not allowed to be used
        spec.containers[0].securityContext.securityContext.runAsUser: Invalid
        value: 65534: must be in the ranges: [1000000000, 1000009999]]
      reason: FailedCreate
      status: 'True'
      type: ReplicaFailure
  observedGeneration: 1
  replicas: 0

i suspect my problem is related to

      securityContext:
        fsGroup: 65534
        runAsUser: 65534

but i don't know where that comes from and it won't let me change it.

@wongma7
Copy link
Contributor

wongma7 commented Mar 29, 2019

Is it possible to have helm render the replicaset yaml, change the securityContext and create the replicaset after? I am not too familiar with helm, once you get it working I would also open an issue with the charts repo to make it optional.

Any idea where the range [1000000000, 1000009999] comes from? It might be an annotation on the project, what does the project yaml look like? Can you paste the privileged scc yaml here?

@scphantm
Copy link

Well, i tried deleting everything and creating it by hand instead of using helm. Error message changed...

Error creating: pods "nfs-client-provisioner-67c58f4645-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]

problem is this is after i gave the service account privileged and hostmount-anyuid

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 27, 2019
@supriya-premkumar
Copy link

supriya-premkumar commented Jul 17, 2019
edited
Loading

I ran into this issue as well and was able to resolve it by adding nfs volume in the PodSecurityPolicy spec.

apiVersion: policy/v1beta1 
kind: PodSecurityPolicy 
  metadata: 
    name: example 
  spec: 
    volumes: 
     - nfs

@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 17, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jdorel
Copy link

jdorel commented Nov 10, 2019

Can be resolved with oc adm policy add-scc-to-user hostmount-anyuid -z nfs-client-provisioner

@gimmely
Copy link

gimmely commented Jul 1, 2020

Can be resolved with oc adm policy add-scc-to-user hostmount-anyuid -z nfs-client-provisioner

This worked for me after re-deployment.

@manosnoam manosnoam mentioned this issue Sep 22, 2020
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area/nfs-client lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@PetrGlad @scphantm @wongma7 @supriya-premkumar @jdorel @k8s-ci-robot @gimmely @fejta-bot