
Nginx ingress controller is deployed and runs with incorrect SCC when Routes are used on OpenShift 4.10

Link the doc and describe what is wrong with it.

https://docs.gitlab.com/operator/security_context_constraints.html#ingress-controller

Hi @walkafwalka and @pursultani, the link here to our default values for nginx-ingress Security Context Constraints appears to point to a scc.yaml file which is not present in the latest helm chart. I cannot deploy nginx-ingress with a valid SCC out of the box to OpenShift using our Cloud-Native Helm Chart. Looking at the values here: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator/-/blob/0-9-stable/deploy/chart/templates/openshift/scc.yaml, anyuid: 101 is not a valid key-value for anyuid, since the default 'restricted' SCC profile is range-restricted to the range shown in the error message below.

[Screenshot: Link to helm chart points to non-existent SCC yaml config in latest helm chart]


From the error logs emitted by the nginx-ingress ReplicaSet:

18 times in the last 11 minutes
Error creating: pods "gitlab-nginx-ingress-controller-86d9c5676d-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 101: must be in the ranges: [1001020000, 1001029999], spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Edit: From @dmakovey: the proper workaround is to apply the scc.yaml extracted from the operator manifest (steps below) to allow the Nginx-Ingress-Controller service to deploy to your OpenShift cluster.

  1. Fetch the Kubernetes manifest for Operator 0.17.1 (you need gitlab-operator-openshift.yaml).

  2. Extract the SCC:

     yq eval '. | select(.metadata.name | test(".*scc.*"))' gitlab-operator-openshift-0.17.1.yaml > scc.yaml

  3. Adjust references within scc.yaml to reflect your deployment.

  4. Apply scc.yaml to your cluster:

     kubectl apply -f scc.yaml

https://docs.gitlab.com/operator/troubleshooting.html#nginx-ingress-controller-pods-missing

Edited by Bart Zhang
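The admission error quoted in the issue is the aggregate of every SCC the service account could try: the SCCs it is not granted ("not usable by user or serviceaccount") plus the field-level failures of the one it is granted, here `restricted`, whose `runAsUser` range comes from the namespace annotation and which allows no added capabilities. The following is an added example, not code from the GitLab operator, OpenShift or this issue's authors: a small model of those two checks (runAsUser range, capabilities.add) and the grant gate, run against the nginx-ingress container described above (runAsUser 101, NET_BIND_SERVICE). The namespace, the service-account name and the shape of the dedicated `gitlab-nginx-ingress` SCC are assumptions made for the example, not the contents of the operator's actual scc.yaml.

```python
"""Added example (not operator or OpenShift code): a minimal model of the
SCC checks behind 'unable to validate against any security context
constraint'. Namespace, service-account name and the dedicated SCC shape
are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SCC:
    name: str
    # None models runAsUser.type RunAsAny; a list models MustRunAsRange with
    # inclusive (min, max) pairs. 'restricted' takes its range from the
    # namespace's openshift.io/sa.scc.uid-range annotation.
    uid_ranges: Optional[List[Tuple[int, int]]]
    allowed_capabilities: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)

    def usable_by(self, sa: str) -> bool:
        # Every service account is in system:authenticated, which is how the
        # default 'restricted' SCC applies to all pods out of the box.
        return sa in self.users or "system:authenticated" in self.groups


@dataclass
class Container:
    run_as_user: Optional[int] = None
    add_capabilities: List[str] = field(default_factory=list)


def validate_container(scc: SCC, c: Container, idx: int) -> List[str]:
    """Field errors one SCC raises for one container (empty list = passes)."""
    errors: List[str] = []
    path = f"spec.containers[{idx}].securityContext"
    if scc.uid_ranges is not None and c.run_as_user is not None:
        if not any(lo <= c.run_as_user <= hi for lo, hi in scc.uid_ranges):
            ranges = ", ".join(f"[{lo}, {hi}]" for lo, hi in scc.uid_ranges)
            errors.append(f"{path}.runAsUser: Invalid value: {c.run_as_user}: "
                          f"must be in the ranges: {ranges}")
    for cap in c.add_capabilities:
        if "*" not in scc.allowed_capabilities and cap not in scc.allowed_capabilities:
            errors.append(f'{path}.capabilities.add: Invalid value: "{cap}": '
                          "capability may not be added")
    return errors


def admit(sa: str, containers: List[Container],
          sccs: List[SCC]) -> Tuple[Optional[str], List[str]]:
    """Return (name of the first SCC that admits the pod, or None) and the
    reasons collected from every SCC tried, mirroring the aggregated error."""
    reasons: List[str] = []
    for scc in sccs:
        if not scc.usable_by(sa):
            reasons.append(f'provider "{scc.name}": Forbidden: '
                           "not usable by user or serviceaccount")
            continue
        errs = [e for i, c in enumerate(containers)
                for e in validate_container(scc, c, i)]
        if not errs:
            return scc.name, reasons
        reasons.extend(errs)
    return None, reasons


# Constructed inputs (assumed namespace and service-account name).
INGRESS_SA = "system:serviceaccount:gitlab-system:gitlab-nginx-ingress"
INGRESS_POD = [Container(run_as_user=101, add_capabilities=["NET_BIND_SERVICE"])]

ANYUID = SCC("anyuid", uid_ranges=None)  # exists, but not granted to this SA
RESTRICTED = SCC("restricted", uid_ranges=[(1001020000, 1001029999)],
                 groups=["system:authenticated"])
# Hypothetical dedicated SCC: pins the UID the image runs as, allows only the
# one capability the controller needs, and is bound to one service account.
INGRESS_SCC = SCC("gitlab-nginx-ingress", uid_ranges=[(101, 101)],
                  allowed_capabilities=["NET_BIND_SERVICE"], users=[INGRESS_SA])


def without_dedicated_scc():
    return admit(INGRESS_SA, INGRESS_POD, [ANYUID, RESTRICTED])


def with_dedicated_scc():
    return admit(INGRESS_SA, INGRESS_POD, [ANYUID, RESTRICTED, INGRESS_SCC])


if __name__ == "__main__":
    for label, fn in (("before", without_dedicated_scc), ("after", with_dedicated_scc)):
        chosen, reasons = fn()
        print(f"{label}: admitted by {chosen}")
        for r in reasons:
            print("  ", r)
```

Two practical points follow from the model. First, `provider "anyuid": Forbidden: not usable by user or serviceaccount` in the log does not mean `anyuid` is misconfigured; it means the pod's service account was never bound to it, so the only SCC actually evaluated was `restricted`. Second, when you adjust the extracted scc.yaml for your deployment, bind it to the ingress controller's service account by name rather than widening `anyuid` or `system:authenticated`: a UID pin plus a single allowed capability is the least-privilege grant that makes the pod admissible.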