ServiceAccount is not set to PrometheusExporter deployment #75

Open
cedar715 opened this issue Jul 26, 2023 · 2 comments

Comments


cedar715 commented Jul 26, 2023

The specified SA in the PubSubPlusEventBroker spec is being set on the Broker's StatefulSet alone and not on the generated PrometheusExporter Deployment. We are using OCP 4.

Here is our spec:

apiVersion: pubsubplus.solace.com/v1beta1
kind: PubSubPlusEventBroker
metadata:
  name: dev3-eventbroker
  namespace: infra
  labels:
    app: solace-pubsubplus-eventbroker
spec:
  image:
    repository: solace/solace-pubsub-standard
    tag: "10.3.1.36"
  redundancy: true
  service:
    type: ClusterIP
  securityContext:
    fsGroup: 2000
    runAsUser: 2000
  serviceAccount:
    name: dev3-eventbroker
  monitoring:
    enabled: true
    image:
      repository: solace/pubsubplus-prometheus-exporter
      tag: 1.0.0
  storage:
    useStorageClass: gp2-ebs-csi-default
    messagingNodeStorageSize: 99Gi
    monitorNodeStorageSize: 49Gi
  tls:
    enabled: true
    certFilename: tls.crt
    certKeyFilename: tls.key

Here is the Operator generated deployment (edited for brevity):

kind: Deployment
spec:
  replicas: 1
  template:
    spec:
      containers:
        - name: exporter
          env:
            - name: SOLACE_WEB_LISTEN_ADDRESS
              value: >-
                tcp-metrics://dev3-eventbroker-pubsubplus-prometheus-metrics.solace-pubsubplus.svc.cluster.local:9628
            - name: SOLACE_SCRAPE_URI
              value: >-
                https://dev3-eventbroker-pubsubplus.solace-pubsubplus.svc.cluster.local:1943
            - name: SOLACE_LISTEN_TLS
              value: 'false'
            - name: SOLACE_USERNAME
              value: monitor
            - name: SOLACE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dev3-eventbroker-pubsubplus-monitor-creds
                  key: username_monitor_password
            - name: SOLACE_SCRAPE_TIMEOUT
              value: 5s
            - name: SOLACE_SSL_VERIFY
              value: 'false'
            - name: SOLACE_INCLUDE_RATES
              value: 'false'
            - name: SOLACE_SERVER_CERT
              value: .
            - name: SOLACE_PRIVATE_KEY
              value: .
          securityContext:
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - name: tcp-metrics
              containerPort: 9628
              protocol: TCP
          imagePullPolicy: IfNotPresent
          terminationMessagePolicy: File
          image: >-
            solace/pubsubplus-prometheus-exporter:1.0.0
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler

Since the SA is not set, the Prometheus exporter pod is not coming up.

"dev3-eventbroker-pubsubplus-prometheus-exporter-d5ff69cff-2wfsh" is forbidden: unable to validate against any security context constraint
Collaborator

bczoma commented Jul 27, 2023

Hi @cedar715, the Prometheus exporter pod is supposed to use the default service account for the project because this pod requires no special rules added. Is there no default SA in your OpenShift project?

Author

cedar715 commented Jul 31, 2023

Hi @bczoma, the default SA is present. However, since there is no SCC associated with it, it's not working in OCP. Here's the full error message:

pods "dev3-eventbroker-pubsubplus-prometheus-exporter-d5ff69cff-2wfsh"
        is forbidden: unable to validate against any security context
        constraint:
        [pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/exporter:
        Forbidden: seccomp may not be set provider "my-scc-1":
        Forbidden: not usable by user or serviceaccount provider
        "my-scc-2": Forbidden: not usable by user or
        serviceaccount provider "my-scc-3": Forbidden: not usable by user or
        serviceaccount provider "my-scc-4": Forbidden: not usable by user
        or serviceaccount]

If I do one of these options, it works:

  1. Edit the generated deployment spec and add an SA which has an SCC associated (basically use the Broker's SA)
  2. Or remove the lines:
      seccompProfile:
        type: RuntimeDefault

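Added example (not code from the operator or from either commenter): a pre-deploy check that models, in simplified form, the SCC admission decision behind the error above, and shows why each of the two workarounds admits the pod. The SCC names, the SA-to-SCC bindings and the RuntimeDefault to runtime/default mapping are assumptions constructed for the model, not cluster data.

```python
import copy

# seccompProfile.type -> the profile string compared against an SCC's
# seccompProfiles list (assumed mapping for this simplified model).
SECCOMP_TYPE_TO_PROFILE = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined"}

def requested_seccomp_profiles(pod_spec):
    """Seccomp profiles requested at pod level and by every container."""
    profiles = set()
    contexts = [pod_spec.get("securityContext", {})]
    contexts += [c.get("securityContext", {}) for c in pod_spec.get("containers", [])]
    for ctx in contexts:
        prof = ctx.get("seccompProfile")
        if prof:
            profiles.add(SECCOMP_TYPE_TO_PROFILE.get(prof["type"], prof.get("localhostProfile")))
    return profiles

def scc_admits(allowed_profiles, requested):
    """'*' admits any profile; an SCC with no seccompProfiles forbids setting one."""
    return "*" in allowed_profiles or requested <= set(allowed_profiles)

def check_deployment(deployment, sa_to_sccs, sccs):
    """Report which SCCs usable by the pod's SA (if any) would admit the pod."""
    pod_spec = deployment["spec"]["template"]["spec"]
    sa = pod_spec.get("serviceAccountName", "default")  # unset SA -> project default
    requested = requested_seccomp_profiles(pod_spec)
    admitted_by = [n for n in sa_to_sccs.get(sa, []) if scc_admits(sccs[n], requested)]
    return {"serviceAccount": sa, "seccomp": sorted(requested), "admitted_by": admitted_by}

def with_service_account(deployment, name):
    """Workaround 1 from the thread: use the SA that has a usable SCC."""
    d = copy.deepcopy(deployment)
    d["spec"]["template"]["spec"]["serviceAccountName"] = name
    return d

def without_seccomp(deployment):
    """Workaround 2 from the thread: drop the container seccompProfile."""
    d = copy.deepcopy(deployment)
    for c in d["spec"]["template"]["spec"]["containers"]:
        c.get("securityContext", {}).pop("seccompProfile", None)
    return d

# Constructed cluster model (assumption): the broker SA may use an SCC that
# allows runtime/default; the project's default SA only one that forbids seccomp.
SCCS = {"scc-no-seccomp": [], "scc-runtime-default": ["runtime/default"]}
SA_TO_SCCS = {"default": ["scc-no-seccomp"], "dev3-eventbroker": ["scc-runtime-default"]}
# Constructed: the generated exporter Deployment reduced to the relevant fields.
EXPORTER = {"spec": {"template": {"spec": {"containers": [{"name": "exporter",
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}}}
```

Run `check_deployment(EXPORTER, SA_TO_SCCS, SCCS)` as generated and the result has an empty `admitted_by`, while either workaround yields one admitting SCC.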