Cannot deploy using an NFS volume due to the forced securityContext in the helm chart #137

Open
rhessing opened this issue Dec 2, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@rhessing

rhessing commented Dec 2, 2022

Setup Details

FIC Version : HelmChart 0.0.3, 0.1.8
CIS Version : 2.10.1
FIC Build: f5networks/f5-ipam-controller:0.1.8
CIS Build: f5networks/k8s-bigip-ctlr:2.10.1
AS3 Version: 3.4
Orchestration: K8S
Orchestration Version: 1.24.4
Additional Setup details: nfs.csi.k8s.io (https://github.com/kubernetes-csi/csi-driver-nfs)

Description

When using an NFS storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: f5-ipam-shared-sc
provisioner: nfs.csi.k8s.io
parameters:
  server: 172.17.20.200
  share: /f5-ipam
  csi.storage.k8s.io/provisioner-secret-name: "f5-ipam-shared-csi-secret"
  csi.storage.k8s.io/provisioner-secret-namespace: "kube-system"
reclaimPolicy: Retain
volumeBindingMode: Immediate
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: f5-ipam-controller
  namespace: kube-system
spec:
  repo: https://f5networks.github.io/f5-ipam-controller/helm-charts/stable
  chart: f5-ipam-controller
  version: 0.0.3
  targetNamespace: kube-system
  valuesContent: |-
    nodeSelector:
      kubernetes.io/os: linux
    pvc:
      create: true
      name: f5-ipam-controller-pvc
      storageClassName: f5-ipam-shared-sc
      accessMode: ReadWriteOnce
      storage: 512Mi
    args:
      orchestration: "kubernetes"
      provider: "f5-ip-provider"
      ip_range: '{"iprange":"172.17.20.100-172.17.20.199"}'
      log_level: DEBUG
    image:
      version: 0.1.8
      pullPolicy: IfNotPresent
    securityContext:
      runAsUser: 1200
      runAsGroup: 1200
      fsGroup: 1200

The helm install will work; however, the IPAM Controller Pod will not run due to a permission issue:

2022/12/02 12:59:31 [DEBUG] Creating IPAM Kubernetes Client
2022/12/02 12:59:31 [INFO] [INIT] Starting: F5 IPAM Controller - Version: 0.1.8, BuildInfo: azure-2661-f66ad6d2a4a94e0f0a8619191303af556f45dd0d
2022/12/02 12:59:31 [DEBUG] [ipam] Creating Informers for Namespace kube-system
2022/12/02 12:59:31 [DEBUG] Created New IPAM Client
2022/12/02 12:59:31 [DEBUG] [MGR] Creating Manager with Provider: f5-ip-provider
2022/12/02 12:59:31 [ERROR] [STORE] Unable to read IPAM DB file due to permission issue: stat /app/ipamdb/cis_ipam.sqlite3: permission denied
2022/12/02 12:59:31 [ERROR] [PROV] Store not initialized
2022/12/02 12:59:31 [ERROR] [PROV] Failed to Initialize Provider
2022/12/02 12:59:31 [ERROR] Unable to initialize manager: [IPMG] Unable to create Provider

Even if I create a Job that sets the correct permissions, it won't do the trick:

---
apiVersion: batch/v1
kind: Job
metadata:
  name: f5-ipam-set-volume-permissions
  namespace: kube-system
spec:
  backoffLimit: 4
  template:
    spec:
      restartPolicy: Never
      volumes:
        - name: f5-ipam-controller-pvc
          persistentVolumeClaim:
            claimName: f5-ipam-controller-pvc
      containers:
        - name: f5-ipam-init-chown-data
          image: busybox
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
          command: ["chown",  "-R", "1200:1200", "/app/ipamdb/"]
          volumeMounts:
            - name: f5-ipam-controller-pvc
              mountPath: /app/ipamdb/

Steps To Reproduce

  1. Install a K8s cluster
  2. Install the NFS CSI plugin
  3. Create an NFS export on the NFS server
  4. Create a storage class with the NFS server IP and path
  5. Use helm to install the F5 IPAM controller

Expected Result

  • Helm should have an option to exclude the securityContext whenever NFS is used

Actual Result

2022/12/02 12:40:44 [ERROR] [STORE] Unable to read IPAM DB file due to permission issue: stat /app/ipamdb/cis_ipam.sqlite3: permission denied
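Added diagnostic (not the reporter's code and not part of the f5-ipam-controller project) that reproduces the permission check behind the `stat ... permission denied` line above for the chart's `runAsUser`/`runAsGroup`/`fsGroup` of 1200: it walks the path the way stat(2) does, so it names the exact ancestor directory that lacks the search bit. The `explain_chain` inputs are constructed ownership/mode tuples; `explain_path` reads the real filesystem and assumes it is run inside the pod against `/app/ipamdb`, or on the NFS server against the export directory.

```python
import os
import stat

# Constructed diagnostic (not f5-ipam-controller code). The values below are
# the securityContext from the HelmChart on this issue.
RUN_AS_UID, RUN_AS_GID, FS_GROUP = 1200, 1200, 1200
R, W, X = 4, 2, 1


def posix_access(st_uid, st_gid, st_mode, uid, gid, groups, want):
    """Owner/group/other class check for a non-root process; ACLs and
    CAP_DAC_OVERRIDE are ignored, which is what runAsUser: 1200 gets."""
    if uid == st_uid:
        bits = (st_mode >> 6) & 7
    elif gid == st_gid or st_gid in set(groups):
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return bits & want == want


def explain_chain(chain, uid=RUN_AS_UID, gid=RUN_AS_GID, groups=(FS_GROUP,)):
    """chain: list of (path, st_uid, st_gid, mode, is_dir) from "/" down to
    the target, in order. Mirrors stat(2)/open(2): every ancestor needs the
    search (x) bit; the target needs r+w if it is the SQLite file, or w+x if
    it is the directory the file will be created in. Returns "ok" or the
    first component that yields EACCES (the log's 'permission denied')."""
    for i, (path, st_uid, st_gid, mode, is_dir) in enumerate(chain):
        last = i == len(chain) - 1
        want = (W | X if is_dir else R | W) if last else X
        if not posix_access(st_uid, st_gid, mode, uid, gid, groups, want):
            return (f"permission denied at {path} "
                    f"(owner {st_uid}:{st_gid}, mode {mode:04o})")
    return "ok"


def explain_path(path, uid=RUN_AS_UID, gid=RUN_AS_GID, groups=(FS_GROUP,)):
    """Build the chain from the real filesystem (inside the pod, or on the
    NFS server against the export) and evaluate it for the chart's ids."""
    abs_path = os.path.abspath(path)
    chain, cur = [], os.sep
    for part in [""] + [p for p in abs_path.split(os.sep) if p]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        chain.append((cur, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                      stat.S_ISDIR(st.st_mode)))
    return explain_chain(chain, uid, gid, groups)
```

Call `explain_path("/app/ipamdb/cis_ipam.sqlite3")` from a shell in the pod to see which component blocks uid 1200. The `fsGroup` supplementary group only helps where kubelet changes the volume's group ownership, which it does not do on a shared NFS export, so there the export's existing owner and mode decide the outcome.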
rhessing added the bug label on Dec 2, 2022
@mdditt2000
Contributor

@rhessing please contact PM at automation_toolchain_pm@f5.com so we can prioritize this issue

@trinaths
Collaborator

trinaths commented Dec 6, 2022

@rhessing please contact PM at automation_toolchain_pm@f5.com so we can prioritize this issue

@shkarface

It should be a very easy fix to update the helm chart to support new security requirements. I will try to fix this tomorrow as we have a requirement on this as well.

@arunmk

arunmk commented Jul 2, 2024

@shkarface could you please mention if there has been any progress on this?

Also, could you mention if there is a workaround until the fix arrives?

Never mind, I built another container with the directory pre-created for my testing purposes.
