我有两个集群。Kubernetes 1.25和Openshift 4.11
apiVersion: apps/v1
kind: Deployment
metadata:
name: testcustom
#namespace: ics-e2e-pods-456
namespace: ics-e2e-deploy-7887
labels:
app: testcustom
spec:
replicas: 1
selector:
matchLabels:
app: testcustom
template:
metadata:
labels:
app: testcustom
spec:
containers:
- image: busybox #image name which should be avilable within cluster
name: container-name # name of the container inside POD
volumeMounts:
- mountPath: /myvolumepath # mount path for pvc from container
name: pvc-name # pvc name for this pod
securityContext:
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop: ["ALL"]
volumes:
- name: pvc-name # volume resource name in this POD, user can choose any name as per kubernetes
persistentVolumeClaim:
claimName: csi-block-pvc-custom-one # pvc name which was created by using claim.yaml file
当我尝试部署这个pod时,它在上面任何一个集群中都失败了,抛出了与安全上下文相关的错误。如果我修复了一个集群的问题,那么相同的规范在其他集群中不起作用。我想知道如何获得一个可以在两个集群中使用的通用部署文件
错误
Error creating: pods "testcustom-589767ccd5-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000640000, 1000649999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": : Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
在openshift中创建命名空间/项目时,请确保正确指定以下范围。这些值应该映射到fsgroup和runAsUser的yaml定义中指定的安全上下文。更多详细信息请参阅openshift文档。同样的pod定义也适用于k8s和openshift。
openshift.io/sa.scc.uid-range
openshift.io/sa.scc.supplemental-groups