kubernetes, openshift, openshift-origin, configmap

configMap volumes are not allowed to be used


I am using OKD4, and I am trying to mount /etc/php.ini in my pods using a ConfigMap. In order to do so, I am creating the following K8S objects in my project.

ConfigMap (created before the Deployment):

  - apiVersion: v1
    kind: ConfigMap
    data:
      php.ini: |-
        [PHP]

        ;;;;;;;;;;;;;;;;;;;
        ; About php.ini   ;
        ;;;;;;;;;;;;;;;;;;;

    metadata:
      name: php-ini

Deployment object:

  - kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: privatebin
      labels:
        app: privatebin
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: privatebin
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: privatebin
            deploymentconfig: privatebin
        spec:
          containers:
            - name: privatebin
              image: <my container registry>/privatebin:${IMAGE_TAG}
              volumeMounts:
              - name: config-volume
                mountPath: php.ini
              livenessProbe:
                exec:
                  command:
                  - /bin/sh
                  - -c
                  - "[ -f /run/nginx.pid ] && ps -C nginx >/dev/null 2>&1 && ps -C php-fpm >/dev/null 2>&1"
                initialDelaySeconds: 10
                periodSeconds: 5
              readinessProbe: 
                httpGet: 
                  scheme: HTTP
                  path: /
                  port: 8080
                  initialDelaySeconds: 10
                  periodSeconds: 5
              ports:
                - containerPort: 8080
                  protocol: TCP
              resources: 
                limits:
                  cpu: "250m" # parameterize in tekton pipeline 
                  memory: "368Mi" # parameterize in tekton pipeline, maybe using template
                requests:
                  cpu: "100m" # parameterize in tekton pipeline, maybe using template
                  memory: "256Mi" # parameterize in tekton pipeline, maybe using template
              securityContext:
                runAsUser: 1000
                fsGroup: 1000
                fsGroupChangePolicy: "OnRootMismatch"
              imagePullPolicy: Always
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
          volumes:
            - name: config-volume
              configMap:
                name: php-ini
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 25%
          maxSurge: 25%

For some reason my pods are missing and there are the following errors:

The ReplicaSet also times out with a similar error: status: conditions:

Why can't I mount the ConfigMap? Is it because of the securityContext in the Deployment?

Thanks in advance,


Solution

  • (The error has nothing to do with configmaps, but when you get the error resolved you may need to tweak your configmap slightly to accurately drop the file into the directory you want it to land.)

    OKD is OpenShift, so it's using SCC (not PSP).

    By default you have access to the "restricted" SCC in your namespace. The UIDs being thrown out in the error are from the namespace annotation (oc get namespace FOO -o yaml will show them).

    To fix:
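
The diagnosis above can be reproduced offline. This is an added example, not part of the original answer and not the fix it refers to: it compares every explicit `runAsUser` in a pod template with the namespace's UID range. It assumes the range is stored in the `openshift.io/sa.scc.uid-range` annotation as `<start>/<size>`; the annotation value shown is constructed, and the pod spec is the question's Deployment reduced to the relevant fields.

```python
# Added example. The annotation value and namespace are constructed; the pod
# template mirrors the securityContext from the Deployment in the question.
UID_RANGE_KEY = "openshift.io/sa.scc.uid-range"


def parse_uid_range(value):
    """Turn '<start>/<size>' into an inclusive (low, high) pair."""
    start, size = (int(part) for part in value.strip().split("/"))
    if size < 1:
        raise ValueError("empty UID range: %r" % value)
    return start, start + size - 1


def requested_uids(pod_spec):
    """Yield (where, uid) for every explicit runAsUser in a pod spec."""
    uid = pod_spec.get("securityContext", {}).get("runAsUser")
    if uid is not None:
        yield "pod", uid
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            uid = c.get("securityContext", {}).get("runAsUser")
            if uid is not None:
                yield "%s/%s" % (kind, c["name"]), uid


def out_of_range(namespace, pod_spec):
    """Return [(where, uid, low, high)] for UIDs outside the namespace range."""
    low, high = parse_uid_range(namespace["metadata"]["annotations"][UID_RANGE_KEY])
    return [(where, uid, low, high)
            for where, uid in requested_uids(pod_spec)
            if not low <= uid <= high]


# Constructed namespace object, shaped like `oc get namespace FOO -o json`.
NAMESPACE = {"metadata": {"name": "FOO", "annotations": {
    UID_RANGE_KEY: "1000650000/10000"}}}

# Pod template from the question, reduced to the fields that matter here.
POD_SPEC = {"containers": [{"name": "privatebin",
                            "securityContext": {"runAsUser": 1000}}]}

if __name__ == "__main__":
    for where, uid, low, high in out_of_range(NAMESPACE, POD_SPEC):
        print("%s: runAsUser %d is outside [%d, %d]" % (where, uid, low, high))
```

A container that sets no `runAsUser` is not reported, since it requests no specific UID.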