I’m trying to deploy the bitnami/kafka Helm Chart to a CodeReady Containers OpenShift cluster.
I’ve created a new “kafka” project, added the following scc to the service account and then deployed the bitnami helm release:
$ oc new-project kafka
$ oc adm policy add-scc-to-user anyuid system:serviceaccount:kafka:default
$ helm install kafka -f values.yaml bitnami/kafka
The kafka-zookeeper pod starts normally; however, the kafka pod is not starting, reporting the following event:
''create Pod kafka-0 in StatefulSet kafka failed error: pods "kafka-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1000680000, 1000689999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]''
Does anybody know how to deploy Kafka helm chart to OpenShift Cluster? Are there any other security settings necessary on the service account?
Thanks.
That is an issue you will stumble upon several times using OpenShift. Since you did not provide the contents of "values.yaml" here, I have to suppose that you did not provide any specific value for "runAsUser" and "fsGroup". Therefore, the Chart is using its default values, which seem to be 1001 for both of them. https://github.com/bitnami/charts/tree/master/bitnami/kafka The official Chart documentation specifies:
podSecurityContext.fsGroup
podSecurityContext.runAsUser
So for your values.yaml you should add something like
podSecurityContext:
  fsGroup: 1000680000
  runAsUser: 1000680000
The UID/GID range in OpenShift is defined per namespace, and the error message you get even tells you what they are. You can also find them out by reading the metadata fields from the namespace Kubernetes object itself.
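As an added worked example (not code from the question, the answer, or the Bitnami chart), the script below reads the per-namespace range the restricted SCC enforces, checks whether a given UID lies inside it, and emits the matching podSecurityContext block. It relies on two namespace annotations OpenShift sets, openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups, whose value has the form start/size, so the last allowed ID is start+size-1; the sample values 1000680000/10000 are constructed to match the range [1000680000, 1000689999] in the error message above. The function and variable names (scc_range_bounds, id_in_scc_range, fetch_scc_ranges, render_pod_security_context, UID_RANGE, GID_RANGE) are this example's own.

```shell
#!/bin/sh
# Added example: derive the UID/GID range the restricted SCC accepts for a
# namespace and build a podSecurityContext that fits inside it.
# Annotation format (set by OpenShift on every namespace): "<start>/<size>".

# Parse "<start>/<size>" and print "<start> <end>", where end = start+size-1.
scc_range_bounds() {
    case "$1" in
        */*) ;;
        *) echo "expected <start>/<size>, got: $1" >&2; return 1 ;;
    esac
    start=${1%%/*}
    size=${1#*/}
    case "$start" in ''|*[!0-9]*) echo "bad start in: $1" >&2; return 1 ;; esac
    case "$size"  in ''|*[!0-9]*) echo "bad size in: $1"  >&2; return 1 ;; esac
    echo "$start $((start + size - 1))"
}

# Return 0 if ID $1 lies within the "<start>/<size>" range $2, else 1.
id_in_scc_range() {
    bounds=$(scc_range_bounds "$2") || return 1
    lo=${bounds% *}
    hi=${bounds#* }
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Live lookup (needs an active `oc login`): prints the UID range on the
# first line and the supplemental-groups (fsGroup) range on the second.
fetch_scc_ranges() {
    oc get namespace "$1" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
    echo
    oc get namespace "$1" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}'
    echo
}

# Render a values.yaml fragment using the first ID of each range, which is
# the value the restricted SCC would assign if the fields were left unset.
# $1 = uid-range annotation, $2 = supplemental-groups annotation.
render_pod_security_context() {
    printf 'podSecurityContext:\n  fsGroup: %s\n  runAsUser: %s\n' "${2%%/*}" "${1%%/*}"
}

# Demonstration on constructed sample annotations (the range from the error
# message in the question). On a real cluster, replace these two values with
# the two lines printed by: fetch_scc_ranges kafka
UID_RANGE=1000680000/10000
GID_RANGE=1000680000/10000

# 1001 is the chart default and is rejected; 1000680000 is accepted.
for id in 1001 1000680000; do
    if id_in_scc_range "$id" "$UID_RANGE"; then
        echo "runAsUser $id is inside $UID_RANGE: restricted SCC accepts it"
    else
        echo "runAsUser $id is outside $UID_RANGE: restricted SCC rejects it"
    fi
done

# The fragment to merge into values.yaml before `helm install`.
render_pod_security_context "$UID_RANGE" "$GID_RANGE"
```

Two practical notes. First, the range is per namespace, so a values.yaml that works in the kafka project will fail in any other project unless you regenerate the fragment there. Second, the same error message lists anyuid as "not usable by user or serviceaccount" even though it was granted to the default service account; that is the symptom you get when the pod runs under a different service account, so before granting an SCC, check which account the StatefulSet actually uses with `oc get statefulset kafka -o jsonpath='{.spec.template.spec.serviceAccountName}'` and grant to that one (or keep the restricted SCC and use the in-range IDs as above, which needs no extra privileges at all).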