
Comments (20)

rbaumgar commented on August 15, 2024

How can I remove runAsUser property?

from oracle-database-operator.

yunus-qureshi commented on August 15, 2024

@rbaumgar for openshift envs, you must apply this yaml

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml

and specify the service account name "sidb-sa" in the SIDB yaml

rbaumgar commented on August 15, 2024

This might be a workaround, but is never a solution. Every normal pod has to run with an arbitrary uid. Sorry, a database is a normal pod and does not require special security requirements.
You will find much more information on this and several other links
https://developers.redhat.com/articles/2021/11/11/best-practices-building-images-pass-red-hat-container-certification#

yunus-qureshi commented on August 15, 2024

Agreed. The latest v1.1.0 has an attribute called setWritePermissions. Set it to false

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/singleinstancedatabase.yaml

rbaumgar commented on August 15, 2024

does not work on singleinstancedatabase_express.yaml

Invalid value: []int64{54321}: 54321 is not an allowed group, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 54321: must be in the ranges: ...

spec:
  adminPassword:
    keepSecret: true
    secretKey: oracle_pwd
    secretName: xedb-admin-secret
  createAs: primary
  edition: express
  image:
    prebuiltDB: true
    pullFrom: 'container-registry.oracle.com/database/express:latest'
  pdbName: XEPDB1
  persistence:
    accessMode: ReadWriteOnce
    setWritePermissions: false
    size: 50Gi
    storageClass: oci-bv
  replicas: 1
  sid: XE

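The rejection quoted above comes from OpenShift's restricted-v2 SCC: with its MustRunAsRange / MustRunAs strategies, a pinned runAsUser must fall inside the UID range and fsGroup / supplementalGroups inside the GID range that OpenShift records in the namespace annotations openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups (format "<start>/<size>"); leaving those fields unset is what lets the pod run as an arbitrary UID from that range. The Python below is an added example, not code from the operator or from anyone in this thread. It reproduces that range check over two constructed pod specs, one that pins UID/GID 54321 the way the thread's init container does and one with the pins removed; the annotation values and container names are made up.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample namespace. The range values are invented, but the
# annotation names and the "<start>/<size>" format are what OpenShift writes.
NAMESPACE: Dict[str, Any] = {
    "metadata": {
        "name": "oracle",
        "annotations": {
            "openshift.io/sa.scc.uid-range": "1000680000/10000",
            "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
        },
    }
}

# Constructed pod spec that pins the oracle UID/GID 54321 (the shape
# restricted-v2 rejects with "must be in the ranges").
PINNED_POD_SPEC: Dict[str, Any] = {
    "securityContext": {"fsGroup": 54321},
    "initContainers": [
        {"name": "init-permissions", "image": "busybox",
         "securityContext": {"runAsUser": 54321}}
    ],
    "containers": [
        {"name": "xedb",
         "image": "container-registry.oracle.com/database/express:latest"}
    ],
}

# Same spec with every UID/GID pin removed: OpenShift then assigns an
# arbitrary UID and GID from the namespace ranges at admission time.
ARBITRARY_UID_POD_SPEC: Dict[str, Any] = {
    "initContainers": [{"name": "init-permissions", "image": "busybox"}],
    "containers": [
        {"name": "xedb",
         "image": "container-registry.oracle.com/database/express:latest"}
    ],
}


def parse_range(value: str) -> Tuple[int, int]:
    """Turn an OpenShift "<start>/<size>" annotation into an inclusive (min, max)."""
    start_s, size_s = value.split("/")
    start, size = int(start_s), int(size_s)
    return start, start + size - 1


def pinned_ids(pod_spec: Dict[str, Any]) -> List[Tuple[str, str, int]]:
    """Collect every UID/GID the spec pins, as (field path, "uid"|"gid", value)."""
    found: List[Tuple[str, str, int]] = []
    psc = pod_spec.get("securityContext", {})
    if "runAsUser" in psc:
        found.append(("spec.securityContext.runAsUser", "uid", psc["runAsUser"]))
    if "fsGroup" in psc:
        found.append(("spec.securityContext.fsGroup", "gid", psc["fsGroup"]))
    for gid in psc.get("supplementalGroups", []):
        found.append(("spec.securityContext.supplementalGroups", "gid", gid))
    for kind in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(kind, [])):
            csc = container.get("securityContext", {})
            if "runAsUser" in csc:
                found.append((f"spec.{kind}[{i}].securityContext.runAsUser",
                              "uid", csc["runAsUser"]))
    return found


def restricted_v2_violations(pod_spec: Dict[str, Any],
                             namespace: Dict[str, Any]) -> List[str]:
    """Return one message per pinned ID that lies outside the namespace ranges.

    An empty list means the spec passes the UID/GID part of restricted-v2;
    a spec with no pins at all always passes, because the SCC fills the
    values in itself.
    """
    ann = namespace["metadata"]["annotations"]
    ranges = {
        "uid": parse_range(ann["openshift.io/sa.scc.uid-range"]),
        "gid": parse_range(ann["openshift.io/sa.scc.supplemental-groups"]),
    }
    problems: List[str] = []
    for path, kind, value in pinned_ids(pod_spec):
        lo, hi = ranges[kind]
        if not lo <= value <= hi:
            problems.append(f"{path}: {value} must be in the range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for label, spec in (("pinned", PINNED_POD_SPEC),
                        ("arbitrary uid", ARBITRARY_UID_POD_SPEC)):
        print(label, restricted_v2_violations(spec, NAMESPACE) or "OK")
```

The check is deliberately the same one the admission error reports: pinning 54321 fails in every namespace whose allocated range does not contain it, which is why the fix is to stop pinning rather than to widen the SCC.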
yunus-qureshi commented on August 15, 2024

@rbaumgar also set the attribute prebuiltDB to false

andbos commented on August 15, 2024

Hi,

When I try to apply openshift_rbac.yaml I get the following error:

$ oc apply -f https://raw.githubusercontent.com/oracle/oracle-database-operator/main/config/samples/sidb/openshift_rbac.yaml
serviceaccount/sidb-sa created
role.rbac.authorization.k8s.io/use-sidb-scc created
rolebinding.rbac.authorization.k8s.io/use-sidb-scc created
error: resource mapping not found for name: "sidb-scc" namespace: "default" from "https://raw.githubusercontent.com/oracle/oracle-database-operator/main/config/samples/sidb/openshift_rbac.yaml": no matches for kind "SecurityContextConstraints" in version "v1"
ensure CRDs are installed first

Installation of the operator went fine:

$ oc apply -f https://raw.githubusercontent.com/oracle/oracle-database-operator/main/oracle-database-operator.yaml
namespace/oracle-database-operator-system created
customresourcedefinition.apiextensions.k8s.io/autonomouscontainerdatabases.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/autonomousdatabasebackups.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/autonomousdatabaserestores.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/autonomousdatabases.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/cdbs.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/databaseobservers.observability.oracle.com created
customresourcedefinition.apiextensions.k8s.io/dataguardbrokers.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/dbcssystems.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/oraclerestdataservices.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/pdbs.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/shardingdatabases.database.oracle.com created
customresourcedefinition.apiextensions.k8s.io/singleinstancedatabases.database.oracle.com created
role.rbac.authorization.k8s.io/oracle-database-operator-leader-election-role created
clusterrole.rbac.authorization.k8s.io/oracle-database-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/oracle-database-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/oracle-database-operator-oracle-database-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/oracle-database-operator-oracle-database-operator-leader-election-rolebinding created
rolebinding.rbac.authorization.k8s.io/oracle-database-operator-oracle-database-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/oracle-database-operator-proxy-rolebinding created
service/oracle-database-operator-controller-manager-metrics-service created
service/oracle-database-operator-webhook-service created
certificate.cert-manager.io/oracle-database-operator-serving-cert created
issuer.cert-manager.io/oracle-database-operator-selfsigned-issuer created
mutatingwebhookconfiguration.admissionregistration.k8s.io/oracle-database-operator-mutating-webhook-configuration created
validatingwebhookconfiguration.admissionregistration.k8s.io/oracle-database-operator-validating-webhook-configuration created
deployment.apps/oracle-database-operator-controller-manager created

$ oc -n oracle-database-operator-system get pods
NAME                                                           READY   STATUS    RESTARTS   AGE
oracle-database-operator-controller-manager-7f84b7dc4b-994lm   1/1     Running   0          18s
oracle-database-operator-controller-manager-7f84b7dc4b-t5j7r   1/1     Running   0          18s
oracle-database-operator-controller-manager-7f84b7dc4b-twf7d   1/1     Running   0          18s

rbaumgar commented on August 15, 2024

@andbos this works only on OpenShift. Openshift has an SCC object:

$ oc get crd securitycontextconstraints.security.openshift.io -o yaml|grep storedVersion -A2
  storedVersions:
  - v1

andbos commented on August 15, 2024

Yes, started testing in OpenShift.

$ oc version
Client Version: 4.14.11
Kustomize Version: v5.0.1
Server Version: 4.14.12
Kubernetes Version: v1.27.10+28ed2d7

The instance was installed properly anyway...

$ oc -n default get singleinstancedatabase
NAME            EDITION      STATUS    ROLE      VERSION      CONNECT STR                                                                            TCPS CONNECT STR   OEM EXPRESS URL
sinchdb11rhos   Enterprise   Healthy   PRIMARY   21.3.0.0.0   605682735.eu-west-1.elb.amazonaws.com:1521/RHOSDB11   Unavailable        https://605682735.eu-west-1.elb.amazonaws.com:5500/em

No errors in the operator logs.

rbaumgar commented on August 15, 2024

Oh, I see. The SCC is completely wrongly formatted and the API version is wrong. :-(

IshaanDesai45 commented on August 15, 2024

@rbaumgar updated the steps to deploy a SIDB in a normal namespace/project in OpenShift. Kindly check the PR above.

rbaumgar commented on August 15, 2024

@IshaanDesai45 I created a new NS oracle,
updated the deployment of the operator,
created a new SID.
Nothing happens.

operator.log:

```
2024-07-04T08:40:28Z INFO singleinstancedatabase-resource default {"name": "freedb"}
2024-07-04T08:40:28Z INFO singleinstancedatabase-resource validate create {"name": "freedb"}
W0704 08:40:52.733694 1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.PDB: pdbs.database.oracle.com is forbidden: User "system:serviceaccount:oracle-database-operator-system:default" cannot list resource "pdbs" in API group "database.oracle.com" in the namespace "oracle"
E0704 08:40:52.733826 1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.PDB: failed to list *v1alpha1.PDB: pdbs.database.oracle.com is forbidden: User "system:serviceaccount:oracle-database-operator-system:default" cannot list resource "pdbs" in API group "database.oracle.com" in the namespace "oracle"
```

IshaanDesai45 commented on August 15, 2024

The pdb controller is causing this issue. Can you tell me how you are deploying the operator, in the namespaced scope or the cluster scope?

rbaumgar commented on August 15, 2024

I am using the namespace-based installation and added your newly created openshift-rbac.

rbaumgar commented on August 15, 2024

BTW, it is a bad design when the operator runs with SA default and has such a rolebinding. It should be a non-default SA.

IshaanDesai45 commented on August 15, 2024

> I am using namespace based installation and added your newly created openshift-rbac.

For the namespace-based installation, did you also apply the file /rbac/default-ns-rolebinding.yaml with the corresponding namespace?

IshaanDesai45 commented on August 15, 2024

> BTW it is a bad design when the operator runs with SA default and has such a rolebinding. should be a nondefault SA.

You mean the operator pods that are currently using serviceaccount:oracle-database-operator-system:default should use serviceaccount:oracle-database-operator-system:

rbaumgar commented on August 15, 2024

yes

rbaumgar commented on August 15, 2024

The problem is fixed; it was a typo when applying rbac/default-ns-rolebinding.yaml, therefore I recommended a different approach.
Having an environment variable for the namespace would allow applying the same file to multiple namespaces.

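The forbidden error in the operator log earlier in this thread and the namespace typo above come down to the same RBAC rule: a RoleBinding grants only inside the namespace it is created in, so a namespaced operator install needs one binding per namespace it watches, and a binding applied to a mistyped namespace silently grants nothing in the intended one. The Python below is an added example, not the operator's own code and not the contents of rbac/default-ns-rolebinding.yaml (assumed here to be a RoleBinding from the operator's default service account to the manager ClusterRole). It models Kubernetes RBAC resolution for the subject the log reports and generates the per-namespace binding from a single namespace parameter, which is the environment-variable approach suggested above; the ClusterRole is a constructed stand-in that carries only the database.oracle.com rule.

```python
from typing import Any, Dict, List

OPERATOR_NS = "oracle-database-operator-system"
# Subject string exactly as the operator log reports it.
OPERATOR_SA = f"system:serviceaccount:{OPERATOR_NS}:default"

# Constructed ClusterRole: the real manager role grants much more; only the
# database.oracle.com rule matters for this example.
MANAGER_CLUSTER_ROLE: Dict[str, Any] = {
    "kind": "ClusterRole",
    "metadata": {"name": "oracle-database-operator-manager-role"},
    "rules": [{
        "apiGroups": ["database.oracle.com"],
        "resources": ["pdbs", "singleinstancedatabases"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}


def rolebinding_for_namespace(namespace: str) -> Dict[str, Any]:
    """Per-namespace RoleBinding (assumed shape of default-ns-rolebinding.yaml).

    The namespace is the only thing that varies, so a single parameter or
    environment variable can render the binding for every watched namespace.
    """
    return {
        "kind": "RoleBinding",
        "metadata": {"name": "oracle-database-operator-manager-rolebinding",
                     "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": MANAGER_CLUSTER_ROLE["metadata"]["name"]},
        "subjects": [{"kind": "ServiceAccount", "name": "default",
                      "namespace": OPERATOR_NS}],
    }


def _matches(patterns: List[str], value: str) -> bool:
    return "*" in patterns or value in patterns


def _subject_id(subject: Dict[str, str]) -> str:
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def allowed(subject_id: str, verb: str, api_group: str, resource: str,
            namespace: str, objects: List[Dict[str, Any]]) -> bool:
    """Resolve (Cluster)RoleBindings to (Cluster)Roles the way the API server does."""
    roles = {
        (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
        for o in objects if o["kind"] in ("Role", "ClusterRole")
    }
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding grants only inside the namespace it was created in.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if subject_id not in {_subject_id(s) for s in binding["subjects"]}:
            continue
        ref = binding["roleRef"]
        ref_ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ref_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role["rules"]:
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False


def operator_can_watch_pdbs(namespace: str, objects: List[Dict[str, Any]]) -> bool:
    """Both verbs the reflector in the log needs before it can run."""
    return all(allowed(OPERATOR_SA, verb, "database.oracle.com", "pdbs", namespace, objects)
               for verb in ("list", "watch"))


if __name__ == "__main__":
    install = [MANAGER_CLUSTER_ROLE, rolebinding_for_namespace(OPERATOR_NS)]
    print("oracle before binding:", operator_can_watch_pdbs("oracle", install))
    install.append(rolebinding_for_namespace("oracle"))
    print("oracle after binding:", operator_can_watch_pdbs("oracle", install))
```

Running it with only the operator's own namespace bound reproduces the forbidden condition for namespace "oracle"; adding the generated binding for "oracle" clears it, and a binding rendered for a misspelled namespace leaves "oracle" denied, which is the typo failure mode.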
IshaanDesai45 commented on August 15, 2024

@rbaumgar we plan to add support for Helm charts for the very purpose that users wouldn't need to go and manually change the config/deployment files. So when that is published, your problem of changing the YAML files would be solved.