Closed
Labels: enhancement (New feature or request), refined (Requirements are refined and the issue is ready to be implemented.), size/medium (Estimated to be completed within a week)
Describe the bug
NGF fails to deploy on OpenShift when using the Helm chart.
Output:
```
[cloud-user@ocp-provisioner nginx-gateway-fabric]$ helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
Pulled: ghcr.io/nginxinc/charts/nginx-gateway-fabric:1.1.0
Digest: sha256:2a3aa5e2b61334a135b909f389b190ed9514b2d77c529068eb3bef4e08d0f7ec
W0312 16:49:51.427508 14348 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx-gateway" must not include "KILL" in securityContext.capabilities.add), seccompProfile (pod or containers "nginx-gateway", "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
Deployment is created with this condition:
```yaml
status:
  conditions:
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Created new replica set "ngf-nginx-gateway-fabric-777dc84497"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-03-12T20:49:51Z"
    lastUpdateTime: "2024-03-12T20:49:51Z"
    message: 'pods "ngf-nginx-gateway-fabric-777dc84497-" is forbidden: unable to
      validate against any security context constraint: [provider "anyuid": Forbidden:
      not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup:
      Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser:
      Invalid value: 102: must be in the ranges: [1000700000, 1000709999], spec.containers[0].securityContext.capabilities.add:
      Invalid value: "KILL": capability may not be added, spec.containers[1].securityContext.runAsUser:
      Invalid value: 101: must be in the ranges: [1000700000, 1000709999], provider
      "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
      Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
      not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden:
      not usable by user or serviceaccount, provider "machine-api-termination-handler":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
      Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
      not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
      usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable
      by user or serviceaccount, provider "privileged": Forbidden: not usable by user
      or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1
```
To Reproduce
- Create an OpenShift cluster
- Install the Gateway API resources
- Run `helm install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway`
Expected behavior
NGF deploys correctly.
Your environment
- Version of the NGINX Gateway Fabric - 1.1.0
- Version of Kubernetes - 1.25.10
- Kubernetes platform (e.g. Minikube or GCP) - OpenShift v4.12.20
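
As an added example (not part of the original report and not code from the NGINX Gateway Fabric project), this Python script splits the `FailedCreate` message above into the SCCs the service account is not granted and the per-field violations reported by the SCC that was evaluated. The function name `parse_scc_denial` and the abridged `SAMPLE` string are assumptions made for this example.

```python
import re

# Abridged from the FailedCreate message in the report above (most of the
# "not usable" providers are omitted); line folding mirrors the YAML output.
SAMPLE = """pods "ngf-nginx-gateway-fabric-777dc84497-" is forbidden: unable to
validate against any security context constraint: [provider "anyuid": Forbidden:
not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup:
Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser:
Invalid value: 102: must be in the ranges: [1000700000, 1000709999], spec.containers[0].securityContext.capabilities.add:
Invalid value: "KILL": capability may not be added, spec.containers[1].securityContext.runAsUser:
Invalid value: 101: must be in the ranges: [1000700000, 1000709999], provider
"restricted": Forbidden: not usable by user or serviceaccount, provider "privileged":
Forbidden: not usable by user or serviceaccount]"""

# Provider names appear both quoted and unquoted in the message.
PROVIDER = re.compile(r'provider "?([\w-]+)"?: ')
# One violation: <field path>: Invalid value: <value>: <reason>
VIOLATION = re.compile(
    r'\.?(spec\.[\w.\[\]]+): Invalid value: (.+?): (.+?)(?=, \.?spec\.|,?\s*$)')


def parse_scc_denial(message):
    """Return (unusable, violations): SCCs the service account cannot use,
    and {scc: [(field, value, reason), ...]} for SCCs that were evaluated."""
    text = " ".join(message.split())          # undo YAML line folding
    start = text.find("[provider ")
    if start == -1 or not text.endswith("]"):
        raise ValueError("not an SCC validation denial")
    parts = PROVIDER.split(text[start + 1:-1])
    unusable, violations = [], {}
    for name, detail in zip(parts[1::2], parts[2::2]):
        if detail.startswith("Forbidden: not usable"):
            unusable.append(name)
        else:
            violations[name] = [m.groups() for m in VIOLATION.finditer(detail)]
    return unusable, violations


if __name__ == "__main__":
    unusable, violations = parse_scc_denial(SAMPLE)
    print("not granted to the service account:", ", ".join(unusable))
    for scc, items in violations.items():
        for field, value, reason in items:
            print(f"{scc}: {field} = {value} -> {reason}")
```

Run on the message from this report, it shows `restricted-v2` as the only SCC evaluated against the pod spec, with four rejected fields: `fsGroup` 1001, `runAsUser` 102 and 101, and the added `KILL` capability.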