Security context constraints, commonly known as SCCs, let OpenShift administrators control what deployed workloads are allowed to do. Enterprises now enforce the restricted SCC as a standard. Among its other restrictions, this means that every pod, whether it comes from a plain deployment, an application, an operator or a replica set, must run as a user from a pre-allocated range of UIDs. That range is assigned to each namespace when the namespace is created, and it differs from one namespace to the next.

This becomes a problem for repeated, automated deployments where the same application has to go into many namespaces, and the namespaces themselves are created dynamically by an operator. Such applications need a fixed runAsUser: the image is pre-built, changing runAsUser per namespace is not an option, and some applications are tied to a particular UID by their existing architecture.

I recently ran into exactly this: an operator deploying an application every few seconds into a newly created namespace, with an image that has to run as UID 1000121009. The error, and then a look at the namespace itself, show what is going on: 1000121009 does not fall in the range the OpenShift SCC enforces for that namespace.

Here is the common error:
Warning FailedCreate 6m53s (x18 over 12m) replicaset-controller Error creating: pods "pod-name-56bb79f494-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000121009: must be in the ranges: [1000660000, 1000669999]]

$ oc create namespace test
namespace/test created

$ oc get namespace test -o yaml

(output trimmed to the relevant annotations)

apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    openshift.io/sa.scc.supplemental-groups: 1000660000/10000
    openshift.io/sa.scc.uid-range: 1000660000/10000

The annotation value is start/length, so 1000660000/10000 is exactly the range 1000660000 to 1000669999 quoted in the error. The cluster allocated it when the namespace was created; nothing in the deployment can change it.

Simple Solution:
Create the namespace yourself, with the UID and/or GID range the application needs, so that the cluster does not allocate one for you. Put the following into a file, say namespace.yaml, and change the ranges to your requirements. The annotation accepts either start/length, as the allocator writes it, or min-max, as used below.

$ cat namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: mynamespace
  annotations:
    openshift.io/sa.scc.supplemental-groups: 1000660000/10000
    openshift.io/sa.scc.uid-range: 1000120000-1000150000

$ oc apply -f namespace.yaml

The namespace is now created with your desired UID and/or GID range, and pods that set runAsUser to a value inside it no longer fail the UID range check. The same manifest can be applied n times, directly or from your deployment operator, and repeated deployments keep working as long as they use a UID inside the allowed range. Two things to watch: the range you pick must not overlap the ranges the cluster has already handed to other namespaces, otherwise those namespaces share UIDs and lose the per-namespace isolation the restricted SCC is meant to provide; and because the uid-range annotation is already present, the automatic allocator leaves this namespace alone and will not fill in anything else for it.
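The two checks just mentioned, written out as an added example (my own shell script, not code from the post or from OpenShift): test whether a fixed runAsUser fits a namespace's uid-range annotation, in either of the two syntaxes the annotation accepts, and test a hand-picked range for collisions against the ranges other namespaces already hold. The namespace listing is constructed inline; against a real cluster you would feed it from oc get ns instead.

```shell
#!/bin/sh
# Added example (not from the original post): check a fixed runAsUser against a
# namespace's openshift.io/sa.scc.uid-range annotation before deploying, and make
# sure a hand-picked range does not collide with ranges the cluster already
# allocated to other namespaces. Both annotation syntaxes are handled:
# "<start>/<length>" (what the allocator writes; 1000660000/10000 means
# 1000660000..1000669999) and "<min>-<max>" (what the post's namespace.yaml uses).

# Print "min max" for an annotation value; return 1 if it is malformed.
uid_range_bounds() {
    case "$1" in
        */*)
            start=${1%%/*}; length=${1#*/}
            [ "$length" -gt 0 ] 2>/dev/null || return 1
            echo "$start $((start + length - 1))" ;;
        *-*)
            min=${1%%-*}; max=${1#*-}
            [ "$max" -ge "$min" ] 2>/dev/null || return 1
            echo "$min $max" ;;
        *)
            return 1 ;;
    esac
}

# Return 0 if UID $2 lies inside annotation value $1 (the check the SCC's
# MustRunAsRange strategy performs on runAsUser), 1 otherwise.
uid_in_range() {
    bounds=$(uid_range_bounds "$1") || return 1
    min=${bounds%% *}; max=${bounds##* }
    [ "$2" -ge "$min" ] && [ "$2" -le "$max" ]
}

# Return 0 if two annotation values share at least one UID, 1 if disjoint,
# 2 if either is malformed. Overlapping ranges mean two namespaces share UIDs,
# which defeats the per-namespace isolation the restricted SCC is meant to give.
ranges_overlap() {
    a=$(uid_range_bounds "$1") || return 2
    b=$(uid_range_bounds "$2") || return 2
    amin=${a%% *}; amax=${a##* }
    bmin=${b%% *}; bmax=${b##* }
    [ "$amin" -le "$bmax" ] && [ "$bmin" -le "$amax" ]
}

# Constructed sample of a namespace listing (name <TAB> uid-range annotation),
# the shape you would get from `oc get ns -o jsonpath=...`; not captured from a
# real cluster.
tab=$(printf '\t')
EXISTING_NS="default${tab}1000000000/10000
test${tab}1000660000/10000
legacy-app${tab}1000140000/10000"

# Print "name range" for every existing namespace whose range overlaps $1;
# return 0 if there are no collisions, 1 if there are.
find_range_collisions() {
    rc=0
    while IFS="$tab" read -r name range; do
        [ -n "$name" ] || continue
        if ranges_overlap "$1" "$range"; then
            echo "$name $range"
            rc=1
        fi
    done <<EOF
$EXISTING_NS
EOF
    return $rc
}

# Demo: the post's failing case, the fixed namespace, and a collision check.
for ns_range in 1000660000/10000 1000120000-1000150000; do
    if uid_in_range "$ns_range" 1000121009; then
        echo "runAsUser 1000121009 is accepted by uid-range $ns_range"
    else
        echo "runAsUser 1000121009 is rejected by uid-range $ns_range"
    fi
done
for proposal in 1000120000-1000150000 1000120000-1000139999; do
    if find_range_collisions "$proposal"; then
        echo "proposed range $proposal is free"
    else
        echo "proposed range $proposal collides with the namespace(s) above"
    fi
done
```

Run find_range_collisions before applying a hand-written namespace.yaml; if it reports a namespace, shrink or move the range rather than sharing UIDs with it.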

SELinux Error and Solution: 
A namespace created with hand-set annotations can also fail with a related error. It looks like the one below.

Warning  FailedCreate  74s (x107 over 9h)  replicaset-controller  Error creating: pods "pod-name-operator-79888fd8c8-" is forbidden: unable to validate against any security context constraint: []

Note that the list of SCC errors is empty: no SCC could be built for this namespace at all. The restricted SCC's SELinux strategy (MustRunAs) takes its level from the namespace's openshift.io/sa.scc.mcs annotation, and a namespace whose UID range was set by hand does not receive that annotation from the automatic allocator, which skips namespaces that already carry a range. To fix this, add the MCS annotation to the namespace as well, either when creating it or by editing it afterwards:

openshift.io/sa.scc.mcs: 's0:c26,c5'

Pick a level that no other namespace in the cluster uses. The categories in this label are what SELinux uses to keep one namespace's containers away from another namespace's files and processes, so two namespaces with the same level are not separated from each other at all. oc get namespaces -o yaml | grep sa.scc.mcs lists the levels already in use.
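As an added example (my own shell script, not code from the post or from OpenShift), here is how to choose and set the MCS level defensively: validate the label's shape, normalise it so that s0:c26,c5 and s0:c5,c26 compare equal, refuse any level another namespace already holds, and only then emit a namespace manifest carrying all three annotations together. The listing of existing namespaces and their levels is constructed inline; against a real cluster you would feed it from oc get ns.

```shell
#!/bin/sh
# Added example (not from the original post): choose the openshift.io/sa.scc.mcs
# annotation for a hand-allocated namespace safely. The level must be well-formed
# and, above all, unique: namespaces sharing the same categories are not kept
# apart by SELinux, which is the whole purpose of the label.

# Normalise "s0:c26,c5" to "s0:c5,c26" so equivalent spellings compare equal.
mcs_normalize() {
    sens=${1%%:*}; cats=${1#*:}
    sorted=$(printf '%s\n' "$cats" | tr ',' '\n' | sed 's/^c//' | sort -n \
             | sed 's/^/c/' | tr '\n' ',' | sed 's/,$//')
    echo "$sens:$sorted"
}

# A usable level here is s0 plus exactly two distinct categories in c0..c1023,
# the shape the cluster's allocator writes (e.g. s0:c26,c5).
mcs_level_valid() {
    case "$1" in
        s0:c[0-9]*,c[0-9]*) ;;
        *) return 1 ;;
    esac
    cats=${1#s0:}
    c1=${cats%%,*}; c2=${cats#*,}
    case "$c2" in *,*) return 1 ;; esac
    c1=${c1#c}; c2=${c2#c}
    [ "$c1" -le 1023 ] 2>/dev/null && [ "$c2" -le 1023 ] 2>/dev/null && [ "$c1" -ne "$c2" ]
}

# Constructed sample of a namespace listing (name <TAB> mcs annotation), the
# shape you would get from `oc get ns -o jsonpath=...`; not captured from a
# real cluster.
tab=$(printf '\t')
EXISTING_MCS="default${tab}s0:c1,c0
test${tab}s0:c26,c5
legacy-app${tab}s0:c27,c4"

# Print the namespace already holding level $1 and return 1; return 0 if free.
mcs_holder() {
    want=$(mcs_normalize "$1")
    while IFS="$tab" read -r name level; do
        [ -n "$name" ] || continue
        if [ "$(mcs_normalize "$level")" = "$want" ]; then
            echo "$name"
            return 1
        fi
    done <<EOF
$EXISTING_MCS
EOF
    return 0
}

# Emit a namespace manifest ($1 name, $2 range, $3 mcs level) with all three
# annotations set at once, so the allocator has nothing left to fill in and
# the restricted SCC can be built for pods in the namespace.
render_namespace() {
    mcs_level_valid "$3" || { echo "bad MCS level: $3" >&2; return 1; }
    holder=$(mcs_holder "$3") || {
        echo "MCS level $3 is already used by namespace $holder" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  annotations:
    openshift.io/sa.scc.uid-range: $2
    openshift.io/sa.scc.supplemental-groups: $2
    openshift.io/sa.scc.mcs: '$3'
EOF
}

# Demo: the level from the post is held by namespace "test" in the constructed
# listing, so it is refused; a free level renders the manifest.
render_namespace mynamespace 1000120000-1000150000 's0:c26,c5' || echo "refused, pick another level"
render_namespace mynamespace 1000120000-1000150000 's0:c28,c7'
# Against a real cluster: render_namespace ... | oc apply -f -
```

Setting the uid-range, supplemental-groups and mcs annotations in one manifest avoids the empty-SCC error above entirely, and the uniqueness check is what keeps a hand-picked level from silently collapsing two namespaces into one SELinux domain.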

– Ritesh Kumar Gupta

Disclaimer: “The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.”