OpenShift, deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX is not using service account #176

Open
mlacko64 opened this issue Nov 27, 2023 · 0 comments


Describe the bug: A clear and concise description of what the bug is.

Good day,
I am facing this issue in an OpenShift Kubernetes cluster.

The deployment deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX, which is spawned after an RWX PVC is created, cannot run because of this error:

    message: 'pods "nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-5fc49cd65c-" is forbidden:
      unable to validate against any security context constraint: [provider "anyuid":
      Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].privileged:
      Invalid value: true: Privileged containers are not allowed, provider "restricted":
      Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden:
      not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable
      by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable
      by user or serviceaccount, provider "machine-api-termination-handler": Forbidden:
      not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden:
      not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not
      usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable
      by user or serviceaccount, provider "node-exporter": Forbidden: not usable by
      user or serviceaccount, provider "privileged": Forbidden: not usable by user
      or serviceaccount]'

Expected behaviour: A concise description of what you expected to happen

The deployment will run even on an OpenShift Kubernetes cluster.

Steps to reproduce the bug:
Steps to reproduce the bug should be clear and easily reproducible to help people gain an understanding of the problem

OpenShift requires the service account to be added to the privileged SCC to be able to do some privileged operations. So I installed OpenEBS the default Helm chart way and also had to run these commands:

    oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-cstor-csi-node-sa
    oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-cstor-operator
    oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs
    oc adm policy add-scc-to-user privileged system:serviceaccount:openebs:openebs-nfs-provisioner

All is running and working fine for RWO volumes.

When I create an RWX PVC request, a deployment for the PVC is spawned with the name deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX. This deployment fails because it is not running under any service account.

I am able to overcome this issue by editing this deployment and adding:

      serviceAccount: openebs-nfs-provisioner
      serviceAccountName: openebs-nfs-provisioner

Those entries are from pod/openebs-nfs-provisioner-6f579d65cd-cnvgl, but are not present in the mentioned deployment.

I understand that this is an OpenShift-specific issue; still, it would be nice to have all this working there as well.

So my question is: is there currently a way to tell OpenEBS to spawn deployment.apps/nfs-pvc-XXXXXXXXXXXXXXXXXXXX with a service account? Maybe I missed a Helm chart option.

If not, is it possible to add it, please?

Thank you very much

Environment details:

  • OpenEBS version (use kubectl get po -n openebs --show-labels):
[admin@bastion ~]$ kubectl get po -n openebs --show-labels
NAME                                                              READY   STATUS    RESTARTS      AGE   LABELS
cstor-disk-pool-2lft-684f98cb49-wssdv                             3/3     Running   0             82m   app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-2lft,openebs.io/version=3.5.0,pod-template-hash=684f98cb49
cstor-disk-pool-hq7c-8bf949bf4-ks2xz                              3/3     Running   0             82m   app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-hq7c,openebs.io/version=3.5.0,pod-template-hash=8bf949bf4
cstor-disk-pool-x96d-68bbc79885-gjwr7                             3/3     Running   0             82m   app=cstor-pool,openebs.io/cstor-pool-cluster=cstor-disk-pool,openebs.io/cstor-pool-instance=cstor-disk-pool-x96d,openebs.io/version=3.5.0,pod-template-hash=68bbc79885
nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-68478f6f69-9zlg2     1/1     Running   0             78m   nfs.openebs.io/nfs-pvc-name=pvc4registry,nfs.openebs.io/nfs-pvc-namespace=openshift-image-registry,nfs.openebs.io/nfs-pvc-uid=6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,openebs.io/nfs-server=nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,pod-template-hash=68478f6f69
openebs-cstor-admission-server-754d45d94d-5sbx9                   1/1     Running   0             82m   app=cstor-admission-webhook,chart=cstor-3.5.0,component=cstor-admission-webhook,heritage=Helm,openebs.io/component-name=cstor-admission-webhook,openebs.io/version=3.5.0,pod-template-hash=754d45d94d,release=openebs
openebs-cstor-csi-controller-0                                    6/6     Running   3 (63m ago)   82m   chart=cstor-3.5.0,component=openebs-cstor-csi-controller,controller-revision-hash=openebs-cstor-csi-controller-8b4c6f67d,heritage=Helm,name=openebs-cstor-csi-controller,openebs.io/component-name=openebs-cstor-csi-controller,openebs.io/version=3.5.0,release=openebs,statefulset.kubernetes.io/pod-name=openebs-cstor-csi-controller-0
openebs-cstor-csi-node-7lvx7                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-8tgzr                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-lmp2f                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-nfptz                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-rrgh7                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-rvn5f                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-sk559                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-csi-node-xzbx4                                      2/2     Running   0             82m   chart=cstor-3.5.0,component=openebs-cstor-csi-node,controller-revision-hash=6ccb964f7d,heritage=Helm,name=openebs-cstor-csi-node,openebs.io/component-name=openebs-cstor-csi-node,openebs.io/version=3.5.0,pod-template-generation=1,release=openebs
openebs-cstor-cspc-operator-5d56bb87f4-hw9fp                      1/1     Running   0             82m   chart=cstor-3.5.0,component=cspc-operator,heritage=Helm,name=cspc-operator,openebs.io/component-name=cspc-operator,openebs.io/version=3.5.0,pod-template-hash=5d56bb87f4,release=openebs
openebs-cstor-cvc-operator-5dbbcc978c-2ssp4                       1/1     Running   0             82m   chart=cstor-3.5.0,component=cvc-operator,heritage=Helm,name=cvc-operator,openebs.io/component-name=cvc-operator,openebs.io/version=3.5.0,pod-template-hash=5dbbcc978c,release=openebs
openebs-ndm-298mx                                                 1/1     Running   0             82m   app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-4wl7k                                                 1/1     Running   0             82m   app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-lk4dj                                                 1/1     Running   0             82m   app=openebs,component=ndm,controller-revision-hash=b74b66f7d,name=openebs-ndm,openebs.io/component-name=ndm,openebs.io/version=3.9.0,pod-template-generation=1,release=openebs
openebs-ndm-operator-79d7f69c95-p9z5v                             1/1     Running   0             82m   app=openebs,component=ndm-operator,name=ndm-operator,openebs.io/component-name=ndm-operator,openebs.io/version=3.9.0,pod-template-hash=79d7f69c95,release=openebs
openebs-nfs-provisioner-6f579d65cd-9wq2l                          1/1     Running   3 (63m ago)   78m   app=nfs-provisioner,chart=nfs-provisioner-0.10.0,component=nfs-provisioner,heritage=Helm,name=openebs-nfs-provisioner,openebs.io/component-name=openebs-nfs-provisioner,openebs.io/version=0.10.0,pod-template-hash=6f579d65cd,release=openebs
pvc-2723cbd5-5817-4580-ab9f-988bb6466be6-target-57f8d48955c67mf   3/3     Running   0             78m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81,openebs.io/persistent-volume=pvc-2723cbd5-5817-4580-ab9f-988bb6466be6,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=57f8d48955
pvc-2b479f7a-36d0-4925-aceb-197e28696966-target-68dfb4d5f7km7sp   3/3     Running   0             55m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-user-workload-db-prometheus-user-workload-0,openebs.io/persistent-volume=pvc-2b479f7a-36d0-4925-aceb-197e28696966,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=68dfb4d5f7
pvc-3185c17b-953a-4276-9376-8cfc63ba5645-target-54bf95b4d8ththj   3/3     Running   0             71m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-3,openebs.io/persistent-volume=pvc-3185c17b-953a-4276-9376-8cfc63ba5645,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=54bf95b4d8
pvc-4729e96f-ad29-4ea9-91b7-c59b62a1f7c3-target-57ffdc755976n8w   3/3     Running   0             56m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=thanos-ruler-user-workload-data-thanos-ruler-user-workload-1,openebs.io/persistent-volume=pvc-4729e96f-ad29-4ea9-91b7-c59b62a1f7c3,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=57ffdc7559
pvc-6c6112a2-a80a-4c2a-a31f-536879e88e98-target-c49f765fb-sdpmb   3/3     Running   0             55m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-k8s-db-prometheus-k8s-1,openebs.io/persistent-volume=pvc-6c6112a2-a80a-4c2a-a31f-536879e88e98,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=c49f765fb
pvc-846a3630-175e-4a3d-898a-a6f8c65a8df3-target-f7fbc949-cswzf    3/3     Running   0             71m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-2,openebs.io/persistent-volume=pvc-846a3630-175e-4a3d-898a-a6f8c65a8df3,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=f7fbc949
pvc-87d3e0ad-9423-4400-877e-80f555b0e4e0-target-86cc6497f52jrw5   3/3     Running   0             71m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=elasticsearch-elasticsearch-cdm-kluat893-1,openebs.io/persistent-volume=pvc-87d3e0ad-9423-4400-877e-80f555b0e4e0,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=86cc6497f5
pvc-95ddb76a-6c29-449e-a907-486e006bb041-target-86bd8967bd9mb9g   3/3     Running   0             56m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=thanos-ruler-user-workload-data-thanos-ruler-user-workload-0,openebs.io/persistent-volume=pvc-95ddb76a-6c29-449e-a907-486e006bb041,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=86bd8967bd
pvc-9853daf6-4a8b-4b47-a5aa-e06459a95df2-target-866c7b5fcbdbrms   3/3     Running   0             55m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-k8s-db-prometheus-k8s-0,openebs.io/persistent-volume=pvc-9853daf6-4a8b-4b47-a5aa-e06459a95df2,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=866c7b5fcb
pvc-cfaf271c-fc86-4172-9649-123d749eb6b1-target-79c7b8c8459l54q   3/3     Running   0             55m   app=cstor-volume-manager,monitoring=volume_exporter_prometheus,openebs.io/persistent-volume-claim=prometheus-user-workload-db-prometheus-user-workload-1,openebs.io/persistent-volume=pvc-cfaf271c-fc86-4172-9649-123d749eb6b1,openebs.io/target=cstor-target,openebs.io/version=3.5.0,pod-template-hash=79c7b8c845
[admin@bastion ~]$
  • Kubernetes version (use kubectl version):
[admin@bastion ~]$ oc version
Client Version: 4.13.22
Kustomize Version: v4.5.7
Server Version: 4.13.22
Kubernetes Version: v1.26.9+636f2be
  • Cloud provider or hardware configuration:
Baremetal based OpenShift 4.13.22 cluster 
  • OS (e.g: cat /etc/os-release):
Red Hat Enterprise Linux CoreOS 413.92.202311061658-0 (Plow)
  • kernel (e.g: uname -a):
Linux infra02.dev1.ocp4.baremetal.xyz 5.14.0-284.40.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Nov 1 10:30:09 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
  • others:
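
An added diagnostic example, not part of the original issue or of OpenEBS: it parses the SCC admission error quoted above and separates SCCs the pod's identity has no grant for ("not usable by user or serviceaccount") from SCCs it may use but whose rules the pod spec violates. The function names are hypothetical; the sample input is the error text from this issue.

```python
import re

# Admission error copied from the issue above (YAML quoting removed,
# line wrapping kept as posted).
SCC_ERROR = """\
pods "nfs-pvc-6011f1fc-49e6-4c0b-a6a7-b2d2f6208e81-5fc49cd65c-" is forbidden:
unable to validate against any security context constraint: [provider "anyuid":
Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].privileged:
Invalid value: true: Privileged containers are not allowed, provider "restricted":
Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden:
not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable
by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable
by user or serviceaccount, provider "machine-api-termination-handler": Forbidden:
not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden:
not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not
usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable
by user or serviceaccount, provider "node-exporter": Forbidden: not usable by
user or serviceaccount, provider "privileged": Forbidden: not usable by user
or serviceaccount]
"""

NOT_GRANTED = "not usable by user or serviceaccount"
# One entry per SCC; the provider name may or may not be quoted.
ENTRY = re.compile(r'provider "?([\w.-]+)"?: (.*?)(?=, provider |\]$)')

def classify_scc_denials(message):
    """Return (SCCs with no grant, {usable SCC: field violation})."""
    flat = " ".join(message.split())  # undo the line wrapping
    not_granted, violated = [], {}
    for name, reason in ENTRY.findall(flat):
        if NOT_GRANTED in reason:
            not_granted.append(name)
        else:
            violated[name] = reason
    return not_granted, violated

def diagnose(message, needed_scc="privileged"):
    """Say whether the failure is a missing SCC grant or a spec violation."""
    not_granted, violated = classify_scc_denials(message)
    if needed_scc in not_granted:
        return (f"pod identity has no grant for SCC '{needed_scc}'; "
                f"evaluated only against: {', '.join(sorted(violated))}")
    return f"SCC '{needed_scc}' is granted; field violations: {violated}"

if __name__ == "__main__":
    print(diagnose(SCC_ERROR))
```

For this error the only SCC actually evaluated is restricted-v2, which rejects `privileged: true`, so the service account the pod was admitted under has no `privileged` grant.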