Symptoms
Event Streams components report that an action is forbidden, stating that it is unable to validate against any security context constraint.
This could result in symptoms such as:
-
Installation of the operator is pending and eventually times out.
- Navigating to the Conditions section for the specific operator deployment under Workloads > Deployment will display a message similar to the following example:
pods "eventstreams-cluster-operator-55d6f4cdf7-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "secret": secret volumes are not allowed to be used spec.volumes[1]: Invalid value: "secret": secret volumes are not allowed to be used]
- Navigating to the Conditions section for the specific operator deployment under Workloads > Deployment will display a message similar to the following example:
-
Creating an instance of Event Streams is pending and eventually times out.
- Navigating to the Events tab for the specific instance stateful set under Workloads > Stateful Sets displays a message similar to the following example:
create Pod quickstart-zookeeper-0 in StatefulSet quickstart-zookeeper failed error: pods "quickstart-zookeeper-0" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.readOnlyRootFilesystem: Invalid value: false: ReadOnlyRootFilesystem must be set to true]
- Navigating to the Events tab for the specific instance stateful set under Workloads > Stateful Sets displays a message similar to the following example:
-
On a running instance of Event Streams, a pod that has bounced never comes back up.
- Navigating to the Conditions section for the specific instance deployment under Workloads > Deployment will display a message similar to the following example:
is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.readOnlyRootFilesystem: Invalid value: false: ReadOnlyRootFilesystem must be set to true spec.containers[0].securityContext.readOnlyRootFilesystem: Invalid value: false: ReadOnlyRootFilesystem must be set to true]
- Navigating to the Conditions section for the specific instance deployment under Workloads > Deployment will display a message similar to the following example:
Causes
Event Streams has been tested with the default restricted Security Context Constraint (SCC) provided by the OpenShift Container Platform.
If a user or any other operator applies a custom SCC that removes permissions required by Event Streams, then this will cause issues.
Resolving the problem
Apply the custom Security Context Constraint (SCC) provided by IBM Event Automation to enable permissions required by the product.
To do this, edit the event-automation-scc.yaml file to add your namespace and apply it using oc tool as follows:
-
Edit the
event-automation-scc.yamland add the namespace where your Event Streams instance is installed. -
Log in to your Red Hat OpenShift Container Platform as a cluster administrator by using the
ocCLI (oc login). -
Run the following command to apply the SCC:
oc apply -f <custom_scc_file_path>For example:
oc apply -f event-automation-scc.yaml