Symptoms
Event Streams components report that an action is forbidden, stating that it is unable to validate against any security context constraint.
This could result in symptoms such as:
- Installation of the operator is pending and eventually times out.
  - Navigating to the Conditions section for the specific operator deployment under Workloads > Deployment will display a message similar to the following example:
    pods "eventstreams-cluster-operator-55d6f4cdf7-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "secret": secret volumes are not allowed to be used spec.volumes[1]: Invalid value: "secret": secret volumes are not allowed to be used]
- The installation of an Event Streams instance is unsuccessful and the instance reports a Failed status.
  - The conditions field under status contains the following error message:
    Exceeded timeout of 300000ms while waiting for Pods resource light-insecure-zookeeper-0 in namespace es-1 to be ready
  - The status of the <name-of-the-es-instance>-zookeeper StrimziPodSet resource contains the following error message under the conditions field:
    pods "light-insecure-zookeeper-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[3]: Invalid value: "secret": secret volumes are not allowed to be used,
- On a running instance of Event Streams, a pod that has bounced never comes back up.
  - Navigating to the Conditions section for the specific instance deployment under Workloads > Deployment will display a message similar to the following example:
    is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.readOnlyRootFilesystem: Invalid value: false: ReadOnlyRootFilesystem must be set to true spec.containers[0].securityContext.readOnlyRootFilesystem: Invalid value: false: ReadOnlyRootFilesystem must be set to true]
Causes
Event Streams has been tested with the default restricted-v2 Security Context Constraint (SCC) provided by the OpenShift Container Platform.
If a user or any other operator applies a custom SCC that removes permissions required by Event Streams, then this will cause issues.
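The rejection messages quoted under Symptoms all have the same shape: a list of reasons, each starting at a pod-spec field path or at a named SCC provider. The following added example (not part of the Event Streams documentation) splits such a message into its reasons and names the SCC setting each one points at. The function name triage and the hint wording are this example's own, and the sample string is copied from the message above.

```python
import re

# Rejection phrases from the messages on this page, paired with the SCC setting
# each one points at. The hint wording is this example's own.
HINTS = [
    (re.compile(r"(\w+) volumes are not allowed to be used"),
     "evaluated SCC does not list '{0}' under volumes"),
    (re.compile(r"ReadOnlyRootFilesystem must be set to true"),
     "evaluated SCC enforces readOnlyRootFilesystem: true"),
    (re.compile(r"not usable by user or serviceaccount"),
     "service account is not granted use of this SCC"),
]

# A reason begins at a pod-spec field path or at 'provider "<scc>"' and runs
# until the next reason or the end of the (possibly truncated) message.
START = r'(?:spec\.[\w.\[\]]+|provider "[^"]+")'
REASON = re.compile(
    rf'(?P<where>{START}):\s*(?P<detail>.*?)(?=,?\s*{START}:|\]?\s*$)', re.S)


def triage(message):
    """Return (location, hint) pairs, one per rejection reason in the message."""
    findings = []
    for m in REASON.finditer(message):
        detail = m.group("detail").strip(" ,")
        hint = detail  # fall back to the raw text for phrases not in HINTS
        for pattern, text in HINTS:
            hit = pattern.search(detail)
            if hit:
                hint = text.format(*hit.groups())
                break
        findings.append((m.group("where"), hint))
    return findings


# Sample input: the ZooKeeper StrimziPodSet message quoted under Symptoms.
SAMPLE = ('pods "light-insecure-zookeeper-0" is forbidden: unable to validate '
          'against any security context constraint: [provider "anyuid": '
          'Forbidden: not usable by user or serviceaccount, spec.volumes[3]: '
          'Invalid value: "secret": secret volumes are not allowed to be used,')

if __name__ == "__main__":
    for where, hint in triage(SAMPLE):
        print(f"{where}: {hint}")
```

A provider line means the pod's service account cannot use that SCC at all, while a spec line means an SCC was evaluated and the pod violated one of its settings.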
Resolving the problem
Apply the custom Security Context Constraint (SCC) provided by IBM Event Automation to enable permissions required by the product.
To do this, edit the event-automation-scc.yaml file to add your namespace, then apply it by using the oc tool as follows:
- Edit the event-automation-scc.yaml file and add the namespace where your Event Streams instance is installed.
- Log in to your Red Hat OpenShift Container Platform as a cluster administrator by using the oc CLI (oc login).
- Run the following command to apply the SCC:
  oc apply -f <custom_scc_file_path>
  For example:
  oc apply -f event-automation-scc.yaml