mayastor: default installation results in warnings; CRDs missing

On a freshly set up cluster:

  • helm repo add mayastor https://openebs.github.io/mayastor-extensions/
  • helm install mayastor mayastor/mayastor -n mayastor --create-namespace --version 2.3.0
    Output:
W0726 08:59:44.637192   10122 warnings.go:70] would violate PodSecurity "restricted:latest": restricted volume types (volumes "run", "containers", "pods" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "promtail" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "promtail" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.638252   10122 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), hostPort (containers "metrics-exporter-pool", "io-engine" use hostPorts 10124, 9502), privileged (container "io-engine" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "agent-core-grpc-probe", "etcd-probe", "metrics-exporter-pool", "io-engine" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "agent-core-grpc-probe", "etcd-probe", "metrics-exporter-pool", "io-engine" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "device", "udev", "configlocation" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "agent-core-grpc-probe", "etcd-probe", "metrics-exporter-pool", "io-engine" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "agent-core-grpc-probe", "etcd-probe", "metrics-exporter-pool", "io-engine" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.638422   10122 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), hostPort (container "agent-ha-node" uses hostPort 50053), privileged (container "agent-ha-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "agent-cluster-grpc-probe", "agent-ha-node" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "agent-cluster-grpc-probe", "agent-ha-node" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "device", "sys", "run-udev", "plugin-dir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "agent-cluster-grpc-probe", "agent-ha-node" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "agent-cluster-grpc-probe", "agent-ha-node" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.640310   10122 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), hostPort (container "csi-driver-registrar" uses hostPort 10199), privileged (container "csi-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "csi-node", "csi-driver-registrar" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "csi-node", "csi-driver-registrar" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "device", "sys", "run-udev", "registration-dir", "plugin-dir", "kubelet-dir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "csi-node", "csi-driver-registrar" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "csi-node", "csi-driver-registrar" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.666222   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "agent-core-grpc-probe", "etcd-probe", "operator-diskpool" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "agent-core-grpc-probe", "etcd-probe", "operator-diskpool" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "agent-core-grpc-probe", "etcd-probe", "operator-diskpool" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "agent-core-grpc-probe", "etcd-probe", "operator-diskpool" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.668840   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "etcd-probe", "agent-core", "agent-ha-cluster" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "etcd-probe", "agent-core", "agent-ha-cluster" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "etcd-probe", "agent-core", "agent-ha-cluster" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "etcd-probe", "agent-core", "agent-ha-cluster" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.668890   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "agent-core-grpc-probe", "etcd-probe", "api-rest" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "agent-core-grpc-probe", "etcd-probe", "api-rest" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "agent-core-grpc-probe", "etcd-probe", "api-rest" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "agent-core-grpc-probe", "etcd-probe", "api-rest" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.669231   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "obs-callhome", "obs-callhome-stats" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "obs-callhome", "obs-callhome-stats" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "obs-callhome", "obs-callhome-stats" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "obs-callhome", "obs-callhome-stats" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.677145   10122 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (containers "api-rest-probe", "csi-provisioner", "csi-attacher", "csi-snapshotter", "csi-snapshot-controller", "csi-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "api-rest-probe", "csi-provisioner", "csi-attacher", "csi-snapshotter", "csi-snapshot-controller", "csi-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "api-rest-probe", "csi-provisioner", "csi-attacher", "csi-snapshotter", "csi-snapshot-controller", "csi-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "api-rest-probe", "csi-provisioner", "csi-attacher", "csi-snapshotter", "csi-snapshot-controller", "csi-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.698508   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "volume-permissions", "loki" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "volume-permissions", "loki" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod must not set securityContext.runAsNonRoot=false), runAsUser=0 (container "volume-permissions" must not set runAsUser=0), seccompProfile (pod or containers "volume-permissions", "loki" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0726 08:59:44.705273   10122 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-permissions" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "volume-permissions", "etcd" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-permissions" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "volume-permissions" must not set runAsUser=0), seccompProfile (pod or containers "volume-permissions", "etcd" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  • kubectl --kubeconfig ../kubeconfig get pods -n mayastor
    Output:
NAME                                          READY   STATUS     RESTARTS   AGE
mayastor-agent-core-7c45b7b6c4-9z5b6          0/2     Init:0/1   0          10m
mayastor-agent-ha-node-5b59v                  0/1     Init:0/1   0          10m
mayastor-agent-ha-node-l4htt                  0/1     Init:0/1   0          10m
mayastor-agent-ha-node-zx6t4                  0/1     Init:0/1   0          10m
mayastor-api-rest-754644d4cb-2fgkf            0/1     Init:0/2   0          10m
mayastor-csi-controller-5bbb99bf6-d7dh9       0/5     Init:0/1   0          10m
mayastor-csi-node-2gjhf                       2/2     Running    0          10m
mayastor-csi-node-8xml7                       2/2     Running    0          10m
mayastor-csi-node-pbxqh                       2/2     Running    0          10m
mayastor-etcd-0                               0/1     Pending    0          10m
mayastor-etcd-1                               0/1     Pending    0          10m
mayastor-etcd-2                               0/1     Pending    0          10m
mayastor-io-engine-9cvbd                      0/2     Pending    0          10m
mayastor-io-engine-mvbtf                      0/2     Pending    0          10m
mayastor-io-engine-t6hcf                      0/2     Pending    0          10m
mayastor-loki-0                               0/1     Pending    0          10m
mayastor-obs-callhome-c76f65bd9-4ll8p         2/2     Running    0          10m
mayastor-operator-diskpool-5955fcd645-nr67v   0/1     Init:0/2   0          10m
mayastor-promtail-djhxp                       1/1     Running    0          10m
mayastor-promtail-k8rk7                       1/1     Running    0          10m
mayastor-promtail-prgch                       1/1     Running    0          10m
  • kubectl --kubeconfig ../kubeconfig get dsp -n mayastor
    Output:
error: the server doesn't have a resource type "dsp"
  • kubectl --kubeconfig ../kubeconfig -n mayastor get msp
    Output:
error: the server doesn't have a resource type "msp"
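
Each warning above packs several Pod Security Admission checks for one workload into a single klog line. The following Python script is an added example, not part of the original issue or the Mayastor project: it parses that format and separates the checks that the Baseline profile also rejects (host namespaces, hostPort, privileged, hostPath volumes) from Restricted-only ones, which shows which workloads can only be admitted at the privileged level. The function names are hypothetical, and the sample lines are abridged from the output above with a shared constructed prefix.

```python
import re

# Checks the Baseline Pod Security Standard rejects too (not only Restricted).
BASELINE_CHECKS = {"host namespaces", "hostPort", "privileged"}
HEAD = re.compile(r'would violate PodSecurity "([^"]+)": (.*)$')
CHECK = re.compile(r'([^(),]+) \(([^()]*)\)')  # "<check> (<detail>)"
NAMES = re.compile(r'\b(?:containers?|volumes?) ((?:"[^"]+"(?:, )?)+)')

def parse_warning(line):
    """Return (profile, [(check, subjects, detail), ...]) or None if not a PSA warning."""
    m = HEAD.search(line)
    if not m:
        return None
    findings = []
    for check, detail in CHECK.findall(m.group(2)):
        subjects = [name for group in NAMES.findall(detail)
                    for name in re.findall(r'"([^"]+)"', group)]
        findings.append((check.strip(), subjects, detail))
    return m.group(1), findings

def baseline_blockers(findings):
    """Subset of failed checks that would also fail under the Baseline profile."""
    hits = set()
    for check, _subjects, detail in findings:
        if check in BASELINE_CHECKS:
            hits.add(check)
        elif check == "restricted volume types" and 'type "hostPath"' in detail:
            hits.add("hostPath volumes")  # Baseline forbids hostPath as well
    return hits

# Sample lines abridged from the output above; PREFIX is a constructed shared header.
PREFIX = 'W0726 08:59:44.640310   10122 warnings.go:70] would violate PodSecurity "restricted:latest": '
SAMPLE = [
    PREFIX + 'host namespaces (hostNetwork=true), '
    'hostPort (container "csi-driver-registrar" uses hostPort 10199), '
    'privileged (container "csi-node" must not set securityContext.privileged=true), '
    'unrestricted capabilities (containers "csi-node", "csi-driver-registrar" '
    'must set securityContext.capabilities.drop=["ALL"]), '
    'restricted volume types (volumes "device", "sys" use restricted volume type "hostPath")',
    PREFIX + 'allowPrivilegeEscalation != false (containers "obs-callhome", "obs-callhome-stats" '
    'must set securityContext.allowPrivilegeEscalation=false), '
    'seccompProfile (pod or containers "obs-callhome", "obs-callhome-stats" must set '
    'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
]

if __name__ == "__main__":
    for line in SAMPLE:
        profile, findings = parse_warning(line)
        blockers = baseline_blockers(findings)
        print(profile, "privileged" if blockers else "baseline", sorted(blockers))
```

For each line the script prints the lowest Pod Security level that would admit the workload, followed by the Baseline-level checks it fails.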

About this issue

  • State: closed
  • Created a year ago
  • Comments: 28 (13 by maintainers)

Most upvoted comments

Yeah, so that’s not what we want to do here; please undo that change for now. For Mayastor volumes there’s no correlation at all. But Mayastor itself makes use of its own etcd cluster, as well as a Loki instance for log collection (useful to generate a support bundle), and these two things need storage. We use 3rd-party Helm charts for this, which consume storage via a StorageClass! And this is the storage class we need to give our Helm chart when installing Mayastor, as by default it uses the default storage class, IIRC. @Abhinandan-Purkait @avishnu I think we probably need to clarify this in the docs, if it’s not already.