-
Notifications
You must be signed in to change notification settings - Fork 180
helm/2517 - Deis on OpenShift #856
Comments
Here's what I've done:
which is the most permissive role I can imagine, still only to get
I followed this, because I understood that OpenShift role based security has essentially merged with standard kube RBAC, so I guessed that either set of permissions would work. I don't really want to set the most permissive possible though, I'd love to understand why this just doesn't work. https://gist.github.com/mgoodness/bd887830cd5d483446cc4cd3cb7db09d |
I get the same results with https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
|
Did you grant tiller RBAC permissions to create objects in the "myproject" namespace? That gist you posted earlier is only relevant if tiller is installed in the kube-system namespace. It looks like from your commands you deployed tiller in the "myproject" namespace. |
Oh! The OpenShift devs helped me out, two things I'm doing wrong...
I could see this was the case by looking at
So this didn't work: but this did work:
|
Did you make sure to install Workflow with RBAC permissions? You'll need to add |
Not sure about the other issues. We don't officially support Workflow on Openshift, but please continue to post here so others can learn. |
You have been so helpful. Thank you! I did not do that. |
This big "MISSING" at the bottom looks kind of ominous... those are my RBAC roles, and I'm guessing that Missing means they're using a resource kind that I don't have on my cluster. Maybe I would have better luck with a newer OpenShift version...
|
... It is true, the OpenShift 3.4 security model had not yet started to merge with K8S RBAC because K8S was not fully baked when 3.4 was developed and released. That doesn't seem to be my problem anymore though. In 3.5 and 3.6, this should work fine. I'll test it out and add notes when I find out. If someone needs to use 3.4, there is probably a way to apply the permissions to the service accounts, but in my case it looks like the only reason I'm having problems is that I have an old |
Almost... there is a bridge for roles (OpenShift has its own role kinds that predate Kubernetes formal implementation of RBAC), but the connector goes the wrong way for what I'm trying to do:
So if you have OpenShift roles implemented, and you want to access them as Kubernetes roles, you can do it, but if you try the reverse you will know it didn't work because helm very helpfully tells you the state of these resources you created after install is There is supposedly a raw and fairly untested tool for doing the conversion of those resources and we are going to try it out against the output of |
these roles/bindings: and some combination of these scc settings:
will get you most of the way there, in the worst possible way... this still didn't quite work for me, most of the containers came up, but a few still didn't. It's a bit mysterious, but I'll try again today. Controller for instance, which was complaining about not being able to create a directory I'm saying this is the worst possible way because it's basically turning off all of the security, but I'll work on tightening it up for the PR once I figure out what's still missing! |
Hm. Today on a clean minishift, it works! I believe with no more information than I already had posted here. Waiting for Builder to come up...
... there are lots of things to work out after that, but it looks like I can use Deis Workflow on MiniShift now! That's great news, I love interchangeable parts. |
I have now deployed Workflow on OpenShift Origin as well as Minishift, and tackled some of the additional challenges that entails. I think mainly, the struggle came because this time I did not grant any privileges to ambiguous any-user They were all some subset of these serviceaccounts that required additional
My search history seems to indicate I also needed
at some point, or for some reason. These pods all needed cluster-admin I think mostly because on OpenShift, you can only enumerate namespaces if you have cluster-admin. (Edit: Perhaps there is a different endpoint that users can query to get all of their own namespaces, or projects as they're sometimes called in OpenShift) I'm not sure how we can provide CI validation for this for a release, I have cleaned my rough work up further into almost draft shape for a pull request, I am just running the deployment again onto my OpenShift/CentOS VM now to ensure the chart with rewritten roles, and a new value in values.yaml is still working as expected after I have adjusted it to fit within the template. Maybe a ten-minute YouTube video that starts from I predict a fork that is committed to supporting Deis Workflow on OpenShift and tracking maintenance as new Kube releases are tracked against OpenShift 😁 the one thing I have not yet figured out is what will allow telegraf to collect metrics, as I was able to communicate with InfluxDB from the logged-in grafana, and read the basic InfluxDB stats, and the stats from router; the interface worked but no CPU or Memory statistics were gathered, and I gather that is telegraf's job. |
I packed the changes up into one repo so they can be reviewed at-once, but https://github.com/kingdonb/openshift-deis/commits/openshift-deis-v2.17 I will unpack them into PRs on the affected I'll also need to touch base with someone else who has helm working on OpenShift realistically to get some kind of approval or review on this branch, since that is also not especially trivial or well documented. But it works! This can deploy Deis Workflow into a scratch project on OpenShift. I'll try hooking it up to #857 next, since I personally will need both. |
After a few weeks of upstream development, I went in to review this stuff and try porting it forward to the latest releases of everything (minishift, Deis, OpenShift Origin, all have had releases since 19 days ago...) I have created a new branch for openshift-deis-v2.18 so you can try release-2.17 and release-2.18, but in 2.17 I'm sure you may need to loosen the permissions model because I hadn't worked out most of the details when I put those changes in 3 weeks ago. It definitely "worked, mostly." I've figured out a little more specifically what privileges are needed in the 2.18 branch. |
Yep. The key is to make sure you get the order right. I've got almost everything coming up now, and I'm closing in on the last of the seemingly new problems I maybe created by upgrading (tl;dr: you'll see if you follow these instructions all the way down to the bottom that they're incomplete, controller and deis-monitor-telegraf both can't seem to come up properly even with all of the permissions I granted and scc rules I thought I relaxed... or did I?) These instructions "work" on a MacOS machine with Homebrew, installing Docker client v1.12.3 via DVM, with Minishift release v1.5.0 (which currently installs OpenShift v3.6.0 by default, which is roughly equivalent to Kubernetes v1.6.1): First get the right docker client version (which matches the Docker provided by Minishift) this is important for reasons I do not fully understand but, perhaps take it up with Minishift:
Then, start OpenShift via Minishift and plug Docker into it:
Create a project for Deis to live in, and get Helm up and running:
Grant a bunch of additional privileges that Deis needs on OpenShift... Give cluster-admin role to all of these deployments that have their own ServiceAccounts, since Deis will create namespaces, as well as manage and monitor all of the cluster's namespaces (projects):
Many Deis containers currently depend on being able to start with a root UID (and from what I could tell at first glance, some of them don't appear to have their own ServiceAccounts assigned yet):
At this stage because you haven't created any Router wants to be able to punch a hole to the outside network and open a listening port on the host, and OpenShift does not allow this without another scc... the hostnetwork scc:
Controller seems to need to be able to mount a HostPath volume and get access to So take care of that, and then grant your developer user some control and visibility into the project:
At this point you'd get an error already if tiller wasn't started, next log into the OpenShift dashboard at the URL you got when fixme belowThere need to be some eyes on all of what I've done above to ensure that it's granting the least required privilege. I also wasn't able to figure out how to put any of the above into YAML files which we could gate similarly to the modified roles and clusterroles we have already through the If you run into problems and want to do
Scratch space below...
|
The result is now (running tally of unresolved errors looks like): Deis Controller deploy logs
Deis Monitor Telegraf daemonset logs
Deis BuilderIt probably is just failing its readiness check because the controller service is not answering yet... I'm going to go revisit all of the previous comments I left on this issue and delete any that can be subsumed by what I'm documenting here today. Then I think I'll go back and try with the previous versions, see if something has changed with how Minishift is handling HostDir volumes (since it looks like maybe it has? More likely I think than Deis added breaking changes in v2.18, but we'll see!) |
Rolling the stack back to Minishift v1.4.1 and Deis v2.17, I had much better results:
... wait a while, then ... See that all of the health checks are OK, across the board. Add a route to deis-router through the GUI so you can reach deis.[basedomain], register a user, create an app... pop into the Service definition and find out what nodeport has been assigned, so you can correct the Add your keys with Do Pop over to the Monitoring dashboard of Openshift and watch your build! Add another route to allow traffic into your app via OpenShift's router and Deis's router (or add a wildcard route for Unfortunately Otherwise I think everything still worked at this point (with the same stack I used 19 days ago.) Unfortunately this time I tried bringing up an example app (the ruby-sinatra buildpack example) and noticed that sadly, it does not come up. (Curious as it worked last time.)
Likely owing to RBAC differences in OpenShift that we discovered a few weeks ago, that I was much more aggressively tearing down and short-circuiting in order to see if I could make it work. You could easily work around this by disabling all of the nice security features. It's going to take at least another look or two in order to figure out the "least required privilege" settings and implement it properly. I don't know who to blame yet, but it obviously can't be Deis as running on OpenShift was never a supported configuration... amirite? Next step for me is to try the newer Deis release on the older MiniShift and vice versa, and see what else is different. |
FYI, in openshift 3.7, you'll be able to use kube RBAC objects directly. Prior to that, openshift RBAC objects controller authorization policy |
@liggitt Thanks! I see there's a new Minishift release an hour ago this A.M. too. I'd imagine we're always going to need to use OpenShift objects if we want to assign special scc privileges, like anyuid or hostnetwork, unless Kubernetes proper has (or grows) a similar protection that can be mapped to these scc's. I will go ahead and try with a 3.7.0-alpha build as well, if this can be simplified in newer versions that's great but I'm pretty sure there will remain enough differences that we're going to need more adjustments (and probably will always need a |
My first problem was that I had omitted Second problem was I wasn't understanding how roles and I added to my deployment and daemonset files for
Then, from the top:
Everything appears to come online now, almost without issue! You can assign the I haven't assigned any blanket I may have granted some privileges unnecessarily (I'll go back and clean it up... I'm not sure) I am still figuring out RBAC and will harden this up but it should probably not be needed to grant This is probably the worst thing that I've still done here, but it gets a little worse as you deploy your first app... A few problems to still address:
For now, make sure helm deploys the workflow chart into the The good news is, all of this works with each of the latest stable releases, of |
This issue was moved to teamhephy/workflow#5 |
I tried to launch Workflow on OpenShift and I have followed from helm/helm#2517 where it was explained how Helm can be used on OpenShift
Is this an issue with OpenShift or with Deis? My reading is that there is a resource kind that does not exist on OpenShift yet, that Deis leveraged on a high version of Kubernetes...
The text was updated successfully, but these errors were encountered: