Which component:
The name (and version) of the affected component (controller or kubeseal)
controller v0.28.0
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
The Problem is that the default controller.yaml have runAsUser and fsGroup which do not work on OpenShift when anyuid is not allowed and no fsGroup is setuped.
You will get this message
72s Warning FailedCreate replicaset/sealed-secrets-controller-6979bd8b68 Error creating: pods "sealed-secrets-controller-6979bd8b68-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider "run-as-ray-user": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1001090000, 1001099999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot":
Describe the solution you'd like
A clear and concise description of what you want to happen.
The controller should run 😄
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
I have solved the issue with this command.
curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml |\
sed -E '/.*(fsGroup|runAsUser):.*/d' | oc apply -f -
In case the sealed-secrets controller should not run in kube-system can you add another sed, this requiers that the namespace sealed-secrets is created before the apply.
curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml |\
sed 's/namespace: kube-system/namespace: sealed-secrets/g' | sed -E '/.*(fsGroup|runAsUser):.*/d' |\
oc apply -f -
Additional context
Add any other context or screenshots about the feature request here.
I think this could be also a solution for #1119
I think this info could be added into the README.
Which component:
The name (and version) of the affected component (controller or kubeseal)
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
The Problem is that the default
controller.yamlhaverunAsUserandfsGroupwhich do not work on OpenShift whenanyuidis not allowed and nofsGroupis setuped.You will get this message
Describe the solution you'd like
A clear and concise description of what you want to happen.
The controller should run 😄
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
I have solved the issue with this command.
In case the sealed-secrets controller should not run in
kube-systemcan you add anothersed, this requiers that the namespacesealed-secretsis created before the apply.Additional context
Add any other context or screenshots about the feature request here.
I think this could be also a solution for #1119
I think this info could be added into the README.