Error creating: pods "gitlab-nginx-ingress-controller-675bdb4f8-" is forbidden

Installed GitLab Operator on OpenShift 4.10; the created instance has the following errors:

ReplicaSet: gitlab-nginx-ingress-controller-675bdb4f8
Namespace: gitlab-system
3 minutes ago
Generated from replicaset-controller, 30 times in the last 1 hour

Error creating: pods "gitlab-nginx-ingress-controller-675bdb4f8-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 101: must be in the ranges: [1000730000, 1000739999], spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Please advise.

Hello,

this issue is still present.
I'm on OKD 4.10 and have the same issue.
Did you find any workaround? Tried to give anyuid and privileged permissions to the service account, but no luck.

Any help would be appreciated.

FYI, you can find a workaround here: Nginx ingress controller is deployed and runs with incorrect SCC when Routes are used OpenShift 4.10 (#762) · Issues · GitLab.org / Cloud Native / GitLab Operator · GitLab
But the operator on OKD 4.10 is still not working as expected; I have tested all scenarios, with no luck. We can only wait until the community develops a solution…

Try the following CR; it works for me, not using nginx-ingress but using a Route instead.

GITLAB CR

```yaml
kind: GitLab
apiVersion: apps.gitlab.com/v1beta1
metadata:
  name: gitlab
  namespace: gitlab-system
spec:
  chart:
    values:
      certmanager:
        install: false
      # Disable NGINX Ingress Controller.
      nginx-ingress:
        enabled: false
      global:
        # Configure the domain from the previous step.
        hosts:
          domain: apps.mvpopenshift.com
        ingress:
          # Unset spec.ingressClassName on the Ingress objects
          # so the OpenShift Router takes ownership.
          class: none
          annotations:
            # The OpenShift documentation says "edge" is the default, but
            # the TLS configuration is only passed to the Route if this annotation
            # is manually set.
            route.openshift.io/termination: "edge"
    version: 6.10.3
```
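
Added example, not written by any poster in this thread and not part of the GitLab Operator: a Python sketch that splits the SCC denial text from the first post into the SCCs the service account may not use and the pod fields that failed validation. The function names are hypothetical and `SAMPLE` is a constructed, shortened copy of that event text.

```python
import re

# Constructed sample: shortened copy of the event text quoted in the first post.
SAMPLE = (
    'Error creating: pods "gitlab-nginx-ingress-controller-675bdb4f8-" is forbidden: '
    'unable to validate against any security context constraint: ['
    'provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 101: '
    'must be in the ranges: [1000730000, 1000739999], '
    'spec.containers[0].securityContext.capabilities.add: Invalid value: '
    '"NET_BIND_SERVICE": capability may not be added, '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

def parse_scc_denial(message):
    """Return (unusable_sccs, field_violations) from an SCC denial message."""
    # Forum and chat tools often turn straight quotes into curly ones.
    message = message.translate(str.maketrans("“”", '""'))
    m = re.search(r"security context constraint: \[(.*)\]\s*$", message, re.S)
    if not m:
        raise ValueError("not an SCC validation error")
    # Entries are comma separated, but the UID range also contains ", ",
    # so split only where a new 'provider "' or 'spec.' entry begins.
    entries = re.split(r', (?=provider "|spec\.)', m.group(1))
    unusable, violations = [], []
    for entry in entries:
        p = re.match(r'provider "([^"]+)": Forbidden: not usable by', entry)
        if p:
            unusable.append(p.group(1))
            continue
        f = re.match(r"(spec\.[^:]+): Invalid value: (.+?): (.+)$", entry, re.S)
        if f:
            violations.append({"field": f.group(1),
                               "value": f.group(2).strip('"'),
                               "reason": f.group(3)})
    return unusable, violations

def uid_outside_range(violation):
    """True if a runAsUser violation's UID is outside the reported range."""
    lo, hi = map(int, re.search(r"\[(\d+), (\d+)\]", violation["reason"]).groups())
    return not lo <= int(violation["value"]) <= hi

if __name__ == "__main__":
    sccs, fields = parse_scc_denial(SAMPLE)
    print("SCCs the service account may not use:", ", ".join(sccs))
    for v in fields:
        print(f'{v["field"]}: requested {v["value"]} ({v["reason"]})')
```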