#840 enable rootless buildah builds on OpenShift
Closed: Fixed with Explanation a month ago by arrfab. Opened 3 months ago by dcavalca.

We're trying to use buildah to automate builds for our container images in Hyperscale, but it looks like we need some special permission to avoid uid issues. I tried doing it myself and it failed:

oc adm policy add-scc-to-user anyuid -z buildah-sa 
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io "system:openshift:scc:anyuid" is forbidden: User "dcavalca@fb.com" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

Could you please enable this on our account? See https://pagure.io/centos-sig-hyperscale/containers-releng/pull-request/4#comment-173650 for more details. Thanks!


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain

3 months ago

I have run that command successfully. Let me know if it needs any more

Hi, thanks for your help, unfortunately I can't make it work, I created a deployment config that uses the buildah-sa service account and when I check the pod's YAML it shows

kind: Pod
metadata:
  ...
  openshift.io/scc: restricted
...

instead of

kind: Pod
metadata:
  ...
  openshift.io/scc: anyuid
...

Apparently this service account still does not have the anyuid scc enabled.

Apologies for the delay, the buildah-sa scc seemed to be no longer there for some reason.

I recreated it using this doc https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md#create-service-account-for-building-images and gave it perms

[ocpadm@n4-138 ~]$ oc adm policy add-scc-to-user anyuid -z buildah-sa
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "buildah-sa"

@mobrien still not working :(

Not sure, but maybe it is another account with the same name in another project?
Because if I list the service accounts under the hyperscale project I can see the buildah-sa account that I created before and not the new one (this one is 44 days old and has no anyuid perms):

$ oc get sa
NAME         SECRETS   AGE
buildah-sa   2         44d
builder      2         483d
default      2         483d
deployer     2         483d
jenkins      2         436d

Make sure the recreated service account is under the hyperscale namespace

$ oc describe sa buildah-sa
Name:                buildah-sa
Namespace:           hyperscale
Labels:              <none>
Annotations:         <none>
Image pull secrets:  buildah-sa-dockercfg-8sllk
Mountable secrets:   buildah-sa-dockercfg-8sllk
                     buildah-sa-token-wx27w
Tokens:              buildah-sa-token-wdn86
                     buildah-sa-token-wx27w
Events:              <none>

You could try to list the service accounts under the hyperscale project, check if you can see the buildah-sa with the same fields as above, and give it the perms.
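The failure mode discussed in this thread is that `oc adm policy add-scc-to-user anyuid -z buildah-sa` binds the ServiceAccount of whatever project is current, so a grant issued from the wrong project leaves pods in hyperscale admitted under the `restricted` SCC. The following check, added here as an example and not part of the ticket or of any OpenShift tooling, inspects constructed ClusterRoleBinding and Pod documents (the shape `oc get ... -o json` returns) and reports whether the exact namespace/name pair is bound:

```python
import json

# Constructed sample of `oc get clusterrolebinding system:openshift:scc:anyuid -o json`
# after the grant was issued while a different project ("default") was current.
BINDING_WRONG_NS = json.loads("""{
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "system:openshift:scc:anyuid"},
  "roleRef": {"kind": "ClusterRole", "name": "system:openshift:scc:anyuid"},
  "subjects": [
    {"kind": "ServiceAccount", "name": "buildah-sa", "namespace": "default"}
  ]
}""")

# Constructed sample of a pod in hyperscale that was admitted under "restricted".
POD_RESTRICTED = json.loads("""{
  "kind": "Pod",
  "metadata": {
    "name": "buildah-1-abcde",
    "namespace": "hyperscale",
    "annotations": {"openshift.io/scc": "restricted"}
  },
  "spec": {"serviceAccountName": "buildah-sa"}
}""")


def sa_in_scc_binding(binding, sa_name, namespace):
    """True only if a subject matches the ServiceAccount by name AND namespace."""
    return any(
        s.get("kind") == "ServiceAccount"
        and s.get("name") == sa_name
        and s.get("namespace") == namespace
        for s in binding.get("subjects", [])
    )


def diagnose(binding, pod, expected_scc="anyuid"):
    """Explain why a pod did not receive the expected SCC, or report 'ok'."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")  # k8s default SA
    applied = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if applied == expected_scc:
        return "ok"
    if not sa_in_scc_binding(binding, sa, ns):
        bound = [f'{s.get("namespace")}/{s.get("name")}' for s in binding.get("subjects", [])]
        return f"{ns}/{sa} not bound; bound subjects: {bound}"
    return f"{ns}/{sa} is bound, but the pod was admitted under {applied!r}"


if __name__ == "__main__":
    print(diagnose(BINDING_WRONG_NS, POD_RESTRICTED))
```

Pointing `diagnose` at live output (`oc get clusterrolebinding system:openshift:scc:anyuid -o json` and `oc get pod <name> -n hyperscale -o json`) reproduces the namespace check mobrien describes above without cluster-admin rights beyond read access.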

I went through this again; I think I did make a mistake with the namespace the previous time, so hopefully all should be working now. Apologies for the delay on this.

Now it is working, thanks!

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

a month ago
