We're trying to use buildah to automate builds for our container images in Hyperscale, but it looks like we need some special permission to avoid uid issues. I tried doing it myself and it failed:

oc adm policy add-scc-to-user anyuid -z buildah-sa
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io "system:openshift:scc:anyuid" is forbidden: User "dcavalca@fb.com" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Could you please enable this on our account? See https://pagure.io/centos-sig-hyperscale/containers-releng/pull-request/4#comment-173650 for more details. Thanks!
Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain
I have run that command successfully. Let me know if it needs any more
Hi, thanks for your help. Unfortunately I can't make it work: I created a deployment config that uses the buildah-sa service account, and when I check the pod's YAML it shows

kind: Pod
metadata:
  ...
  openshift.io/scc: restricted
  ...

instead of

kind: Pod
metadata:
  ...
  openshift.io/scc: anyuid
  ...

Apparently this service account still does not have the anyuid scc enabled.
@mobrien any update on this?
Apologies for the delay, the buildah-sa scc seemed to be no longer there for some reason.
I recreated it using this doc https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md#create-service-account-for-building-images and gave it perms
[ocpadm@n4-138 ~]$ oc adm policy add-scc-to-user anyuid -z buildah-sa
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "buildah-sa"
@mobrien still not working :(
Not sure, but maybe there is another account with the same name in another project? Because if I list the service accounts under the hyperscale project I can see the buildah-sa account that I created before and not the new one (this one is 44 days old and has no anyuid perms):

$ oc get sa
NAME         SECRETS   AGE
buildah-sa   2         44d
builder      2         483d
default      2         483d
deployer     2         483d
jenkins      2         436d
Make sure the recreated service account is under the hyperscale namespace
$ oc describe sa buildah-sa
Name:                buildah-sa
Namespace:           hyperscale
Labels:              <none>
Annotations:         <none>
Image pull secrets:  buildah-sa-dockercfg-8sllk
Mountable secrets:   buildah-sa-dockercfg-8sllk
                     buildah-sa-token-wx27w
Tokens:              buildah-sa-token-wdn86
                     buildah-sa-token-wx27w
Events:              <none>
You could try to list the service accounts under the hyperscale project and check if you can see the buildah-sa with the same fields as above and give the perms
I went through this again, I think I did make a mistake with the namespace the previous time so hopefully all should be working now. Apologies for the delay on this
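The failure mode in this thread is that `add-scc-to-user` binds the SCC to a service account in whichever project is currently selected, so a same-named account in the wrong namespace gets the grant while the pod in `hyperscale` is still admitted as `restricted`. The script below is an added example for checking that, not code from this ticket, from buildah or from OpenShift: it parses the JSON that `oc get clusterrolebinding system:openshift:scc:anyuid -o json` and `oc get pod <name> -o json` return and reports whether the grant actually reaches `hyperscale/buildah-sa`. The binding and pod documents embedded here are constructed samples (the `default` namespace stands in for a hypothetical wrong target; the thread does not say which namespace was used by mistake).

```python
"""Verify that an OpenShift SCC grant reaches the service account in the
intended namespace, and that a pod was actually admitted under that SCC.

Added example; not code from the ticket, buildah or OpenShift.
Input documents are constructed samples, not captured cluster output."""
import json

SCC_ANNOTATION = "openshift.io/scc"   # set by admission; shows which SCC applied
SCC_NAME = "anyuid"

# Constructed: binding as it looks after `oc adm policy add-scc-to-user anyuid
# -z buildah-sa` was run with the wrong project selected ("default" is hypothetical).
BINDING_WRONG_NS = json.loads("""
{"kind": "ClusterRoleBinding",
 "metadata": {"name": "system:openshift:scc:anyuid"},
 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
             "name": "system:openshift:scc:anyuid"},
 "subjects": [{"kind": "ServiceAccount", "name": "buildah-sa", "namespace": "default"}]}
""")

# Constructed: the same binding after re-running the grant in the hyperscale project.
BINDING_FIXED = json.loads("""
{"kind": "ClusterRoleBinding",
 "metadata": {"name": "system:openshift:scc:anyuid"},
 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
             "name": "system:openshift:scc:anyuid"},
 "subjects": [{"kind": "ServiceAccount", "name": "buildah-sa", "namespace": "default"},
              {"kind": "ServiceAccount", "name": "buildah-sa", "namespace": "hyperscale"}]}
""")

# Constructed pods: one admitted as restricted (the symptom in the thread), one as anyuid.
POD_RESTRICTED = json.loads("""
{"kind": "Pod",
 "metadata": {"name": "buildah-1-abcde", "namespace": "hyperscale",
              "annotations": {"openshift.io/scc": "restricted"}},
 "spec": {"serviceAccountName": "buildah-sa"}}
""")
POD_ANYUID = json.loads("""
{"kind": "Pod",
 "metadata": {"name": "buildah-2-fghij", "namespace": "hyperscale",
              "annotations": {"openshift.io/scc": "anyuid"}},
 "spec": {"serviceAccountName": "buildah-sa"}}
""")


def sa_subjects(binding):
    """All (namespace, name) pairs of ServiceAccount subjects in a (Cluster)RoleBinding."""
    return {
        (subject.get("namespace", ""), subject["name"])
        for subject in binding.get("subjects", [])
        if subject.get("kind") == "ServiceAccount"
    }


def scc_granted_to(binding, sa_name, namespace):
    """True only if the exact namespace/name pair is a subject: name alone is not enough."""
    return (namespace, sa_name) in sa_subjects(binding)


def same_name_other_ns(binding, sa_name, namespace):
    """Namespaces where a same-named SA holds the grant instead of the intended one."""
    return sorted(ns for ns, name in sa_subjects(binding)
                  if name == sa_name and ns != namespace)


def pod_scc(pod):
    """SCC the pod was admitted under, from the openshift.io/scc annotation."""
    return pod.get("metadata", {}).get("annotations", {}).get(SCC_ANNOTATION, "")


def grant_command(sa_name, namespace, scc=SCC_NAME):
    """The grant with the namespace made explicit, so the selected project cannot matter."""
    return f"oc adm policy add-scc-to-user {scc} -z {sa_name} -n {namespace}"


def diagnose(binding, pod, sa_name, namespace, wanted=SCC_NAME):
    """One-line verdict: missing grant, grant in the wrong namespace, or stale pod."""
    if not scc_granted_to(binding, sa_name, namespace):
        others = same_name_other_ns(binding, sa_name, namespace)
        where = f"bound in {', '.join(others)} but not in {namespace}" if others \
            else f"no ServiceAccount subject {namespace}/{sa_name}"
        return f"grant missing: {sa_name} {where}; run: {grant_command(sa_name, namespace, wanted)}"
    actual = pod_scc(pod)
    if actual != wanted:
        # Admission assigns the SCC when the pod is created; a grant added later
        # does not change running pods, so the deployment must roll out again.
        return f"grant present but pod admitted with {actual or 'no SCC'}; recreate the pod"
    return "ok"


if __name__ == "__main__":
    for binding, pod in [(BINDING_WRONG_NS, POD_RESTRICTED),
                         (BINDING_FIXED, POD_RESTRICTED),
                         (BINDING_FIXED, POD_ANYUID)]:
        print(diagnose(binding, pod, "buildah-sa", "hyperscale"))
```

Two points the checks encode: the ClusterRoleBinding subject must match on both namespace and name, so `oc get clusterrolebinding system:openshift:scc:anyuid -o json` is the authoritative place to look rather than the SA's own description; and because the `openshift.io/scc` annotation is fixed at admission, a pod created before the grant keeps `restricted` until the deployment is rolled out again.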
Now it's working, thanks!

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)