We're trying to use buildah to automate builds for our container images in Hyperscale, but it looks like we need some special permission to avoid uid issues. I tried doing it myself and it failed:
oc adm policy add-scc-to-user anyuid -z buildah-sa
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io "system:openshift:scc:anyuid" is forbidden: User "email@example.com" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Could you please enable this on our account? See https://pagure.io/centos-sig-hyperscale/containers-releng/pull-request/4#comment-173650 for more details. Thanks!
Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain
I have run that command successfully. Let me know if it needs any more
Hi, thanks for your help. Unfortunately I can't make it work. I created a deployment config that uses the buildah-sa service account, and when I check the pod's YAML it shows
apparently this service account still does not have the anyuid scc enabled
@mobrien any update on this?
Apologies for the delay, the buildah-sa scc seemed to be no longer there for some reason.
I recreated it using this doc https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md#create-service-account-for-building-images and gave it perms
[ocpadm@n4-138 ~]$ oc adm policy add-scc-to-user anyuid -z buildah-sa
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "buildah-sa"
@mobrien still not working :(
Not sure, but maybe there is another account with the same name in another project?
Because if I list the service accounts under the hyperscale project I can see the buildah-sa account that I created before and not the new one (this one is 44 days old and has no anyuid perms):
$ oc get sa
NAME         SECRETS   AGE
buildah-sa   2         44d
builder      2         483d
default      2         483d
deployer     2         483d
jenkins      2         436d
Make sure the recreated service account is under the hyperscale namespace.
$ oc describe sa buildah-sa
Image pull secrets: buildah-sa-dockercfg-8sllk
Mountable secrets: buildah-sa-dockercfg-8sllk
You could try to list the service accounts under the hyperscale project, check if you can see the buildah-sa with the same fields as above, and give it the perms.
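As an added example that is not part of this thread: a small Python check for exactly the mix-up discussed above. It reads the SCC's ClusterRoleBinding and the pod as JSON and reports whether the service account was granted the SCC in the namespace the pod actually runs in, or only under a same-named account elsewhere. Both JSON documents are constructed samples; the `oc` commands named in the comments are where the real data would come from.

```python
import json

# Constructed sample of `oc get clusterrolebinding system:openshift:scc:anyuid -o json`:
# the grant landed under the "default" namespace, mirroring the mix-up in the thread.
ANYUID_CRB = json.loads("""
{"kind": "ClusterRoleBinding",
 "metadata": {"name": "system:openshift:scc:anyuid"},
 "roleRef": {"kind": "ClusterRole", "name": "system:openshift:scc:anyuid"},
 "subjects": [
  {"kind": "ServiceAccount", "name": "buildah-sa", "namespace": "default"},
  {"kind": "ServiceAccount", "name": "builder", "namespace": "hyperscale"}]}
""")

# Constructed sample of the pod (`oc get pod <name> -o json`); OpenShift records the SCC
# that admitted the pod in the openshift.io/scc annotation.
POD = json.loads("""
{"kind": "Pod",
 "metadata": {"name": "buildah-1-build", "namespace": "hyperscale",
              "annotations": {"openshift.io/scc": "restricted"}},
 "spec": {"serviceAccountName": "buildah-sa"}}
""")


def bound_namespaces(binding, sa_name):
    """Namespaces in which a ServiceAccount named sa_name is a subject of the binding."""
    return sorted(s.get("namespace", "") for s in binding.get("subjects", [])
                  if s.get("kind") == "ServiceAccount" and s.get("name") == sa_name)


def sa_has_scc(binding, sa_name, namespace):
    """True only if the SA is bound in the namespace the workload actually runs in."""
    return namespace in bound_namespaces(binding, sa_name)


def diagnose(binding, pod, expected_scc):
    """Explain why the pod did or did not get expected_scc."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")
    applied = pod["metadata"].get("annotations", {}).get("openshift.io/scc", "<none>")
    if applied == expected_scc:
        return f"ok: {ns}/{sa} admitted under {applied}"
    if sa_has_scc(binding, sa, ns):
        # The SCC is chosen at admission, so a pod created before the grant keeps the old one.
        return f"bound, but this pod was admitted under {applied}: recreate it"
    elsewhere = bound_namespaces(binding, sa)
    if elsewhere:
        return f"{sa} is granted {expected_scc} in {', '.join(elsewhere)}, not in {ns}"
    return f"{ns}/{sa} has no {expected_scc} grant; pod runs under {applied}"
```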
I went through this again, I think I did make a mistake with the namespace the previous time so hopefully all should be working now. Apologies for the delay on this
Now it's working, thanks!
Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)