The error "unable to validate against any security context constraint" occurs when a statefulset application is installed in OCP


Environment

  • Red Hat OpenShift Container Platform
    • 4.12

Issue

The error "unable to validate against any security context constraint" occurs when a statefulset application is installed in OCP.

$ oc get statefulset
NAME              READY   AGE
<statefule_name>  0/1     10m
$ oc get statefulset <statefule_name>  -oyaml|grep serviceAccount
      serviceAccount: default
      serviceAccountName: default

$ oc get events
5h16m       Warning   FailedCreate         statefulset/<statefule_name>
create Pod <pod-name> in StatefulSet <statefule_name> failed error: pods "<pod-name>" is forbidden: unable to validate against any security context constraint: 
[provider "anyuid": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-admission-control": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-sensor": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-central": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, 
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, 
provider "nonroot": Forbidden: not usable by user or serviceaccount, 
provider "noobaa": Forbidden: not usable by user or serviceaccount, 
provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-central-db": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-scanner": Forbidden: not usable by user or serviceaccount, 
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, 
provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, 
provider "log-collector-scc": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, 
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, 
provider "hostnetwork": Forbidden: not usable by user or serviceaccount, 
provider "hostaccess": Forbidden: not usable by user or serviceaccount, 
provider "ocs-metrics-exporter": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-collector": Forbidden: not usable by user or serviceaccount, 
provider "rook-ceph": Forbidden: not usable by user or serviceaccount, 
provider "node-exporter": Forbidden: not usable by user or serviceaccount, 
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]

Resolution

1 Check which serviceAccount the statefulset application is using.

$ oc get statefulset <statefule_name>  -oyaml|grep serviceAccount
      serviceAccount: default
      serviceAccountName: default

2 Check which securitycontextconstraints the statefulset application requires.

$ oc get statefulset <statefule_name> -oyaml | oc adm policy scc-subject-review --filename -
RESOURCE                      ALLOWED BY
StatefulSet/<statefule_name>  hostmount-anyuid

3 Add the hostmount-anyuid securitycontextconstraints to the default serviceAccount the statefulset uses.

$ oc policy add-scc-to-user hostmount-anyuid -z default 
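The three steps above, as an added triage helper (not Red Hat's code): it pulls the concrete spec violation out of the FailedCreate event text, which is otherwise buried among one generic "not usable" entry per SCC, and turns the scc-subject-review result into the grant command without running it. The event message, review output and names `web`, `web-0`, `SAMPLE_*`, `scc_violations` and `scc_grant_plan` are constructed for the example.

```shell
#!/usr/bin/env bash
# Triage helper for the FailedCreate event shown above. Added example, not
# Red Hat's code: the event text and scc-subject-review output below are
# constructed to match the page; the helpers only print commands, never run them.

# Constructed FailedCreate message (same shape as the `oc get events` output).
SAMPLE_EVENT='create Pod web-0 in StatefulSet web failed error: pods "web-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "stackrox-central": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'

# Constructed `oc adm policy scc-subject-review` output, with and without a match.
SAMPLE_REVIEW='RESOURCE          ALLOWED BY
StatefulSet/web   hostmount-anyuid'
SAMPLE_REVIEW_NONE='RESOURCE          ALLOWED BY
StatefulSet/web   <none>'

# scc_violations MESSAGE: print the concrete spec violations (here the hostPath
# volume) and drop the generic "not usable by user or serviceaccount" entries,
# which every SCC the service account has not been granted produces.
scc_violations() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | sed -e 's/.*security context constraint: //' \
          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\[//' -e 's/]$//' \
    | grep -v 'not usable by user or serviceaccount' \
    | grep -v '^$' \
    | sort -u
}

# scc_grant_plan REVIEW_OUTPUT SERVICE_ACCOUNT: print the grant command for the
# SCC that scc-subject-review says would admit the spec. Granting it to
# "default" extends hostPath/anyuid to every pod in the namespace on that
# account, so a dedicated serviceAccount is the safer target.
scc_grant_plan() {
  scc=$(printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $2; exit }')
  if [ -z "$scc" ] || [ "$scc" = "<none>" ]; then
    echo "no SCC admits this spec; change the pod spec (e.g. drop the hostPath volume)"
    return 1
  fi
  echo "oc policy add-scc-to-user $scc -z $2"
}

scc_violations "$SAMPLE_EVENT"
scc_grant_plan "$SAMPLE_REVIEW" default
scc_grant_plan "$SAMPLE_REVIEW_NONE" default || true
```

On a live cluster, feed it `oc get events -o jsonpath='{.items[?(@.reason=="FailedCreate")].message}'` and the output of step 2 instead of the constructed samples.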

Root Cause

The pod spec of the statefulset requires a hostPath volume (spec.volumes[0]), and the default serviceAccount it runs as has not been granted any securitycontextconstraints that permit hostPath volumes, so no SCC can admit the pod and the statefulset never creates it. `oc adm policy scc-subject-review` shows that hostmount-anyuid would admit the spec; granting it to that serviceAccount resolves the error. Because an SCC granted to the default serviceAccount applies to every pod in the namespace that uses that account, a dedicated serviceAccount for the statefulset keeps the grant as narrow as possible.

Diagnostic Steps

$ oc get statefulset
NAME              READY   AGE
<statefule_name>  0/1     10m

$ oc get events
10m       Warning   FailedCreate         statefulset/<statefule_name>
create Pod <pod-name> in StatefulSet <statefule_name> failed error: pods "<pod-name>" is forbidden: unable to validate against any security context constraint: 
[provider "anyuid": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-admission-control": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-sensor": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-central": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, 
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, 
provider "nonroot": Forbidden: not usable by user or serviceaccount, 
provider "noobaa": Forbidden: not usable by user or serviceaccount, 
provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-central-db": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-scanner": Forbidden: not usable by user or serviceaccount, 
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, 
provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, 
provider "log-collector-scc": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, 
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, 
provider "hostnetwork": Forbidden: not usable by user or serviceaccount, 
provider "hostaccess": Forbidden: not usable by user or serviceaccount, 
provider "ocs-metrics-exporter": Forbidden: not usable by user or serviceaccount, 
provider "stackrox-collector": Forbidden: not usable by user or serviceaccount, 
provider "rook-ceph": Forbidden: not usable by user or serviceaccount, 
provider "node-exporter": Forbidden: not usable by user or serviceaccount, 
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
