Comments (5)
Hello @waldner! We've always set `use_endpoints: true` in v5 and have plenty of users running on Openshift, so you don't have to set `use_endpoints` to false, but I do think there are a couple of things you must do to avoid this issue. The first is add `create` permissions for the `endpoints` and `endpoints/restricted` resources in your RBAC, which you can see we've done in our examples here and here. Another thing is that your pods should not be running in any of Openshift's default namespaces. From the Openshift docs:
You cannot assign a SCC to pods created in one of the default namespaces: default, kube-system, kube-public, openshift-node, openshift-infra, openshift. These namespaces should not be used for running pods or services.
There might even be other things, but let's start there. Can you check these things? If you've got the correct RBAC and you're not running pods in a default namespace, please answer a few questions: What version of Openshift are you using? What version of CPK? Can you send PGO logs?
from postgres-operator.
I'm not running in the default namespace, however now I've checked the manifests and I've noticed that the `PostgresCluster` object has `openshift: false` (to be investigated why). Could it be the source of the problem?
from postgres-operator.
Indeed removing `openshift: false` makes the database container work, however now I'm hitting this one: #3707 (it worked before, probably due to the `openshift: false` setting). And indeed I see that the pod is running with the `anyuid` SCC instead of the `restricted` one. I don't have permissions to change the policies themselves.
EDIT: this is due to the `default` service account being bound to the `anyuid` SCC policy (probably as a workaround to make something else work...I'll find out the details but I'd rather not touch this now). At the same time, I see that it's not possible to use a service account other than `default` for this pod (see #2749).
Any easy way out of the mess?
from postgres-operator.
Hi @waldner. I wanted to reach out and see if you are still having this issue. One quick suggestion would be to explicitly set `openshift: true` just in case for some reason it's not being set correctly by default (as mentioned in this troubleshooting section of the documentation). Beyond that, the SCC configuration you described does sound like it would take more digging to determine the best path forward. Have you tried creating a fresh Postgres cluster from scratch and seeing if that comes up as expected?
from postgres-operator.
Since we haven't heard back on this issue for some time, I am closing this issue. If you need further assistance, feel free to re-open this issue or ask a question in our Discord server.
from postgres-operator.
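An added example, not part of the thread and not the project's own code: an offline check of the three conditions raised above, namely `create` on `endpoints` and `endpoints/restricted`, no reserved namespace, and the SCC recorded in the pod's `openshift.io/scc` annotation. The Role and Pod objects, the namespace `pg-prod` and all function names are constructed for illustration; the expected SCC name is a parameter.

```python
# Added example; the Role and Pod objects are constructed samples, not from the issue.
RESERVED_NAMESPACES = {"default", "kube-system", "kube-public",
                       "openshift-node", "openshift-infra", "openshift"}
REQUIRED_CREATE = ("endpoints", "endpoints/restricted")
SCC_ANNOTATION = "openshift.io/scc"  # records the SCC that admitted the pod


def rule_allows_create(rule, resource):
    """True if one RBAC rule grants `create` on a core-group resource."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return False
    if not {"create", "*"} & set(rule.get("verbs", [])):
        return False
    # RBAC matches "*", the exact name, or "*/<subresource>"; "endpoints"
    # alone does not cover "endpoints/restricted".
    sub = resource.partition("/")[2]
    wanted = {"*", resource} | ({"*/" + sub} if sub else set())
    return bool(wanted & set(rule.get("resources", [])))


def missing_create(role):
    """Resources from REQUIRED_CREATE that no rule in the Role lets you create."""
    return [r for r in REQUIRED_CREATE
            if not any(rule_allows_create(rule, r) for rule in role.get("rules", []))]


def pod_findings(pod, expected_scc="restricted"):
    """Flag a reserved namespace and an SCC other than the expected one."""
    meta = pod.get("metadata", {})
    findings = []
    if meta.get("namespace", "default") in RESERVED_NAMESPACES:
        findings.append("namespace:" + meta.get("namespace", "default"))
    scc = meta.get("annotations", {}).get(SCC_ANNOTATION, "unknown")
    if scc != expected_scc:
        findings.append("scc:" + scc)
    return findings


ROLE_INCOMPLETE = {"kind": "Role", "rules": [
    {"apiGroups": [""], "resources": ["endpoints"],
     "verbs": ["create", "get", "list", "patch", "watch"]}]}
ROLE_COMPLETE = {"kind": "Role", "rules": ROLE_INCOMPLETE["rules"] + [
    {"apiGroups": [""], "resources": ["endpoints/restricted"], "verbs": ["create"]}]}
POD_ANYUID = {"metadata": {"namespace": "pg-prod",
                           "annotations": {SCC_ANNOTATION: "anyuid"}}}

if __name__ == "__main__":
    print(missing_create(ROLE_INCOMPLETE), missing_create(ROLE_COMPLETE))
    print(pod_findings(POD_ANYUID))
```

Feed it objects exported as JSON from the cluster (Role or ClusterRole, and the database pod) to see which of the conditions from the thread is not met.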