Cannot set `use_endpoints: false` for PGO about postgres-operator HOT 5 CLOSED

Hello @waldner! We've always set use_endpoints: true in v5 and have plenty of users running on Openshift, so you don't have to set use_endpoints to false, but I do think there are a couple of things you must do to avoid this issue. The first is add create permissions for the endpoints and endpoints/restricted resources in your RBAC, which you can see we've done in our examples here and here. Another thing is that your pods should not be running in any of Openshift's default namespaces. From the Openshift docs:

You cannot assign a SCC to pods created in one of the default namespaces: default, kube-system, kube-public, openshift-node, openshift-infra, openshift. These namespaces should not be used for running pods or services.

There might even be other things, but let's start there. Can you check these things? If you've got the correct RBAC and you're not running pods in a default namespace, please answer a few questions: What version of Openshift are you using? What version of CPK? Can you send PGO logs?

from postgres-operator.

I'm not running in the default namespace, however now I've checked the manifests and I've noticed that the PostgresCluster object has openshift: false (to be investigated why). Could it be the source of the problem?

from postgres-operator.

Indeed removing openshift: false makes the database container work, however now I'm hitting this one: #3707 (it worked before, probably due to the openshift: false setting). And indeed I see that the pod is running with the anyuid SCC instead of the restricted one. I don't have permissions to change the policies themselves.

EDIT: this is due to the default service account being bound to the anyuid SCC policy (probably as a workaround to make something else work...I'll find out the details but I'd rather not touch this now). At the same time, I see that it's not possible to use a service account other than default for this pod (see #2749).

Any easy way out of the mess?

from postgres-operator.

Hi @waldner. I wanted to reach out and see if you are still having this issue. One quick suggestion would be to explicitly set openshift: true just in case for some reason it's not being set correctly by default (as mentioned in this troubleshooting section of the documentation. Beyond that, the SCC configuration you described does sound like it would take more digging to determine the best path forward. Have you tried creating a fresh Postgres cluster from scratch and seeing if that comes up as expected?

from postgres-operator.

Since we haven't heard back on this issue for some time, I am closing this issue. If you need further assistance, feel free to re-open this issue or ask a question in our Discord server.

from postgres-operator.