Ensure etcd stateful set has required capabilities to run on OpenShift (

#2069) Summary: Ensure etcd stateful set has required capabilities to run on OpenShift When using the etcd metadata store on an Openshift cluster, the container gets stuck in its start up script and continuously prints the following error. ``` Waiting for pl-etcd-1.pl-etcd.pl to come up ping: permission denied (are you root?) Waiting for pl-etcd-1.pl-etcd.pl to come up ping: permission denied (are you root?) ``` The etcd stateful set requires an additional capability, which was missed when the other services had stricter security context settings added. This change also requires the following `SecurityContextConstraints` changes (pixie-io/docs.px.dev#292) Relevant Issues: N/A Type of change: /kind bug Test Plan: Deployed the non-operator version of Pixie to an Openshift cluster and verified etcd is scheduled now - [x] Verified etcd metadata deployment with these changes works on GKE cluster Changelog Message: Fixed an issue where the etcd metadata store wouldn't schedule on Openshift clusters Signed-off-by: Dom Del Nano <[email protected]>
pixie-io · Dec 23, 2024 · 73c8340 · 73c8340
1 parent b7319d1
commit 73c8340
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/k8s/vizier_deps/base/etcd/etcd_statefulset.yaml b/k8s/vizier_deps/base/etcd/etcd_statefulset.yaml
@@ -106,6 +106,12 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 5
+          securityContext:
+            capabilities:
+              add:
+              - NET_RAW
+            seccompProfile:
+              type: RuntimeDefault
         volumeMounts:
         - mountPath: /var/run/etcd
           name: etcd-data
@@ -132,6 +138,9 @@ spec:
           secretName: etcd-client-tls-certs
       - emptyDir: {}
         name: etcd-data
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
       - key: "kubernetes.io/arch"
         operator: "Equal"