Container creation fails for versions 0.11.1 and above #166

Closed
pjanouse opened this issue Dec 21, 2022 · 2 comments
Labels
bug Something isn't working

Comments


pjanouse commented Dec 21, 2022

What happened?

Helm provider controller container creation fails with the error:
Error: failed to start container "provider-helm": Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: chdir to cwd ("/home/nonroot") set in config.json failed: permission denied: unknown

Similar issue for provider-aws and for provider-kubernetes.

The last working release is v0.11.0, and the current latest release (v0.12.0) is still affected.

How can we reproduce it?

  1. Create a Minikube cluster
  2. Install Crossplane
  3. Add the Helm provider

What environment did it happen in?

Crossplane version: 1.9.0, installed by Helm chart
k8s: Minikube with k8s v1.20.2


pjanouse commented Sep 6, 2023

As reported similarly at crossplane-contrib/provider-aws#1786 (comment) and crossplane-contrib/provider-kubernetes#87 (comment), it seems my original issue was fixed over time, so probably this provider-helm is also working right now (however, untested).

@pjanouse pjanouse closed this as completed Sep 6, 2023

eumel8 commented Mar 11, 2024

I ran into this issue with v0.17.0. It took a while to find out that this happens if the securityContext of the Pod is set to something other than 65532:

---
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsGroup: 2000
          runAsNonRoot: true
          runAsUser: 2000
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /tls/client
          name: tls-client-certs
          readOnly: true
        - mountPath: /tls/server
          name: tls-server-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccount: crossplane-provider-helm-9b3930bc8c9d
....

This can be fixed with a DeploymentRuntimeConfig which is referenced in the Providers:

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: default
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        spec:
          containers:
          - name: package-runtime
            securityContext:
              allowPrivilegeEscalation: false
              privileged: false
              runAsGroup: 65532
              runAsNonRoot: true
              runAsUser: 65532
          securityContext:
            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
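The failure described in this thread is a UID mismatch: the provider image runs as the distroless nonroot user (UID/GID 65532, home /home/nonroot), and a pod securityContext that pins a different runAsUser makes the runtime's chdir into that home directory fail before the process starts. The following Python script is an added example, not code from this issue or from the Crossplane project. It resolves the effective UID of a container the way Kubernetes does (container-level securityContext wins over pod-level), flags the mismatch that produces the error above, and applies the DeploymentRuntimeConfig from the previous comment with a simplified overlay (assumed approximation of Crossplane's merge, not its actual implementation) to show the corrected result. The container name package-runtime, the 2000/65532 values and the pod spec are taken from the comment; the pod spec dict is constructed inline rather than read from the cluster.

```python
"""Check a Crossplane provider pod's securityContext against the UID the
provider image expects, and show how a DeploymentRuntimeConfig override
resolves a mismatch. Added example with constructed input; the overlay in
apply_runtime_config is a simplified stand-in for Crossplane's own merge."""
import copy

# The distroless 'nonroot' user the provider images run as (from the thread).
IMAGE_UID = 65532
IMAGE_HOME = "/home/nonroot"


def effective_security(pod_spec, container_name):
    """Resolve runAsUser/runAsGroup for one container as Kubernetes does:
    a field set on the container's securityContext overrides the pod-level one."""
    pod_sc = pod_spec.get("securityContext", {})
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    ctr_sc = container.get("securityContext", {})
    return {
        "runAsUser": ctr_sc.get("runAsUser", pod_sc.get("runAsUser")),
        "runAsGroup": ctr_sc.get("runAsGroup", pod_sc.get("runAsGroup")),
    }


def check_home_access(pod_spec, container_name, image_uid=IMAGE_UID):
    """Return findings when the configured UID/GID differ from the image's user.
    An explicit runAsUser other than the image UID reproduces the
    'chdir to cwd ("/home/nonroot") ... permission denied' failure; an unset
    value falls back to the image's USER and is fine."""
    sc = effective_security(pod_spec, container_name)
    findings = []
    if sc["runAsUser"] is not None and sc["runAsUser"] != image_uid:
        findings.append(
            f"{container_name}: runAsUser={sc['runAsUser']} but the image user is "
            f"{image_uid}; chdir to {IMAGE_HOME} will be denied"
        )
    if sc["runAsGroup"] is not None and sc["runAsGroup"] != image_uid:
        findings.append(
            f"{container_name}: runAsGroup={sc['runAsGroup']} differs from the image "
            f"group {image_uid}"
        )
    return findings


def apply_runtime_config(pod_spec, runtime_config):
    """Overlay the DeploymentRuntimeConfig pod template onto the generated pod
    spec. Simplified (assumption): the pod-level securityContext is replaced,
    and each container in the override is merged by name into the generated
    container, field by field. The input spec is left untouched."""
    merged = copy.deepcopy(pod_spec)
    override = runtime_config["spec"]["deploymentTemplate"]["spec"]["template"]["spec"]
    if "securityContext" in override:
        merged["securityContext"] = copy.deepcopy(override["securityContext"])
    by_name = {c["name"]: c for c in merged["containers"]}
    for ctr in override.get("containers", []):
        target = by_name.get(ctr["name"])
        if target is None:
            continue  # only patch containers the generated Deployment already has
        for key, value in ctr.items():
            if key != "name":
                target[key] = copy.deepcopy(value)
    return merged


# Constructed pod spec mirroring the broken securityContext from the comment above.
BROKEN_POD_SPEC = {
    "securityContext": {"runAsGroup": 2000, "runAsNonRoot": True, "runAsUser": 2000},
    "containers": [
        {
            "name": "package-runtime",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "runAsGroup": 2000,
                "runAsNonRoot": True,
                "runAsUser": 2000,
            },
        }
    ],
}

# The DeploymentRuntimeConfig from the comment above, as a dict.
RUNTIME_CONFIG = {
    "apiVersion": "pkg.crossplane.io/v1beta1",
    "kind": "DeploymentRuntimeConfig",
    "metadata": {"name": "default"},
    "spec": {"deploymentTemplate": {"spec": {"selector": {}, "template": {"spec": {
        "containers": [{
            "name": "package-runtime",
            "securityContext": {
                "allowPrivilegeEscalation": False, "privileged": False,
                "runAsGroup": 65532, "runAsNonRoot": True, "runAsUser": 65532,
            },
        }],
        "securityContext": {"runAsGroup": 65532, "runAsNonRoot": True, "runAsUser": 65532},
    }}}}},
}

if __name__ == "__main__":
    for finding in check_home_access(BROKEN_POD_SPEC, "package-runtime"):
        print("before:", finding)
    fixed = apply_runtime_config(BROKEN_POD_SPEC, RUNTIME_CONFIG)
    print("after:", effective_security(fixed, "package-runtime"),
          check_home_access(fixed, "package-runtime") or "no findings")
```

Run against the broken spec, the script reports the runAsUser and runAsGroup mismatches; after the overlay, the effective UID and GID are 65532 and no findings remain. Pointing the check at the generated provider Deployment (for example the output of kubectl get deployment -o json, parsed into the same dict shape) is a quick way to confirm a cluster-wide pod securityContext policy is not the cause before changing the runtime config.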
