Fix Openshift SecurityContextConstraints based on Vizier changes #291
Merged
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
✅ Deploy Preview for docs-px-dev ready!
ddelnano added a commit to pixie-io/pixie that referenced this pull request Nov 25, 2024
Summary: Update cli to detect OpenShift and provide notice to install SCC

This updates `px deploy` to detect OpenShift clusters. In addition, it also prompts a user that they need to install a SecurityContextConstraint before continuing with the deployment.

Note: the existing SCC instructions no longer work. I've raised pixie-io/docs.px.dev#291 and verified that a pixie deploy works properly with the updated instructions.

Relevant Issues: N/A

Type of change: /kind feature

Test Plan: Verified the following with a locally built `px` cli

- [x] deploy command prints appropriate message when KUBECONFIG set to OpenShift cluster

```
$ oc status
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
In project default on server https://api.test-openshift.testing.getcosmic.ai:6443

svc/openshift - kubernetes.default.svc.cluster.local
svc/kubernetes - 172.30.0.1:443 -> 6443

View details with 'oc describe <resource>/<name>' or list resources with 'oc get all'.

$ ./px deploy
Pixie CLI

Running Cluster Checks:
 ✔ Kernel version > 4.14.0
 ✔ Cluster type is supported
 ✔ K8s version > 1.16.0
 ✔ Kubectl > 1.10.0 is present
 ✔ User can create namespace
 ✕ Cluster type is in list of known supported types ERR: openshift cluster detected. Please note that a Security Context Constraint (SCC) is required to run Pixie. Install a SCC in the namespace designated for
 ✕ Cluster type is in list of known supported types ERR: openshift cluster detected. Please note that a Security Context Constraint (SCC) is required to run Pixie. Install a SCC in the namespace designated for the Pixie install before continuing. See example on https://docs.px.dev/reference/admin/environment-configs/
Some cluster checks failed. Pixie may not work properly on your cluster.
Continue with deploy? (y/n) [y] : ^C
```

- Verified that `oc status` returns with a non-zero exit status if KUBECONFIG points to a different k8s cluster

```
$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE   VERSION
gke-dev-cluster-ddelnano-default-pool-a27c1ac2-fh3l   Ready    <none>   26d   v1.30.5-gke.1014001
gke-dev-cluster-ddelnano-default-pool-a27c1ac2-qbqs   Ready    <none>   13d   v1.30.5-gke.1014001
$ oc status; echo $?
error: you do not have rights to view project "default" specified in your config or the project doesn't exist
1
```

Changelog Message: Enhanced the `px` cli to detect OpenShift clusters and prompt to install the appropriate SecurityContextConstraints before proceeding with a deploy

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Member
Author
@pixie-io/core-maintainers could you review this when you have the chance?
vihangm approved these changes Dec 3, 2024
ddelnano added a commit to ddelnano/pixie that referenced this pull request Dec 9, 2024
ddelnano added a commit to ddelnano/pixie that referenced this pull request Aug 6, 2025
GitOrigin-RevId: 8540621

Deploying Pixie on Openshift fails when using the currently documented SecurityContextConstraints manifest. This updates the docs to a version of the SCC that works.
Testing done
`px deploy --olm_namespace openshift-operator-lifecycle-manager --deploy_olm=false` and this version of the SCC