OpenShift compatibility

[hanygirgis]

I'm trying to deploy GrimoireLab on OpenShift (using the supplied Kubernetes scripts), but I'm getting security errors.

For example, when tyring to deploy the esnode Statefulset (in file 12-es-sts-deployment.yml), I had to remove IPC_LOCK and SYS_RESOURCE capabilities, and disable the privilaged more to get it to run. After that, I get the following error :

od esnode-0 in StatefulSet esnode failed error: pods "esnode-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount,

Do you have any suggestions on how to get it to run on OpenShift ?

[sduenas]

Hi @hanygirgis . I've never tried OpenShift before. There's an open PR to deploy the platform on Kubernetes with Helm. If it's possible, I recommend to use this method (or use it as the baseline) because it's more updated to the current infra supported by the project.

You can find the PR here: #707

[hanygirgis]

All right, thanks. I'll try out the Helm approach in this PR.

[sduenas]

Keep us posted about if it works or not, so we can know about it.

[Eroyi]

My chart hasn't been tested on OpenShift. OpenShift has enhanced its security capabilities therefore you may encounter several issues related to securityContext.

Also, I recommend using OpenSearch instead of Elasticsearch. The kibana that grimoirelab used is strictly required an outdated elasticsearch-6.8.6.

If you are trying my chart, please remove the appConfig.security map in charts/openshift-node/values.yaml.

[sduenas]

Just for the record, GrimoireLab can be used with OpenSearch. We have a [docker compose] (https://github.com/chaoss/grimoirelab/blob/master/docker-compose/docker-compose-opensearch.yml) for that matter. The dashboards for opensearch can be imported manually from here.

You can also use Bitergia Analytics, which is built on top of GrimoireLab an uses, by default, OpenSearch dashboard with the security layer.

[hanygirgis]

OK, I'll switch to OpenSearch and give it a shot.