Troubleshooting WSO2 APIM in OCP - Invalid value securityContext.runAsUser


Problem Statement
We created a custom Docker image for WSO2 APIM v3.2.x and deployed it in an OpenShift 4.x cluster. However, the pods did not reach the Ready state, and the following error was observed while checking the events (oc get events):

wso2am-pattern-1-am-1-deployment-0 in StatefulSet wso2am-pattern-1-am-1-deployment failed error: pods "wso2am-pattern-1-am-1-deployment-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.runAsUser: Invalid value: 1000670000: must be in the ranges: [1000710000, 1000719999], spec.containers[0].securityContext.runAsUser: Invalid value: 1000670000: must be in the ranges: [1000710000, 1000719999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]


Cause
This is a permission issue. The WSO2 APIM Dockerfile takes numeric values for USER_ID and USER_GROUP_ID. The default is 802, and it needs to be changed to suit the environment. We checked the values and found that they were not in the range given in the error message: Invalid value: 1000670000: must be in the ranges: [1000710000, 1000719999].

Dockerfile
# build arguments for user/group configurations
ARG USER=wso2carbon
ARG USER_ID=1000670000
ARG USER_GROUP=wso2
ARG USER_GROUP_ID=1000670000
ARG USER_HOME=/home/${USER}

Solution
Change the value to suit the environment (here, an ID inside the range given in the error message), build a new Docker image, push it to the respective registry, and re-create the resources using the deployment template YAML file. The error shown above is then no longer thrown.

Updated Dockerfile
# build arguments for user/group configurations
ARG USER=wso2carbon
ARG USER_ID=1000710000
ARG USER_GROUP=wso2
ARG USER_GROUP_ID=1000710000
ARG USER_HOME=/home/${USER}
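
The check described above can be scripted before rebuilding the image. The following is an added example, not part of the original post or of WSO2's tooling: it extracts the allowed UID range from the event text and tests the Dockerfile's USER_ID against it. The function names are hypothetical, and the sample inputs are cut down from the event and Dockerfiles quoted on this page.

```python
import re

# Constructed sample: the two runAsUser rejections from the event quoted on this
# page, with the other SCC provider entries left out.
EVENT = (
    'pods "wso2am-pattern-1-am-1-deployment-0" is forbidden: unable to validate '
    'against any security context constraint: '
    '[spec.initContainers[0].securityContext.runAsUser: Invalid value: 1000670000: '
    'must be in the ranges: [1000710000, 1000719999], '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 1000670000: '
    'must be in the ranges: [1000710000, 1000719999]]'
)
# The USER and USER_ID lines from the two Dockerfiles shown on this page.
OLD_DOCKERFILE = "ARG USER=wso2carbon\nARG USER_ID=1000670000\n"
NEW_DOCKERFILE = "ARG USER=wso2carbon\nARG USER_ID=1000710000\n"

REJECTION = re.compile(
    r"(spec\.\S+?\.securityContext\.runAsUser): Invalid value: (\d+): "
    r"must be in the ranges: \[(\d+), (\d+)\]"
)
USER_ID_ARG = re.compile(r"^\s*ARG\s+USER_ID=(\d+)\s*$", re.MULTILINE)


def parse_rejections(event):
    """Return (field, rejected_uid, (low, high)) for each runAsUser rejection."""
    return [(f, int(uid), (int(lo), int(hi)))
            for f, uid, lo, hi in REJECTION.findall(event)]


def allowed_range(event):
    """Return the single UID range the event reports; fail if absent or ambiguous."""
    ranges = {r for _, _, r in parse_rejections(event)}
    if len(ranges) != 1:
        raise ValueError(f"expected exactly one UID range, found {sorted(ranges)}")
    return ranges.pop()


def dockerfile_uid_ok(dockerfile, event):
    """True if the Dockerfile's USER_ID lies inside the range from the event."""
    match = USER_ID_ARG.search(dockerfile)
    if match is None:
        raise ValueError("no numeric 'ARG USER_ID=' line in Dockerfile")
    low, high = allowed_range(event)
    return low <= int(match.group(1)) <= high


if __name__ == "__main__":
    print(parse_rejections(EVENT))
    print("old:", dockerfile_uid_ok(OLD_DOCKERFILE, EVENT))
    print("new:", dockerfile_uid_ok(NEW_DOCKERFILE, EVENT))
```

OpenShift allocates this UID range per project (namespace annotation openshift.io/sa.scc.uid-range), so an ID hard-coded in the image has to be re-checked whenever the image is deployed to a different project.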

