Podsecurity error on startup of new couchbase cluster

ksully · May 5, 2024, 10:48pm

Using a config from operator 2.4.2, but trying to start with 2.6.2 and 2.6.3, and getting error on a helm deployment:

│ {"level":"error","ts":"2024-05-05T22:39:02Z","msg":"Reconciler error","controller":"couchbase-controller","object":{"name":"couchbasedev","namespace":"couchbase"},"namespace":"couchbase","name":"couchbasedev","reconcileID":"8abf622d-39 │
│ 9f-4e86-b1bd-6bba02caf6a8","error":"admission webhook \"couchbaseoperator-couchbase-admission-controller.couchbase.svc\" denied the request: validation failure list:\nspec.Security.PodSecurityContext must be equal to spec.SecurityConte │
│ xt, if both present","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtim │
│ e/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs │
│ .k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}                                                                                                                                                              │
│ {"level":"info","ts":"2024-05-05T22:39:02Z","logger":"cluster","msg":"Watching new cluster","cluster":"couchbase/couchbasedev"}

I have the SecurityContext section, but no PodSecurity…ideas?

 securityContext:
    fsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    sysctls: []
    windowsOptions: {}
[couchbase-values.fullValuesERROR.zip|attachment](upload://cupY5yk1KPl6RVpq50gbgU5WbYP.zip) (2.4 KB)

config is attached (helm)

ksully · May 24, 2024, 5:45pm

does any have a simple helm chart that works with the cloud native gateway?
The simple one I’ve attached gets this same error:

│ {"level":"error","ts":"2024-05-24T17:39:08Z","logger":"main","msg":"Rejecting resource","error":"validation failure list:\nspec.Security.PodSecurityContext must be equal to spec.SecurityContext, if both present","stacktr │
│ ace":"github.com/couchbase/couchbase-operator/pkg/admission.couchbaseClustersValidate\n\tgithub.com/couchbase/couchbase-operator/pkg/admission/admission.go:233\ngithub.com/couchbase/couchbase-operator/pkg/admission.serve │
│ \n\tgithub.com/couchbase/couchbase-operator/pkg/admission/admission.go:275\ngithub.com/couchbase/couchbase-operator/pkg/admission.Serve.func1\n\tgithub.com/couchbase/couchbase-operator/pkg/admission/admission.go:317\nnet │
│ /http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2122\nnet/http.(*ServeMux).ServeHTTP\n\tnet/http/server.go:2500\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:2936\nnet/http.(*conn).serve\n\tnet/http/server.go │
│ :1995"}  
[couchbase-values-3instance.forsupport.zip|attachment](upload://wlt19A74K06Mj5aCfx2qmN1SDBq.zip) (2.5 KB)

ksully · May 24, 2024, 6:25pm

fyi, got something to start (attached), though I don’t see the port I expect for cloud native gateway (18098) as per docs.
Does anyone have insight into verifying that cloud native is actually loaded? I had commented out the images so that the latest was loaded…
couchbase-values-3instance.support.zip (2.7 KB)