
OpenShift operator: needs to run oc adm policy add-cluster-role-to-user cluster-admin -z f5-bigip-ctlr-serviceaccount -n <spec.namespace> #3574

Open
alonsocamaro opened this issue Sep 25, 2024 · 1 comment


@alonsocamaro

Setup Details

Orchestration: OSCP
Orchestration Version: 4.12
Operator Version: 2.18.0

Description

When creating an operand with the following configuration

apiVersion: cis.f5.com/v1
kind: F5BigIpCtlr
metadata:
  name: f5bigipctlr-sample
  namespace: openshift-operators
spec:
  ingressClass:
    create: false
    defaultController: false
    ingressClassName: f5
  resources: {}
  rbac:
    create: true
  version: 747c54aea334532b39bb611bd04d16036d8f6b05
  serviceAccount:
    create: true
  image:
    pullPolicy: IfNotPresent
    repo: k8s-bigip-ctlr-devel
    user: quay.io/f5networks
  namespace: f5-cis
  args:
    share-nodes: true
    manage_routes: false
    agent: as3
    as3-validation: true
    custom-resource-mode: true
    log_level: INFO
    multi-cluster-mode: primary
    bigip_partition: mc-twotier
    bigip_url: 10.1.1.7
    log_as3_response: true
    insecure: true
    pool-member-type: nodeport
  bigip_login_secret: bigip-login

It results in the replica set not being able to instantiate CIS, throwing the following error:

$ oc -n f5-cis get rs -o yaml
[...]
  status:
    conditions:
    - lastTransitionTime: "2024-09-25T08:00:02Z"
      message: 'pods "f5bigipctlr-sample-f5-bigip-ctlr-74c5c488b7-" is forbidden:
        unable to validate against any security context constraint: [provider "anyuid":
        Forbidden: not usable by user or serviceaccount, provider "nginx-ingress-admin":
        Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup:
        Invalid value: []int64{1000}: 1000 is not an allowed group, spec.containers[0].securityContext.runAsUser:
        Invalid value: 1000: must be in the ranges: [1000840000, 1000849999], provider
        "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
        Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden:
        not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden:
        not usable by user or serviceaccount, provider "machine-api-termination-handler":
        Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2":
        Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
        not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
        usable by user or serviceaccount, provider "node-exporter": Forbidden: not
        usable by user or serviceaccount, provider "privileged": Forbidden: not usable
        by user or serviceaccount]'
      reason: FailedCreate
      status: "True"
      type: ReplicaFailure
    observedGeneration: 1
    replicas: 0
kind: List
metadata:
  resourceVersion: ""

This requires running the following command beforehand:

$ oc adm policy add-cluster-role-to-user cluster-admin -z f5-bigip-ctlr-serviceaccount -n f5-cis
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "f5-bigip-ctlr-serviceaccount"

Steps To Reproduce

  1. Create an operand with the above parameters

Expected Result

  • Customers using the operand should not need to run separate commands. The need to run "oc adm" is not documented either.
  • I wonder if it could be possible to create the BIG-IP secret with the operator as well
@alonsocamaro alonsocamaro added bug untriaged no JIRA created labels Sep 25, 2024
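The workaround in the issue binds cluster-admin to the controller's serviceaccount, which is far broader than what the admission error asks for: every SCC except restricted-v2 is reported as "not usable by user or serviceaccount" (the serviceaccount lacks the `use` verb on it), and restricted-v2 is rejected only because runAsUser/fsGroup 1000 fall outside the namespace's assigned ranges. The manifest below is an added example, not part of the issue or of the operator, showing the least-privilege alternative of granting `use` on a single SCC; it assumes the `nonroot-v2` SCC is acceptable for the pod's runAsUser 1000 and fsGroup 1000, and reuses the serviceaccount name and namespace from the issue.

```yaml
# Added example (not from the issue or the operator): least-privilege replacement for
# "oc adm policy add-cluster-role-to-user cluster-admin -z f5-bigip-ctlr-serviceaccount".
# Only the "use" verb on one SCC is granted, which is what SCC admission checks.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: f5-bigip-ctlr-use-scc-nonroot-v2
  namespace: f5-cis
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  # assumption: nonroot-v2 (MustRunAsNonRoot, no fixed UID range) admits UID/fsGroup 1000
  resourceNames: ["nonroot-v2"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: f5-bigip-ctlr-use-scc-nonroot-v2
  namespace: f5-cis
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: f5-bigip-ctlr-use-scc-nonroot-v2
subjects:
- kind: ServiceAccount
  name: f5-bigip-ctlr-serviceaccount   # serviceaccount name from the issue
  namespace: f5-cis                    # spec.namespace from the issue
```

The imperative equivalent is `oc adm policy add-scc-to-user nonroot-v2 -z f5-bigip-ctlr-serviceaccount -n f5-cis`; either way, `oc auth can-i use securitycontextconstraints/nonroot-v2 -n f5-cis --as=system:serviceaccount:f5-cis:f5-bigip-ctlr-serviceaccount` should answer yes afterwards while `oc auth can-i '*' '*' --as=...` still answers no.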
@trinaths
Contributor

Created [CONTCNTR-4949] for internal tracking.

@trinaths trinaths added JIRA and removed untriaged no JIRA created labels Oct 18, 2024