NewtonChutney commented on issue #59433:
URL: https://github.com/apache/airflow/issues/59433#issuecomment-3959666546
I just tried the 1.19 Helm chart on an OpenShift cluster, on a new
project (aka a namespace), and I faced this error after deploying with both
`rbac.create` and `rbac.createSCCRoleBinding` set to true.
```
create Pod airflow-postgresql-0 in StatefulSet airflow-postgresql failed
error: pods "airflow-postgresql-0" is forbidden: unable to validate against any
security context constraint:
[
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value:
[]int64{1001}: 1001 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001:
must be in the ranges: [1001750000, 1001759999],
provider restricted: .spec.securityContext.fsGroup: Invalid value:
[]int64{1001}: 1001 is not an allowed group,
provider restricted: .containers[0].runAsUser: Invalid value: 1001:
must be in the ranges: [1001750000, 1001759999],
pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/postgresql]:
Forbidden: seccomp may not be set,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or
serviceaccount,
provider "elasticsearch-scc": Forbidden: not usable by user or
serviceaccount,
provider "hostmount-anyuid-v2": Forbidden: not usable by user or
serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by
user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or
serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "splunkforwarder": Forbidden: not usable by user or
serviceaccount,
provider "node-exporter": Forbidden: not usable by user or
serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount
]
```
I'm new to OpenShift, and haven't worked with Helm charts as much.
Does the above mean the cluster is more restricted and the helm chart is
fine?