Clone job fails due to scc issue

Cloned-restore fails on Openshift clusters with (scc) permissions issue

Description: Cloned-restore Job failed to be executed

Similar to the way RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. K10 allows applications to be restored in-place (overwriting) or cloned-restore (to a different namespace) on the same cluster.

Generally, an SCC is added to a Service Account (SA) in the application namespace. Depending on how an application is configured with SCC permissions, cloned-restores can fail, because application resources are brought-back to a new-namespace.

Error: Failed to restore spec artifacts

Cloned-restore jobs time-out and eventually fail because an application's security context provides permissions in the original application namespace. This results in the application's pod to be in a non-running state. Following the steps below can help resolve this issue. 

Namespace = quay-enterprise 
SCC (during deployment) = anyuid
SA = default
Cloned namespace = quay-enterprise-restore
$ oc logs postgres-856bf449fb-p7r6t 
chmod: changing permissions of '/var/lib/pgsql/data/userdata': Operation not permitted

$ oc get pods
postgres-856bf449fb-p7r6t 0/1 CrashLoopBackOff 5 3m40s
quay-enterprise-app-dff657895-nvh8n 1/1 Running 1 3m40s
quay-enterprise-config-app-74f5cd5558-94w6d 1/1 Running 0 3m40s
quay-enterprise-redis-65fb758bff-l2c8l 1/1 Running 0 3m40s


There are a few ways to overcome such failures:

  1. Identify the SCC used for this application in the appropriate Service Account and manually update the SA (default) with this SCC (anyuid) in the cloned-restore namespace
    $ oc project quay-enterprise-restore
    $ oc edit serviceaccount default
  2. Run the following command to patch the default Service Account 
    $ oc project quay-enterprise-restore
    $ oc adm policy add-scc-to-user anyuid -z default
  3. Deploy the application into a target namespace and use K10 to recover all data:

    Go to the K10 dashboard --> Applications
    Select restore under the original namespace (quay-enterprise)
    Select the restorepoint
    Click Restore using a Different Name: type quay-enterprise-restore
    Select Data-Only Restore --> Restore