Cloned-restore fails on OpenShift clusters with an SCC permissions issue
Description: The cloned-restore job fails to execute
Similar to the way RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. K10 allows applications to be restored in place (overwriting) or as a cloned-restore (to a different namespace) on the same cluster.
Generally, an SCC is added to a Service Account (SA) in the application namespace. Depending on how an application is configured with SCC permissions, cloned-restores can fail, because the application's resources are restored into a new namespace.
Error: Failed to restore spec artifacts
Cloned-restore jobs time out and eventually fail because the application's security context provides permissions only in the original application namespace. This leaves the application's pod in a non-running state. Following the steps below can help resolve this issue.
e.g.
Namespace = quay-enterprise
SCC (during deployment) = anyuid
SA = default
Cloned namespace = quay-enterprise-restore
$ oc logs postgres-856bf449fb-p7r6t
chmod: changing permissions of '/var/lib/pgsql/data/userdata': Operation not permitted
$ oc get pods
NAME                                          READY   STATUS             RESTARTS   AGE
postgres-856bf449fb-p7r6t                     0/1     CrashLoopBackOff   5          3m40s
quay-enterprise-app-dff657895-nvh8n           1/1     Running            1          3m40s
quay-enterprise-config-app-74f5cd5558-94w6d   1/1     Running            0          3m40s
quay-enterprise-redis-65fb758bff-l2c8l        1/1     Running            0          3m40s
Resolution
There are a few ways to overcome such failures:
- Identify the SCC used for this application in the appropriate Service Account and manually update the SA (default) with this SCC (anyuid) in the cloned-restore namespace
e.g.
$ oc project quay-enterprise-restore
$ oc edit serviceaccount default
- Run the following command to patch the default Service Account
$ oc project quay-enterprise-restore
$ oc adm policy add-scc-to-user anyuid -z default
- Deploy the application into a target namespace and use K10 to recover all data:
Go to the K10 dashboard --> Applications
Select restore under the original namespace (quay-enterprise)
Select the restore point
Click Restore using a Different Name: type quay-enterprise-restore
Select Data-Only Restore --> Restore
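For the first option, the SCC does not have to be guessed: OpenShift records the SCC that admitted each pod in the pod annotation openshift.io/scc. The script below is an added example, not part of the original article or of K10; it reads that annotation in the source namespace and prints only the grants the clone namespace needs. The function names list_sa_scc and plan_grants are hypothetical, the namespaces are the article's example values, and the sample lines are constructed so the script also runs without a cluster.

```shell
#!/usr/bin/env bash
# Added example: derive the SCC grants a cloned namespace needs from the
# SCCs that actually admitted the pods in the source namespace.

SRC_NS="quay-enterprise"           # original application namespace (article example)
DST_NS="quay-enterprise-restore"   # cloned-restore namespace (article example)

# Print "<serviceaccount> <scc>" for every pod in namespace $1.
# The admitting SCC is read from the pod annotation openshift.io/scc.
list_sa_scc() {
  oc get pods -n "$1" --no-headers \
    -o 'custom-columns=SA:.spec.serviceAccountName,SCC:.metadata.annotations.openshift\.io/scc'
}

# Read "<sa> <scc>" lines on stdin and print one grant command per unique
# pair, targeting namespace $1. The default restricted SCCs are skipped
# because they need no explicit grant.
plan_grants() {
  awk -v ns="$1" '
    NF < 2 || $2 == "<none>"                    { next }  # pod has no SCC annotation
    $2 == "restricted" || $2 == "restricted-v2" { next }  # default SCC, nothing to add
    !seen[$1 FS $2]++ {
      printf "oc adm policy add-scc-to-user %s -z %s -n %s\n", $2, $1, ns
    }'
}

# Constructed sample of list_sa_scc output, used when no cluster is available.
SAMPLE='default   anyuid
default   restricted
default   anyuid
default   <none>'

if [ "${1:-}" = "--live" ]; then
  # Query the real source namespace (requires a logged-in oc session).
  list_sa_scc "$SRC_NS" | plan_grants "$DST_NS"
else
  printf '%s\n' "$SAMPLE" | plan_grants "$DST_NS"
fi
```

Review the printed commands before running them: each grant applies to every pod that uses that Service Account in the clone namespace, so an application that shares the default SA gives anyuid to all of its pods.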