Document securityContext for OpenShift upgrade hook jobs#2874
Document securityContext for OpenShift upgrade hook jobs#2874pnalubandhu-a11y wants to merge 2 commits into
Conversation
The pre/post-upgrade hook jobs (e.g. app-rename, which runs on Weave enable) default to UID 999 and get rejected by restricted-v2, failing the upgrade and leaving the CR stuck in Loading. Document setting their podSecurityContext to the project UID range, same as the main components.
|
Sorry for the broad ping — narrowing this. cc @wandb/delivery-tooling-team 🙂 Context: this is one of four small docs PRs fixing the W&B self-managed on OpenShift install guide, based on a real OCP 4.21 deployment. This one (#2874) documents that the operator's pre/post-upgrade hook jobs default to UID 999, so |
|
Please pick a narrower group for at-mentioning. There are 70 people on platform-group and at least one of us has no idea what this is about. 😂 |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
|
📚 Mintlify Preview Links📝 Changed (1 total)📄 Pages (1)
🤖 Generated automatically when Mintlify deployment succeeds |
🔗 Link Checker Results✅ All links are valid! No broken links were detected. Checked against: https://wb-21fd5541-sa-openshift-upgrade-hook-scc.mintlify.app |
📋 Validation of technical assertionsEvery claim below was checked against the truth on the ground using Glean (internal engineering/support knowledge) and Sourcegraph (the implementing code in 10 assertions · ✅ 8 confirmed · ✅ 2 confirmed (qualified) · 🟡 0 partial · Nothing was refuted. Two claims are confirmed with a scope qualifier: the app-rename hook is not Weave-specific (it runs on every upgrade; enabling Weave is one example), and the operator's failure phase is nuanced (
Open items — recommended next stepsNo blocking items — every assertion validated. Two optional considerations (neither requires a change; the doc's hedged wording already covers them):
Scope notes
🤖 Generated by the CoreWeave Docs Team's Validator ( |
What
Adds an "Upgrade hook jobs" note to the self-managed operator page's OpenShift section.
Why
The operator runs
pre-upgrade/post-upgradehook Jobs during upgrades — for example the app-rename hook, which also runs when you enable Weave. Those hook pods default to UID 999 (inherited fromwandb-base), so on OpenShiftrestricted-v2rejects them. The Helm upgrade then fails and the custom resource can get stuck inLoading, with nothing in the docs explaining why.Change
Documents setting
appRenamePreHook.podSecurityContextandappRenamePostHook.podSecurityContextto the project's UID range — the same fix already used for the main components.Testing
Reproduced on OCP 4.21: enabling Weave triggered
pre-upgrade hooks failed: Job <release>-app-rename-pre-hook not ready, and the Helm release went tofailed. Validated the fix withhelm templateonwandb-base— setting the hook'spodSecurityContextrenders the Job pod with the givenrunAsUser/fsGroup(in-range) instead of the default 999.