CloudBees CI Default fsGroup 1000 breaking controller provisioning on OpenShift platform

Issue

Customers upgrading to 2.541.2.35785 have fsGroup defaulting to 1000 in the controller statefulset. This causes controller provisioning to fail because the controller pod creation is rejected by the admission controller due to strict Security Context Constraints rules on most OpenShift platforms. In previous versions, this was always unset for OpenShift platforms.

Environment

Resolution

The issue is not reproduced in the latest version 2.541.3.36065. You can upgrade to this version to avoid this issue.

Workaround

A valid workaround for the version 2.541.2.35785 is to set the field Filesystem group in the controller’s configuration page to an empty value and ignore the "Not a number" form validation error. Once you save, the fsGroup is no longer rendered in the controller statefulset yaml. To make this change take effect in all new controllers, you can set this field on operations center under Manage Configure Controller Provisioning. This will set an empty value for all new controllers.

Tested product/plugin versions

CloudBees CI: 2.541.2.35785

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.