Bug 1913069
| Summary: | pod fails to create with "Host network is not allowed to be used spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10301" | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | jamo luhrsen <jluhrsen> |
| Component: | apiserver-auth | Assignee: | David Eads <deads> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | scheng |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 4.7 | CC: | adam.kaplan, aos-bugs, jsafrane, mfojtik, miabbott, mimccune, mmasters, rgudimet, travi, wking |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | Flags: | mfojtik: needinfo? |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | LifecycleReset | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | [sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel] |
| Last Closed: | 2021-04-29 18:12:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1928839 | ||
|
Description
jamo luhrsen
2021-01-05 21:41:42 UTC
Storage/Storage component/subcomponent is just my best guess. Please adjust as needed.

The test should be more tolerant to errors. Fix: https://github.com/openshift/kubernetes/pull/391

(In reply to Jan Safranek from comment #2)
> The test should be more tolerant to errors. Fix:
> https://github.com/openshift/kubernetes/pull/391

I see the PR is sitting idle for a week now.

I came across this problem again today while trying to debug some 4.7 failures:
https://prow.ci.openshift.org/view/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-ocp-4.7-e2e-aws-proxy/1352181772875468800

Top level failure is about crashlooping pods. In the test log you can see this:

```
Jan 21 10:49:33.608: INFO: At 2021-01-21 09:30:40 +0000 UTC - event for aws-ebs-csi-driver-controller-595bc5b465: {replicaset-controller } FailedCreate: Error creating: pods "aws-ebs-csi-driver-controller-595bc5b465-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[1].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[1].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[2].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[2].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[3].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[3].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[4].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[4].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[5].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[5].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used]
```

test log: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-ocp-4.7-e2e-aws-proxy/1352181772875468800/artifacts/e2e-aws-proxy/openshift-e2e-test/e2e.log

Noticed this in 4.8 serial suite as well
https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-e2e-aws-serial-4.8/1359877839876263936

*** Bug 1932007 has been marked as a duplicate of this bug. ***

*** Bug 1930715 has been marked as a duplicate of this bug. ***

Still seeing this during recent CI runs https://sippy.ci.openshift.org/?release=4.7

```
Error creating: pods "cloud-credential-operator-5675cb8c55-" is forbidden: unable to validate against any security context constraint: [] for ReplicaSet.apps/v1/cloud-credential-operator-5675cb8c55 -n openshift-cloud-credential-operator happened 1 times

Error creating: pods "aws-ebs-csi-driver-controller-6d75566766-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[1].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[1].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[2].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[2].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[3].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[3].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[4].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[4].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used
spec.containers[5].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used
spec.containers[5].securityContext.containers[0].hostPort: Invalid value: 10301: Host ports are not allowed to be used] for ReplicaSet.apps/v1/aws-ebs-csi-driver-controller-6d75566766 -n openshift-cluster-csi-drivers happened 4 times

Error creating: pods "console-operator-88868b75f-" is forbidden: unable to validate against any security context constraint: [] for ReplicaSet.apps/v1/console-operator-88868b75f -n openshift-console-operator happened 11 times

Error creating: pods "downloads-5bb6748bc5-" is forbidden: unable to validate against any security context constraint: [] for ReplicaSet.apps/v1/downloads-5bb6748bc5 -n openshift-console happened 11 times

Error creating: pods "router-default-57974b7f5b-" is forbidden: unable to validate against any security context constraint: [] for ReplicaSet.apps/v1/router-default-57974b7f5b -n openshift-ingress happened 11 times

Error creating: pods "marketplace-operator-d98c89b9c-" is forbidden: unable to validate against any security context constraint: [] for ReplicaSet.apps/v1/marketplace-operator-d98c89b9c -n openshift-marketplace happened 11 times
```

*** Bug 1930713 has been marked as a duplicate of this bug. ***

I think we have also hit this bug during the CI tests on this PR https://github.com/openshift/machine-api-operator/pull/830

I see event error output in the must-gather that is similar to what is described in this bug:

```
Error creating: pods "aws-ebs-csi-driver-node-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used,
spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used,
spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used,
spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used,
spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used,
spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed,
spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used,
spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10300: Host ports are not allowed to be used,
spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed,
spec.containers[1].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used,
spec.containers[1].securityContext.containers[0].hostPort: Invalid value: 10300: Host ports are not allowed to be used,
spec.containers[2].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used,
spec.containers[2].securityContext.containers[0].hostPort: Invalid value: 10300: Host ports are not allowed to be used,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
```

This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

I think we fixed this sometime in 4.7.

Are you sure? Certainly looks like 4.7 is still impacted:

```
$ w3m -dump -cols 200 'https://search.ci.openshift.org/?search=Invalid+value%3A+10301%3A+Host+ports+are+not+allowed+to+be+used&maxAge=24h&type=junit' | grep 'failures match' | sort
periodic-ci-openshift-release-master-ci-4.6-e2e-aws-upgrade-rollback (all) - 1 runs, 100% failed, 100% of failures match = 100% impact
periodic-ci-openshift-release-master-ci-4.6-upgrade-from-stable-4.5-e2e-aws-ovn-upgrade (all) - 10 runs, 100% failed, 20% of failures match = 20% impact
periodic-ci-openshift-release-master-ci-4.7-upgrade-from-stable-4.6-e2e-aws-ovn-upgrade (all) - 15 runs, 33% failed, 20% of failures match = 7% impact
periodic-ci-openshift-release-master-nightly-4.6-e2e-aws-fips (all) - 7 runs, 29% failed, 250% of failures match = 71% impact
periodic-ci-openshift-release-master-nightly-4.6-e2e-aws-proxy (all) - 7 runs, 100% failed, 86% of failures match = 86% impact
periodic-ci-openshift-release-master-nightly-4.6-e2e-ovirt (all) - 9 runs, 78% failed, 114% of failures match = 89% impact
periodic-ci-openshift-release-master-nightly-4.7-e2e-aws (all) - 15 runs, 40% failed, 17% of failures match = 7% impact
periodic-ci-openshift-release-master-nightly-4.7-e2e-aws-proxy (all) - 8 runs, 50% failed, 25% of failures match = 13% impact
periodic-ci-openshift-release-master-nightly-4.7-e2e-aws-serial (all) - 19 runs, 63% failed, 17% of failures match = 11% impact
periodic-ci-openshift-release-master-nightly-4.7-e2e-aws-upgrade (all) - 8 runs, 75% failed, 17% of failures match = 13% impact
periodic-ci-openshift-release-master-nightly-4.7-e2e-ovirt (all) - 12 runs, 33% failed, 25% of failures match = 8% impact
periodic-ci-openshift-release-master-nightly-4.8-e2e-ovirt (all) - 11 runs, 45% failed, 20% of failures match = 9% impact
pull-ci-cri-o-cri-o-release-1.19-e2e-aws (all) - 4 runs, 25% failed, 200% of failures match = 50% impact
pull-ci-openshift-cluster-api-provider-aws-release-4.7-e2e-aws-upgrade (all) - 2 runs, 100% failed, 50% of failures match = 50% impact
pull-ci-openshift-cluster-dns-operator-release-4.7-e2e-aws (all) - 2 runs, 50% failed, 100% of failures match = 50% impact
pull-ci-openshift-cluster-network-operator-release-4.7-e2e-ovn-hybrid-step-registry (all) - 6 runs, 83% failed, 20% of failures match = 17% impact
pull-ci-openshift-installer-release-4.7-e2e-aws (all) - 4 runs, 50% failed, 50% of failures match = 25% impact
pull-ci-openshift-multus-cni-release-4.7-e2e-aws (all) - 1 runs, 100% failed, 100% of failures match = 100% impact
release-openshift-ocp-installer-e2e-aws-mirrors-4.6 (all) - 1 runs, 100% failed, 100% of failures match = 100% impact
release-openshift-ocp-installer-e2e-aws-ovn-4.6 (all) - 7 runs, 29% failed, 250% of failures match = 71% impact
release-openshift-ocp-installer-e2e-aws-upi-4.6 (all) - 7 runs, 86% failed, 17% of failures match = 14% impact
release-openshift-origin-installer-e2e-aws-sdn-network-stress-4.7 (all) - 3 runs, 67% failed, 100% of failures match = 67% impact
```

The 4.8 match there is [1]. But can whatever is helping 4.8 so much get ported back to 4.7?

[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.8-e2e-ovirt/1387613619692244992

The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified.

Ok. 4.8. It's not worth the backport. Behavior always worked fine eventually, this was just a little noise.
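
The SCC denial messages quoted in the comments above follow a regular shape. As an added example (not code from this bug or from OpenShift), this Python splits one message into the providers reported as "not usable by user or serviceaccount" and the fields each remaining provider rejected. The function names are hypothetical and the sample messages are constructed by shortening the ones pasted here.

```python
import re

# Constructed samples, shortened from the event messages quoted in this bug.
DENIED = (
    'pods "aws-ebs-csi-driver-node-" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable by user '
    'or serviceaccount, provider restricted: .spec.securityContext.hostNetwork: '
    'Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: '
    'Invalid value: "hostPath": hostPath volumes are not allowed to be used, '
    'spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10300: '
    'Host ports are not allowed to be used, provider "privileged": Forbidden: not '
    'usable by user or serviceaccount]'
)
EMPTY = ('pods "console-operator-88868b75f-" is forbidden: unable to validate '
         'against any security context constraint: []')

HEAD = re.compile(r'pods "([^"]+)" is forbidden: unable to validate against any '
                  r'security context constraint: \[(.*)\]', re.S)
PROVIDER = re.compile(r'provider "?([\w.-]+)"?: ')
# Field path, then the rejected value; works for comma- or space-separated lists.
FIELD = re.compile(r'\.?(spec(?:\.\w+(?:\[\d+\])?)+): Invalid value: ("[^"]*"|[^:\s]+): ')
UNUSABLE = "Forbidden: not usable by user or serviceaccount"

def parse_scc_denial(message):
    """Return (pod_prefix, unusable_providers, {provider: [(field, value)]}) or None."""
    m = HEAD.search(message)
    if not m:
        return None
    pod, body = m.groups()
    marks = list(PROVIDER.finditer(body))
    unusable, rejected = [], {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        segment = body[mark.end():end]
        if segment.startswith(UNUSABLE):
            unusable.append(mark.group(1))   # SCC listed, but the account cannot use it
        else:
            rejected[mark.group(1)] = [(f, v.strip('"')) for f, v in FIELD.findall(segment)]
    return pod, unusable, rejected

def rejected_settings(message):
    """Distinct settings the pod asked for that some SCC refused, e.g. 'hostPort=10300'."""
    parsed = parse_scc_denial(message)
    fields = [fv for fvs in parsed[2].values() for fv in fvs] if parsed else []
    return sorted({re.sub(r'\[\d+\]$', '', f.rsplit('.', 1)[-1]) + '=' + v for f, v in fields})

if __name__ == "__main__":
    print(parse_scc_denial(DENIED), rejected_settings(DENIED), parse_scc_denial(EMPTY))
```

An empty provider list, as in the `[]` events quoted above, parses to no unusable providers and no rejected fields, which separates those events from denials where `restricted` actually refused host-level settings.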