Bug 1961204
Summary: | kube-controller-manager operator is slow to apply sa.scc.uid-range annotation | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Vadim Rutkovsky <vrutkovs> |
Component: | kube-controller-manager | Assignee: | Filip Krepinsky <fkrepins> |
Status: | CLOSED DUPLICATE | QA Contact: | zhou ying <yinzhou> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.7 | CC: | aos-bugs, bleanhar, bparees, deads, dhellmann, ercohen, hekumar, itsoiref, lmohanty, mfojtik, pmali, sttts, wking, yliu1 |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1955299 | Environment: |
job=release-openshift-origin-installer-e2e-aws-compact-4.7=all
[sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel]
job=release-openshift-origin-installer-e2e-aws-upgrade-4.4-to-4.5-to-4.6-to-4.7-ci=all
|
Last Closed: | 2022-04-04 21:50:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1955299 | ||
Bug Blocks: |
Description
Vadim Rutkovsky
2021-05-17 13:45:36 UTC
*** Bug 1955299 has been marked as a duplicate of this bug. ***

We see this issue in https://prow.ci.openshift.org/job-history/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws-single-node as well, e.g.

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws-single-node/1432284279919874048
https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws-single-node/1431740745693270016
https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws-single-node/1431493395477434368

Error creating: pods "console-operator-6b677db698-" is forbidden: unable to validate against any security context constraint: [provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] for ReplicaSet.apps/v1/console-operator-6b677db698 -n openshift-console-operator happened 15 times

Error creating: pods "ingress-canary-" is forbidden: unable to validate against any security context constraint: [provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] for DaemonSet.apps/v1/ingress-canary -n openshift-ingress-canary happened 13 times

It appears this early test is running before upgrade is started. As a result this test would flake on install jobs and upgrade jobs.

*** Bug 2046094 has been marked as a duplicate of this bug. ***

*** Bug 2047397 has been marked as a duplicate of this bug. ***

https://github.com/openshift/cluster-kube-controller-manager-operator/pull/594 should help this issue, but let's wait for some time to see how it affects the CI

I have found just a few occurrences of this error and it fails just for azure-file-csi-driver. E.g. in
- https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.11-upgrade-from-stable-4.10-e2e-azure-upgrade/1510767376654667776
- https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.11-e2e-azure-techpreview-serial/1510700534229635072

Error creating: pods "azure-file-csi-driver-controller-94fcc6984-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.initContainers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.initContainers[0].securityContext.containers[0].hostPort: Invalid value: 10303: Host ports are not allowed to be used, spec.initContainers[0].securityContext.containers[1].hostPort: Invalid value: 9211: Host ports are not allowed to be used, spec.initContainers[0].securityContext.containers[3].hostPort: Invalid value: 9212: Host ports are not

It does not seem to affect the creation of other resources in other namespaces so it would suggest the cluster-policy-controller managed to start and was fixed by the #594 PR. Also, the reported errors can be seen in CI for other releases (such as 4.7) which were not backported into.

Closing

*** This bug has been marked as a duplicate of bug 2045872 ***

Still happening in 4.11 though - https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_release/28351/rehearse-28351-periodic-ci-openshift-release-master-nightly-4.11-e2e-vsphere-techpreview/1522274617861869568 and this time it happened in tech-preview vsphere cluster.

There is something else going wrong here. We can see from the events that the scc ranges for this namespace were correctly initialized before the namespace was used, so we can rule out this bug.

picked events:

18:26:06 kube-system cluster-policy-controller-namespace-security-allocation-controller bootstrap-kube-controller-manager-ip-192-168-85-48.us-west-2.compute.internal CreatedSCCRanges created SCC ranges for openshift-cluster-csi-drivers namespace
18:33:12 (x15) openshift-cluster-csi-drivers daemonset-controller vmware-vsphere-csi-driver-node FailedCreate Error creating: pods "vmware-vsphere-csi-driver-node-" is forbidden: unable to validate against any security context constraint:
18:33:12 (x17) openshift-cluster-csi-drivers replicaset-controller vmware-vsphere-csi-driver-controller-69b69d7f6f FailedCreate FailedCreate Error creating: pods "vmware-vsphere-csi-driver-controller-69b69d7f6f-" is forbidden: unable to validate against any security context constraint
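
The event-ordering check used in the last comment can be scripted for triage: for each namespace with SCC admission failures, compare the time of its CreatedSCCRanges event with the time of its first FailedCreate. This is an added example, not part of the original bug thread or of any OpenShift tooling; the line shape, the `classify` helper and the sample events are constructed, and times are compared exactly as listed within a single day.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the "picked events" quoted in this bug:
# time, optional (xN) repeat count, namespace, source, object, reason, message.
SAMPLE_EVENTS = """\
18:26:06 kube-system cluster-policy-controller-namespace-security-allocation-controller bootstrap-kcm CreatedSCCRanges created SCC ranges for openshift-cluster-csi-drivers namespace
18:33:12 (x15) openshift-cluster-csi-drivers daemonset-controller example-csi-node FailedCreate Error creating: pods "example-csi-node-" is forbidden: unable to validate against any security context constraint:
18:27:40 (x13) openshift-example replicaset-controller example-operator-5d9f FailedCreate Error creating: pods "example-operator-5d9f-" is forbidden: unable to validate against any security context constraint:
18:29:05 kube-system cluster-policy-controller-namespace-security-allocation-controller bootstrap-kcm CreatedSCCRanges created SCC ranges for openshift-example namespace
"""

EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?:\(x(?P<count>\d+)\)\s+)?"
    r"(?P<ns>\S+)\s+(?P<source>\S+)\s+(?P<obj>\S+)\s+(?P<reason>\S+)\s+(?P<msg>.*)$"
)
RANGE_MSG_RE = re.compile(r"created SCC ranges for (\S+) namespace")
SCC_DENIED = "unable to validate against any security context constraint"


def classify(events_text):
    """Map each namespace with SCC FailedCreate events to a verdict."""
    ranges_at = {}      # namespace -> time its SCC ranges were created
    first_denied = {}   # namespace -> earliest listed SCC admission failure
    for line in events_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        when = datetime.strptime(m["time"], "%H:%M:%S").time()
        if m["reason"] == "CreatedSCCRanges":
            # The event lives in kube-system; the target is in the message.
            target = RANGE_MSG_RE.search(m["msg"])
            if target:
                ranges_at.setdefault(target.group(1), when)
        elif m["reason"] == "FailedCreate" and SCC_DENIED in m["msg"]:
            ns = m["ns"]
            first_denied[ns] = min(first_denied.get(ns, when), when)
    verdicts = {}
    for ns, denied in first_denied.items():
        created = ranges_at.get(ns)
        if created is not None and created <= denied:
            # Ranges existed first: the slow-annotation race is ruled out.
            verdicts[ns] = "ranges-present-before-failure"
        else:
            verdicts[ns] = "failed-before-ranges"
    return verdicts
```

A `ranges-present-before-failure` verdict matches the conclusion drawn in the last comment; `failed-before-ranges` is the pattern this bug's summary describes.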