Bug 2109153
| Summary: | pods for daemonset failed to create after file integrity operator upgrade from v0.1.24 to v0.1.29 | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | File Integrity Operator | Assignee: | Matt Rogers <mrogers> |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.11 | CC: | jhrozek, lbragsta, opayne, vahirwad, wenshen |
| Target Milestone: | --- | ||
| Target Release: | 4.12.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
* Previously, service account ownership for the File Integrity Operator regressed due to underlying OLM updates, and updates from 0.1.24 to 0.1.29 were broken. With this update, the Operator should default to upgrading to 0.1.30. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2109153[*BZ#2109153*]
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-02 08:17:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I have seen the same issue after repeating the above steps.
# oc get csv -w
NAME DISPLAY VERSION REPLACES PHASE
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Replacing
file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Pending
file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 InstallReady
file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Succeeded
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting
# oc get pods
NAME READY STATUS RESTARTS AGE
file-integrity-operator-64d7d684b5-xmp9h 1/1 Running 0 8m47s
# oc get fileintegrity
NAME AGE
example-fileintegrity 12m
# oc get fileintegrity example-fileintegrity -o=jsonpath={.status}
{"phase":"Initializing"}
# oc describe daemonset aide-example-fileintegrity | tailple-fileintegrity | tail
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-8pcdp
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-lz9v5
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-4vflg
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-qgxvx
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-r9w72
Normal SuccessfulCreate 4m20s daemonset-controller Created pod: aide-example-fileintegrity-bxf7b
Warning FailedCreate 92s (x19 over 119s) daemonset-controller Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found
Must gather logs: https://drive.google.com/file/d/1bD9wlP7uKEMbdJt4Rg-_trJb5b-WFyPW/view?usp=sharing
(In reply to Varad Ahirwadkar from comment #1) > I have seen the same issue after repeating the above steps. this is on OCP 4.11-rc.2 release on Power architecture Prior to the operator-sdk update (in 0.1.24) we included the daemon SA along with the CSV. https://github.com/openshift/file-integrity-operator/blob/330c718c6fe1c891f9a7c6ca3f4c67ed743258cc/deploy/olm-catalog/file-integrity-operator/manifests/file-integrity-operator.clusterserviceversion.yaml#L250 After the operator-sdk update, the daemon rolebinding was moved out of the CSV directly and included in the bundle's manifests, which changed the ownership status of the SA. Since the SA was only owned by the old CSV, it was deleted after 0.1.29 rolls out. Note, this also included the 'file-integrity-operator-metrics' SA. https://github.com/openshift/file-integrity-operator/pull/272 adds a fix to move the SAs back into the CSV so they can retain ownership. I tested a catalog upgrade from 0.1.24 with it, and it worked for me. Verification pass with bug pre-merge process. With https://github.com/openshift/file-integrity-operator/pull/272, follow steps in https://github.com/openshift/file-integrity-operator#building-and-deploying-from-source, make catalog quay.io/xiyuan/file-integrity-operator-catalog:0722. #########Scenario 1: upgrade from v0.1.24 to v0.1.29: 1. install file-integrity-operator.v0.1.24 and create fileintegrity: oc get ip NAME CSV APPROVAL APPROVED install-766v8 file-integrity-operator.v0.1.24 Automatic true $ oc get csv NAME DISPLAY VERSION REPLACES PHASE elasticsearch-operator.v5.5.0 OpenShift Elasticsearch Operator 5.5.0 Succeeded file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Succeeded $ oc apply -f -<<EOF apiVersion: fileintegrity.openshift.io/v1alpha1 kind: FileIntegrity metadata: name: example-fileintegrity spec: config: gracePeriod: 20 maxBackups: 5 debug: true EOF fileintegrity.fileintegrity.openshift.io/example-fileintegrity created $ oc get daemonset -w NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-example-fileintegrity 6 6 6 6 6 <none> 30s ^C$ oc get pod NAME READY STATUS RESTARTS AGE aide-example-fileintegrity-28vrx 1/1 Running 0 35s aide-example-fileintegrity-2rftr 1/1 Running 0 35s aide-example-fileintegrity-h7nd8 1/1 Running 0 35s aide-example-fileintegrity-hn2w7 1/1 Running 0 35s aide-example-fileintegrity-hn465 1/1 Running 0 35s aide-example-fileintegrity-nz6pn 1/1 Running 0 35s file-integrity-operator-5ddddddf69-qmvzb 1/1 Running 1 (66s ago) 89s $ oc get fileintegrity example-fileintegrity -o=jsonpath={.status} {"phase":"Active"}$ oc get fileintegritynodestatus NAME NODE STATUS example-fileintegrity-xiyuan25-3-6rdl2-master-0 xiyuan25-3-6rdl2-master-0 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-1 xiyuan25-3-6rdl2-master-1 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-2 xiyuan25-3-6rdl2-master-2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd Succeeded 2. upgrade: $ oc describe packagemanifest file-integrity-operator Name: file-integrity-operator ... Maturity: alpha Provider: Name: Red Hat URL: https://github.com/openshift/file-integrity-operator Related Images: quay.io/xiyuan/file-integrity-operator:0722 quay.io/file-integrity-operator/file-integrity-operator:latest Version: 0.1.29 Name: alpha Default Channel: alpha Package Name: file-integrity-operator Provider: Name: Red Hat URL: https://github.com/openshift/file-integrity-operator Events: <none> $ oc patch sub file-integrity-operator -p '{"spec":{"source":"file-integrity-operator","channel":"alpha"}}' --type='merge' subscription.operators.coreos.com/file-integrity-operator patched $ oc get ip NAME CSV APPROVAL APPROVED install-766v8 file-integrity-operator.v0.1.24 Automatic true install-n4z7m file-integrity-operator.v0.1.29 Automatic true $ oc get csv -w NAME DISPLAY VERSION REPLACES PHASE elasticsearch-operator.v5.5.0 OpenShift Elasticsearch Operator 5.5.0 Succeeded file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Replacing file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Installing file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Succeeded file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting ^C$ oc get daemonset -w NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-example-fileintegrity 6 6 6 1 6 <none> 5m13s aide-example-fileintegrity 6 6 5 1 5 <none> 5m14s aide-example-fileintegrity 6 6 5 2 5 <none> 5m14s aide-example-fileintegrity 6 6 6 2 6 <none> 5m17s aide-example-fileintegrity 6 6 5 2 5 <none> 5m22s aide-example-fileintegrity 6 6 5 3 5 <none> 5m22s aide-example-fileintegrity 6 6 4 3 4 <none> 5m22s aide-example-fileintegrity 6 6 4 4 4 <none> 5m22s aide-example-fileintegrity 6 6 3 4 3 <none> 5m23s aide-example-fileintegrity 6 6 3 5 3 <none> 5m23s aide-example-fileintegrity 6 6 2 5 2 <none> 5m23s aide-example-fileintegrity 6 6 2 6 2 <none> 5m23s aide-example-fileintegrity 6 6 3 6 3 <none> 5m24s aide-example-fileintegrity 6 6 4 6 4 <none> 5m25s aide-example-fileintegrity 6 6 5 6 5 <none> 5m25s aide-example-fileintegrity 6 6 6 6 6 <none> 5m26s ^C$ oc get pod NAME READY STATUS RESTARTS AGE aide-example-fileintegrity-4r2tp 1/1 Running 0 32s aide-example-fileintegrity-7f5sn 1/1 Running 0 12s aide-example-fileintegrity-ncdbq 1/1 Running 0 13s aide-example-fileintegrity-nr72p 1/1 Running 0 13s aide-example-fileintegrity-w4fcf 1/1 Running 0 21s aide-example-fileintegrity-x9bmt 1/1 Running 0 12s file-integrity-operator-7f7b97b9db-vj4np 1/1 Running 0 43s $ oc get fileintegrity example-fileintegrity -o=jsonpath={.status} {"phase":"Active"} $ oc get fileintegritynodestatus NAME NODE STATUS example-fileintegrity-xiyuan25-3-6rdl2-master-0 xiyuan25-3-6rdl2-master-0 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-1 xiyuan25-3-6rdl2-master-1 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-2 xiyuan25-3-6rdl2-master-2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd Succeeded #######Scenario 2: deploy FIO to a namespace without openshift prefix: oc apply -f -<<EOF > apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: file-integrity-operator namespace: openshift-marketplace spec: displayName: openshift-file-integrity-operator publisher: Red Hat sourceType: grpc image: quay.io/xiyuan/file-integrity-operator-catalog:0722 --- apiVersion: v1 kind: Namespace metadata: name: fio labels: openshift.io/cluster-monitoring: "true" pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/warn: privileged --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: openshift-file-integrity-qbcd namespace: fio spec: targetNamespaces: - fio --- apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: file-integrity-operator namespace: fio spec: channel: alpha Approval: Automatic name: file-integrity-operator source: file-integrity-operator sourceNamespace: openshift-marketplace EOF catalogsource.operators.coreos.com/file-integrity-operator unchanged namespace/fio created operatorgroup.operators.coreos.com/openshift-file-integrity-qbcd created subscription.operators.coreos.com/file-integrity-operator created $ oc patch sub file-integrity-operator -p '{"spec":{"channel":"alpha"}}' --type='merge' -n fio subscription.operators.coreos.com/file-integrity-operator patched $ oc project fio Now using project "fio" on server "https://api.xiyuan25-3.alicloud-qe.devcluster.openshift.com:6443". $ oc get ip NAME CSV APPROVAL APPROVED install-rpv4f file-integrity-operator.v0.1.29 Automatic true $ oc get csv -w NAME DISPLAY VERSION REPLACES PHASE elasticsearch-operator.v5.5.0 OpenShift Elasticsearch Operator 5.5.0 Succeeded file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 Succeeded ^C$ oc get pod NAME READY STATUS RESTARTS AGE file-integrity-operator-5cf4ffcccb-zh686 1/1 Running 1 (11s ago) 17s $ oc apply -f fileintegrity.yaml fileintegrity.fileintegrity.openshift.io/example-fileintegrity created $ oc get daemonset -w NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-example-fileintegrity 6 6 6 6 6 <none> 8s ^C$ oc get pod NAME READY STATUS RESTARTS AGE aide-example-fileintegrity-684cj 1/1 Running 0 14s aide-example-fileintegrity-j2kkv 1/1 Running 0 14s aide-example-fileintegrity-ktgh7 1/1 Running 0 14s aide-example-fileintegrity-mgxxh 1/1 Running 0 14s aide-example-fileintegrity-s8rvn 1/1 Running 0 14s aide-example-fileintegrity-zwbsc 1/1 Running 0 14s file-integrity-operator-5cf4ffcccb-zh686 1/1 Running 1 (33s ago) 39s $ oc get fileintegrity example-fileintegrity -o=jsonpath={.status} {"phase":"Active"} $ oc get fileintegritynodestatus NAME NODE STATUS example-fileintegrity-xiyuan25-3-6rdl2-master-0 xiyuan25-3-6rdl2-master-0 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-1 xiyuan25-3-6rdl2-master-1 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-master-2 xiyuan25-3-6rdl2-master-2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2 Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh Succeeded example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd Succeeded Successfully Upgraded FIO from v0.1.24 to v0.1.30 on Power OCP 4.11.0-rc.2 release
# oc get csv -n openshift-file-integrity
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Succeeded
# oc get fileintegrity example-fileintegrity -o=jsonpath={.status}
{"phase":"Active"}
# oc get pods
NAME READY STATUS RESTARTS AGE
aide-example-fileintegrity-5gw7p 1/1 Running 0 34s
aide-example-fileintegrity-6z9ph 1/1 Running 0 35s
aide-example-fileintegrity-d46bc 1/1 Running 0 35s
aide-example-fileintegrity-dkdld 1/1 Running 0 35s
aide-example-fileintegrity-q44fh 1/1 Running 0 35s
aide-example-fileintegrity-xc996 1/1 Running 0 35s
file-integrity-operator-79bbc8dc86-nqzjz 1/1 Running 0 78s
# oc get fileintegritynodestatus
NAME NODE STATUS
example-fileintegrity-tor01-master-0.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-master-0.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
example-fileintegrity-tor01-master-1.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-master-1.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
example-fileintegrity-tor01-master-2.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-master-2.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
example-fileintegrity-tor01-worker-0.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-worker-0.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
example-fileintegrity-tor01-worker-1.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-worker-1.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
example-fileintegrity-tor01-worker-2.rdr-varad-ocp-411-rc2-upi.ibm.com tor01-worker-2.rdr-varad-ocp-411-rc2-upi.ibm.com Succeeded
# oc describe daemonset aide-example-fileintegrity | tail
Normal SuccessfulCreate 6m24s daemonset-controller Created pod: aide-example-fileintegrity-x7jzx
Normal SuccessfulCreate 6m24s daemonset-controller Created pod: aide-example-fileintegrity-hpb5k
Normal SuccessfulCreate 6m24s daemonset-controller Created pod: aide-example-fileintegrity-t2wck
Normal SuccessfulCreate 6m24s daemonset-controller Created pod: aide-example-fileintegrity-9jv2j
Normal SuccessfulCreate 6m24s daemonset-controller Created pod: aide-example-fileintegrity-4btw4
Normal SuccessfulDelete 4m25s daemonset-controller Deleted pod: aide-example-fileintegrity-t2wck
Normal SuccessfulCreate 3m54s daemonset-controller Created pod: aide-example-fileintegrity-6z9ph
Normal SuccessfulCreate 3m54s daemonset-controller Created pod: aide-example-fileintegrity-d46bc
Normal SuccessfulCreate 3m54s daemonset-controller Created pod: aide-example-fileintegrity-dkdld
Normal SuccessfulCreate 3m53s (x3 over 3m54s) daemonset-controller (combined from similar events): Created pod: aide-example-fileintegrity-5gw7p
verification pass with 4.12.0-0.nightly-2022-07-27-133042 and file-integrity-operator.v0.1.30
1. installed released version v0.1.24
2. upgrade to latest version v0.1.30
$ oc get ip -w
NAME CSV APPROVAL APPROVED
install-7msxh file-integrity-operator.v0.1.24 Automatic true
install-hx49f file-integrity-operator.v0.1.30 Automatic true
install-hx49f file-integrity-operator.v0.1.30 Automatic true
^C$ oc get csv -w
NAME DISPLAY VERSION REPLACES PHASE
elasticsearch-operator.v5.5.0 OpenShift Elasticsearch Operator 5.5.0 Succeeded
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Succeeded
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Replacing
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Pending
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Pending
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 InstallReady
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Installing
file-integrity-operator.v0.1.30 File Integrity Operator 0.1.30 file-integrity-operator.v0.1.24 Succeeded
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting
file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting
3. check upgrade result
$ oc get pod
NAME READY STATUS RESTARTS AGE
aide-example-fileintegrity-7bt6q 0/1 ContainerCreating 0 4s
aide-example-fileintegrity-fdgrs 0/1 ContainerCreating 0 4s
aide-example-fileintegrity-fztrz 1/1 Running 0 4s
aide-example-fileintegrity-mvhfq 0/1 ContainerCreating 0 4s
aide-example-fileintegrity-rsg57 0/1 ContainerCreating 0 4s
aide-example-fileintegrity-vvrdj 0/1 ContainerCreating 0 4s
file-integrity-operator-5ddddddf69-cbzzk 1/1 Terminating 1 (7m16s ago) 7m37s
file-integrity-operator-79bbc8dc86-2dk42 1/1 Running 0 40s
$ oc get daemonset -w
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
aide-example-fileintegrity 6 6 5 6 5 <none> 6m57s
aide-example-fileintegrity 6 6 6 6 6 <none> 6m57s
^C$ oc get pod
NAME READY STATUS RESTARTS AGE
aide-example-fileintegrity-7bt6q 1/1 Running 0 23s
aide-example-fileintegrity-fdgrs 1/1 Running 0 23s
aide-example-fileintegrity-fztrz 1/1 Running 0 23s
aide-example-fileintegrity-mvhfq 1/1 Running 0 23s
aide-example-fileintegrity-rsg57 1/1 Running 0 23s
aide-example-fileintegrity-vvrdj 1/1 Running 0 23s
file-integrity-operator-79bbc8dc86-2dk42 1/1 Running 0 59s
$ oc get fileintegrity example-fileintegrity -o=jsonpath={.status}
{"phase":"Active"}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift File Integrity Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5538 |
Version-Release number of selected component (if applicable): File integrity operator + file-integrity-operator.v0.1.29 High How reproducible: Always Description of problem: pods "aide-example-fileintegrity-" failed to create after file integrity operator upgrade from v0.1.24 to v0.1.29 $ oc get fileintegrity example-fileintegrity -o=jsonpath={.status} {"phase":"Initializing"} $ oc describe daemonset aide-example-fileintegrity | tail Type Reason Age From Message ---- ------ ---- ---- ------- Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-8rrdw Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-2k9sr Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-hzbpz Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-zcg6b Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-lxh9q Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-szssh Normal SuccessfulDelete 8m39s daemonset-controller Deleted pod: aide-example-fileintegrity-2k9sr Warning FailedCreate 4m39s (x23 over 8m19s) daemonset-controller Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found How reproducible: Always Steps to Reproduce: installed released version v0.1.24 upgrade to latest version v0.1.29 Actual results: File integrity upgrade succeeded, but pods for daemonset failed to create $ oc get ip NAME CSV APPROVAL APPROVED install-cttq5 file-integrity-operator.v0.1.29 Automatic true install-qdcq5 file-integrity-operator.v0.1.24 Automatic true $ oc get csv -w NAME DISPLAY VERSION REPLACES PHASE elasticsearch-operator.v5.5.0 OpenShift Elasticsearch Operator 5.5.0 Succeeded file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Replacing file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Installing file-integrity-operator.v0.1.29 File Integrity Operator 0.1.29 file-integrity-operator.v0.1.24 Succeeded file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting file-integrity-operator.v0.1.24 File Integrity Operator 0.1.24 Deleting ^C$ oc get pod -w NAME READY STATUS RESTARTS AGE aide-example-fileintegrity-2k9sr 1/1 Terminating 0 2m44s aide-example-fileintegrity-8rrdw 1/1 Terminating 0 2m44s aide-example-fileintegrity-hzbpz 1/1 Terminating 0 2m44s aide-example-fileintegrity-lxh9q 1/1 Terminating 0 2m44s aide-example-fileintegrity-szssh 1/1 Terminating 0 2m44s aide-example-fileintegrity-zcg6b 1/1 Terminating 0 2m44s file-integrity-operator-5ddddddf69-lmn6q 1/1 Terminating 1 (4m54s ago) 5m11s file-integrity-operator-6cfdc94d56-w8r5p 1/1 Running 0 18s ^C$ oc get fileintegrity NAME AGE example-fileintegrity 2m56s $ oc get pod -w NAME READY STATUS RESTARTS AGE file-integrity-operator-5ddddddf69-lmn6q 1/1 Terminating 1 (5m14s ago) 5m31s file-integrity-operator-6cfdc94d56-w8r5p 1/1 Running 0 38s file-integrity-operator-5ddddddf69-lmn6q 0/1 Terminating 1 (5m16s ago) 5m33s file-integrity-operator-5ddddddf69-lmn6q 0/1 Terminating 1 (5m16s ago) 5m33s file-integrity-operator-5ddddddf69-lmn6q 0/1 Terminating 1 (5m16s ago) 5m33s ^$ oc get fileintegrity example-fileintegrity -o=jsonpath={.status} e' {"phase":"Initializing"} $ oc get pod NAME READY STATUS RESTARTS AGE file-integrity-operator-6cfdc94d56-w8r5p 1/1 Running 0 78s $ oc describe daemonset aide-example-fileintegrity | tail Type Reason Age From Message ---- ------ ---- ---- ------- Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-8rrdw Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-2k9sr Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-hzbpz Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-zcg6b Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-lxh9q Normal SuccessfulCreate 11m daemonset-controller Created pod: aide-example-fileintegrity-szssh Normal SuccessfulDelete 8m39s daemonset-controller Deleted pod: aide-example-fileintegrity-2k9sr Warning FailedCreate 4m39s (x23 over 8m19s) daemonset-controller Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found Expected Result: File integrity operator upgrade succeeded. Pod for daemonset created successfully.