Description of problem: The DaemonSet machine-api-termination-handler couldn’t allocate any Pod due to SCC Version-Release number of selected component (if applicable): 4.5.0-0.nightly-2020-04-12-180647 How reproducible: Always Steps to Reproduce: 1. Create a spot instance 2. Check daemonset machine-api-termination-handler 3. Actual results: $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE machine-api-termination-handler 0 0 0 0 0 machine.openshift.io/interruptible-instance= 148m $ oc get node --show-labels |grep machine.openshift.io/interruptible-instance= ip-10-0-166-52.us-east-2.compute.internal Ready worker 50m v1.17.1 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=m4.large,beta.kubernetes.io/os=linux,failure-domain.beta.kubernetes.io/region=us-east-2,failure-domain.beta.kubernetes.io/zone=us-east-2c,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-166-52,kubernetes.io/os=linux,machine.openshift.io/interruptible-instance=,node-role.kubernetes.io/worker=,node.kubernetes.io/instance-type=m4.large,node.openshift.io/os_id=rhcos,topology.kubernetes.io/region=us-east-2,topology.kubernetes.io/zone=us-east-2c $ oc describe ds machine-api-termination-handler Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning FailedCreate 47s (x60 over 4h26m) daemonset-controller Error creating: pods "machine-api-termination-handler-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used] Expected results: DaemonSet machine-api-termination-handler could create Pods on node with label "machine.openshift.io/interruptible-instance=" Additional info: After add the ServiceAccount to a scc with enough privileges. $ oc adm policy add-scc-to-user privileged system:serviceaccount:machine-api-termination-handler:machine-api-termination-handler securitycontextconstraints.security.openshift.io/privileged added to: ["system:serviceaccount:machine-api-termination-handler:machine-api-termination-handler"] $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE machine-api-termination-handler 1 1 1 1 1 machine.openshift.io/interruptible-instance= 6h29m
In case anyone is looking at this, the following has the wrong namespace for the service account, it should be openshift-machine-api > After add the ServiceAccount to a scc with enough privileges. > $ oc adm policy add-scc-to-user privileged system:serviceaccount:machine-api-termination-handler:machine-api-termination-handler > securitycontextconstraints.security.openshift.io/privileged added to: ["system:serviceaccount:machine-api-termination-handler:machine-api-termination-handler"] We can also use the hostnetwork scc rather than the privileged one, it has fewer privileges $ oc adm policy add-scc-to-user hostnetwork system:serviceaccount:openshift-machine-api:machine-api-termination-handler Will look into how to install this by default
Verified clusterversion: 4.5.0-0.nightly-2020-04-14-221451 $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE machine-api-termination-handler 1 1 1 1 1 machine.openshift.io/interruptible-instance= 33m $ oc get po NAME READY STATUS RESTARTS AGE cluster-autoscaler-operator-5996c77467-msjg6 2/2 Running 0 33m machine-api-controllers-58cdd794bf-gz46c 4/4 Running 0 34m machine-api-operator-6f857c9fb7-v9xml 2/2 Running 0 35m machine-api-termination-handler-5s8sf 1/1 Running 0 5m1s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409