1947248 – Compliance Operator fails to deploy if a defaultNodeSelector is set in Scheduler config - cluster

Bug 1947248 - Compliance Operator fails to deploy if a defaultNodeSelector is set in Scheduler config - cluster

Summary: Compliance Operator fails to deploy if a defaultNodeSelector is set in Schedu...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	4.6
Hardware:	All
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Ashley Hardin
QA Contact:	Xiaoli Tian
Docs Contact:	Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-04-08 05:08 UTC by Sunil Thaha
Modified:	2024-06-14 01:09 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	Cause: Setting a default nodeSelector may add an unexpected value to the default nodeSelectors the compliance scans use Consequence: This causes the operator to not be able to schedule all the scans it needs in order to do a compliance check Workaround (if any): The openshift-compliance namespace (or the namespace where the compliance operator was installed) may need to be annotated with: openshift.io/node-selector: "" To remove the default node selector. Result: Once this is done, the operator should work as usual.
Clone Of:
Environment:
Last Closed:	2021-05-05 20:16:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift openshift-docs pull 31746	0	None	open	Bug 1947248, added note to Compliance Operator installation instructions	2021-04-22 06:06:48 UTC

Description Sunil Thaha 2021-04-08 05:08:49 UTC

Description of problem:
Compliance Operator fails to deploy (pods in pending status for ever) if the user has defaultNodeSelector  set in scheduler - cluster. 

Version-Release number of selected component (if applicable): 0.1.29 


How reproducible: Always

Steps to Reproduce:
1. oc edit scheduler cluster

2. set `defaultNodeSelector` to worker as below 
   defaultNodeSelector: node-role.kubernetes.io/worker=

3. Use OLM to install the Compliance Operator 

Actual results:

The Compliance Operator pod gets created but is in `Pending` state of ever. 
Inspecting the Pod shows that its nodeSelector now has 2 values 

nodeSelector:
    node-role.kubernetes.io/master: ""
    node-role.kubernetes.io/worker: ""
 
Thus making none of the nodes match the selector 



Expected results: The operator should be in `Running` state 


Additional info:

There exists a workaround for this which is to create apply the following annotation to openshift-compliance (default project that OLM chooses) project

 openshift.io/node-selector: “”

Comment 1 Juan Antonio Osorio 2021-04-08 05:51:44 UTC

Note that this is an issue when installing the operator through the UI. When installing the operator through the CLI, one needs to create the namespace manually, and thus is able to set the needed annotations. We'll investigate if we can indicate to the UI what annotations we need.

Either way, we need to document this scenario. Thanks for reporting this!

Comment 2 Ashley Hardin 2021-05-05 19:24:15 UTC

The docs update is in https://github.com/openshift/openshift-docs/pull/31746 and QE verified in the PR

Comment 3 Ashley Hardin 2021-05-05 20:16:47 UTC

This content is now published:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/security_and_compliance/compliance-operator#installing-compliance-operator-cli_compliance-operator-installation
https://docs.openshift.com/container-platform/4.7/security/compliance_operator/compliance-operator-installation.html#installing-compliance-operator-cli_compliance-operator-installation

Note You need to log in before you can comment on or make changes to this bug.