Bug 1992231 - hostpath-provisioner Pods are not created
Summary: hostpath-provisioner Pods are not created
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.10.0
Assignee: Alexander Wels
QA Contact: Jenia Peimer
URL:
Whiteboard:
Duplicates: 1992244
Depends On:
Blocks: 2008949
Reported: 2021-08-10 18:47 UTC by Denis Ollier
Modified: 2022-03-16 15:53 UTC

Fixed In Version: hostpath-provisioner-operator-v4.10.0-32, hco-v4.10.0-337
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-16 15:51:21 UTC
Target Upstream Version:
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | kubevirt hostpath-provisioner-operator pull 123 | 0 | None | Merged | Update generated SCC to use with CSI. | 2021-11-08 13:42:02 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 148 | 0 | None | Merged | Enable leader election for csi-provisioner and snapshotter | 2021-10-25 04:48:22 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 150 | 0 | None | Merged | Generate the crds and roles from the operator.yaml. | 2021-11-07 08:47:19 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 151 | 0 | None | Merged | Add feature gate field to hpp CR so we can optionally disable features. | 2021-11-07 08:47:19 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 152 | 0 | None | Merged | Add snapshot featuregate support | 2021-11-07 08:47:19 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 153 | 0 | None | Merged | Switch listType to atomic | 2021-11-07 08:47:19 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 155 | 0 | None | Merged | Generate operator deployment in csv-generator | 2021-11-07 08:47:19 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 168 | 0 | None | Merged | Added proper resource on webhook definition | 2021-11-14 09:57:27 UTC |
| Github | kubevirt hostpath-provisioner-operator pull 169 | 0 | None | Merged | Sync generated resources | 2021-11-17 13:37:49 UTC |
| Red Hat Product Errata | RHSA-2022:0947 | 0 | None | None | None | 2022-03-16 15:53:09 UTC |

Description Denis Ollier 2021-08-10 18:47:13 UTC
Description of problem
----------------------

After creating a HostPathProvisioner CustomResource, the DaemonSet is created by the hostpath-provisioner-operator but hostpath-provisioner Pods are not created.

Analysis
--------

The hostpath-provisioner Pod template has been modified in upstream PR https://github.com/kubevirt/hostpath-provisioner-operator/pull/113.

Among other changes, the Pod is now privileged.

> kind: DaemonSet
> apiVersion: apps/v1
> metadata:
>   name: hostpath-provisioner
>   namespace: openshift-cnv
> spec:
>   [...]
>   template:
>     [...]
>     spec:
>       containers:
>         - name: hostpath-provisioner
>           [...]
>           securityContext:
>             privileged: true
>           [...]

However, the SCC has not been updated to allow such privileges:

> kind: SecurityContextConstraints
> apiVersion: security.openshift.io/v1
> metadata:
>   name: hostpath-provisioner
> [...]
> allowPrivilegedContainer: false
> [...]
> users:
> - system:serviceaccount:openshift-cnv:hostpath-provisioner-admin
> [...]

Modifying the SCC to allow privileged containers (after scaling down the hostpath-provisioner-operator) fixes the issue.

Version
-------
OCP: 4.9.0-0.nightly
CNV: http://cnv-version-explorer.apps.cnv.engineering.redhat.com/BundleDetails?ver=v4.9.0-89
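
Added example (not part of the original report or of the operator's code): a simplified pre-deployment check that compares a workload's Pod template against one SCC and lists why its Pods would be rejected, reproducing the mismatch described above. The manifests are constructed from the snippets in the report; the `serviceAccountName` value and the function name `scc_violations` are assumptions, and the host-namespace checks go beyond the single `privileged` case reported here.

```python
# Constructed sample manifests, reduced to the fields shown in the report.
DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "hostpath-provisioner", "namespace": "openshift-cnv"},
    "spec": {"template": {"spec": {
        # Assumption: the report elides this field; the SCC's users entry suggests it.
        "serviceAccountName": "hostpath-provisioner-admin",
        "containers": [{"name": "hostpath-provisioner",
                        "securityContext": {"privileged": True}}],
    }}},
}
SCC = {
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "hostpath-provisioner"},
    "allowPrivilegedContainer": False,
    "users": ["system:serviceaccount:openshift-cnv:hostpath-provisioner-admin"],
}

def scc_violations(workload, scc):
    """Return the reasons this one SCC would not admit the workload's Pods.

    Simplified model: real admission also considers SCCs granted through
    groups or RBAC 'use' permission and tries every SCC available to the
    service account; only the 'users' list of a single SCC is checked here.
    """
    ns = workload["metadata"]["namespace"]
    pod = workload["spec"]["template"]["spec"]
    user = f"system:serviceaccount:{ns}:{pod.get('serviceAccountName', 'default')}"
    reasons = []
    if user not in scc.get("users", []):
        reasons.append(f"{user} is not listed in SCC users")
    # Pod-level host namespace requests and the SCC field that permits each.
    for pod_key, scc_key in (("hostNetwork", "allowHostNetwork"),
                             ("hostPID", "allowHostPID"),
                             ("hostIPC", "allowHostIPC")):
        if pod.get(pod_key) and not scc.get(scc_key, False):
            reasons.append(f"pod requests {pod_key} but {scc_key} is false")
    # Init containers are subject to the same constraint as regular ones.
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged") \
                and not scc.get("allowPrivilegedContainer", False):
            reasons.append(f"container {c['name']} is privileged but "
                           "allowPrivilegedContainer is false")
    return reasons

if __name__ == "__main__":
    print(scc_violations(DAEMONSET, SCC))                                   # as reported
    print(scc_violations(DAEMONSET, {**SCC, "allowPrivilegedContainer": True}))  # after the SCC change
```
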

Comment 2 Yan Du 2021-08-16 09:36:39 UTC
The feature should be fully addressed in CNV 4.10, so change the version to 4.10.
If the issue cannot be reproduced on 4.10, feel free to close it.

Comment 3 Maya Rashish 2021-10-13 09:12:05 UTC
Verified as already fixed in 4.9.0-99 by Denis Ollier. This means it's in 4.9.0 already.

Comment 4 Maya Rashish 2021-10-13 09:15:32 UTC
Undoing previous, I didn't realize that cnv-4.9 went backwards and the breakage is now specific to 4.10 and should be fixed in 4.10.

Comment 5 Maya Rashish 2021-10-13 09:21:47 UTC
Fix for v4.10.0 should be from hostpath-provisioner-operator v4.10.0-4.

Comment 12 Maya Rashish 2021-11-14 09:50:30 UTC
*** Bug 1992244 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2022-03-16 15:51:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947

