Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2082099

Summary: The seccompprofile could not reach “installed” status due to length limitation when trying to create finalizer
Product: OpenShift Container Platform Reporter: xiyuan
Component: Security Profiles OperatorAssignee: Vincent Shen <wenshen>
Status: CLOSED ERRATA QA Contact: xiyuan
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.11CC: davegord, jhrozek, lbragsta, wenshen
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-18 11:36:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description xiyuan 2022-05-05 11:54:17 UTC 
Description of problem:
When Security Profiles Operator installation complete, check the seccompprofile status, the seccompprofiles’s status may stuck at “Pending”:
$ oc get seccompprofiles
NAME                 STATUS    AGE
log-enricher-trace   Pending   5m49s
nginx-1.19.1         Pending   5m49s

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-05-04-214114 + security-profiles-operator-bundle-container-0.4.3-17


How reproducible:
Sometimes

Steps to Reproduce:
1. Login OCP as administrator, Install Operator “Security Profiles Operator” 
2. Check the seccompprofile status

Actual results:
The seccompprofiles’s status is stuck at “Pending”. The securityprofilenodestatuses only show for master nodes,not for worker nodes.


$ oc get seccompprofiles.security-profiles-operator.x-k8s.io  -w
NAME                 STATUS    AGE
log-enricher-trace   Pending   5m49s
nginx-1.19.1         Pending   5m49s
$ oc get securityprofilenodestatuses
NAME                                                                     STATUS      AGE
log-enricher-trace-xiyuan-0505a-hhbhz-master-0.c.openshift-qe.internal   Installed   15m
log-enricher-trace-xiyuan-0505a-hhbhz-master-1.c.openshift-qe.internal   Installed   15m
log-enricher-trace-xiyuan-0505a-hhbhz-master-2.c.openshift-qe.internal   Installed   16m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-0.c.openshift-qe.internal         Installed   15m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-1.c.openshift-qe.internal         Installed   15m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-2.c.openshift-qe.internal         Installed   16m


Check the spod log for one worker node:
$ oc logs pod/spod-svjg6 --all-containers
…
E0505 09:52:56.950909       1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for log-enricher-trace: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"log-enricher-trace\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="log-enricher-trace" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:52:56.957882       1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for nginx-1.19.1: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"nginx-1.19.1\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="nginx-1.19.1" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:53:29.070423       1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for log-enricher-trace: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"log-enricher-trace\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="log-enricher-trace" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:53:29.079574       1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for nginx-1.19.1: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"nginx-1.19.1\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="nginx-1.19.1" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
…

Expected results:
The seccompprofile should be in “Installed” status, instead of “Pending”. The securityprofilenodestatuses should show for both master nodes and worker nodes.



Additional info:
Comment 3 Jakub Hrozek 2022-06-03 11:16:40 UTC 
Reviewed, legit bug.
Comment 7 xiyuan 2022-12-21 14:43:54 UTC 
Verification pass with 4.13.0-0.nightly-2022-12-20-174734 + security-profiles-operator-bundle-container-0.5.0-62
$ oc get all
NAME                                                      READY   STATUS    RESTARTS   AGE
pod/security-profiles-operator-6587778674-4b9wl           1/1     Running   0          3m4s
pod/security-profiles-operator-6587778674-4bbpl           1/1     Running   0          3m4s
pod/security-profiles-operator-6587778674-t8rbn           1/1     Running   0          3m4s
pod/security-profiles-operator-webhook-5878c5bc9b-4xnsl   1/1     Running   0          2m56s
pod/security-profiles-operator-webhook-5878c5bc9b-m9kgb   1/1     Running   0          2m56s
pod/security-profiles-operator-webhook-5878c5bc9b-zcxmq   1/1     Running   0          2m56s
pod/spod-8vxlw                                            4/4     Running   0          2m56s
pod/spod-bhxxp                                            4/4     Running   0          2m56s
pod/spod-ht5mp                                            4/4     Running   0          2m56s
pod/spod-xmzrt                                            4/4     Running   0          2m56s
pod/spod-zch5k                                            4/4     Running   0          2m56s
pod/spod-zxbxr                                            4/4     Running   0          2m56s

NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/metrics           ClusterIP   172.30.160.27    <none>        443/TCP   2m57s
service/webhook-service   ClusterIP   172.30.116.102   <none>        443/TCP   2m57s

NAME                  DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/spod   6         6         6       6            6           kubernetes.io/os=linux   2m57s

NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/security-profiles-operator           3/3     3            3           3m5s
deployment.apps/security-profiles-operator-webhook   3/3     3            3           2m57s

NAME                                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/security-profiles-operator-6587778674           3         3         3       3m6s
replicaset.apps/security-profiles-operator-webhook-5878c5bc9b   3         3         3       2m58s
$ oc get node --no-headers | awk '{print $1}' > node_name.txt
$ cat node_name.txt 
xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal
xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal
xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.internal
$ awk -F "" '{print NF}' node_name.txt 
51
51
51
57
57
57
$ oc get sp
NAME                 STATUS      AGE
log-enricher-trace   Installed   12m
nginx-1.19.1         Installed   12m
#############When the node name > 55(limit 63-len(-deleted)), the finalizer will not show the full node name:
$ oc get sp log-enricher-trace -o=jsonpath={.metadata.finalizers} | jq -r
[
  "xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal-deleted"
]

$ oc get sp nginx-1.19.1 -o=jsonpath={.metadata.finalizers} | jq -r
[
  "xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal-deleted"
]
Comment 10 errata-xmlrpc 2023-01-18 11:36:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Security Profiles Operator release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8762