Description of problem:
When Security Profiles Operator installation is complete, check the seccompprofile status; the seccompprofiles' status may be stuck at “Pending”:
$ oc get seccompprofiles
NAME                 STATUS    AGE
log-enricher-trace   Pending   5m49s
nginx-1.19.1         Pending   5m49s

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-05-04-214114 + security-profiles-operator-bundle-container-0.4.3-17

How reproducible:
Sometimes

Steps to Reproduce:
1. Login OCP as administrator, Install Operator “Security Profiles Operator”
2. Check the seccompprofile status

Actual results:
The seccompprofiles' status is stuck at “Pending”. The securityprofilenodestatuses only show for master nodes, not for worker nodes.
$ oc get seccompprofiles.security-profiles-operator.x-k8s.io -w
NAME                 STATUS    AGE
log-enricher-trace   Pending   5m49s
nginx-1.19.1         Pending   5m49s
$ oc get securityprofilenodestatuses
NAME                                                                       STATUS      AGE
log-enricher-trace-xiyuan-0505a-hhbhz-master-0.c.openshift-qe.internal    Installed   15m
log-enricher-trace-xiyuan-0505a-hhbhz-master-1.c.openshift-qe.internal    Installed   15m
log-enricher-trace-xiyuan-0505a-hhbhz-master-2.c.openshift-qe.internal    Installed   16m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-0.c.openshift-qe.internal          Installed   15m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-1.c.openshift-qe.internal          Installed   15m
nginx-1.19.1-xiyuan-0505a-hhbhz-master-2.c.openshift-qe.internal          Installed   16m

Check the spod log for one worker node:
$ oc logs pod/spod-svjg6 --all-containers
…
E0505 09:52:56.950909 1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for log-enricher-trace: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"log-enricher-trace\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="log-enricher-trace" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:52:56.957882 1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for nginx-1.19.1: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"nginx-1.19.1\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="nginx-1.19.1" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:53:29.070423 1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for log-enricher-trace: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"log-enricher-trace\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="log-enricher-trace" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
E0505 09:53:29.079574 1 controller.go:317] controller/profile "msg"="Reconciler error" "error"="cannot ensure node status: cannot create finalizer for nginx-1.19.1: wait on retry: retry function: SeccompProfile.security-profiles-operator.x-k8s.io \"nginx-1.19.1\" is invalid: metadata.finalizers: Invalid value: \"xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete\": name part must be no more than 63 characters" "name"="nginx-1.19.1" "namespace"="security-profiles-operator" "reconciler group"="security-profiles-operator.x-k8s.io" "reconciler kind"="SeccompProfile"
…

Expected results:
The seccompprofile should be in “Installed” status, instead of “Pending”.
The securityprofilenodestatuses should show for both master nodes and worker nodes.

Additional info:
Reviewed, legit bug.
Verification pass with 4.13.0-0.nightly-2022-12-20-174734 + security-profiles-operator-bundle-container-0.5.0-62

$ oc get all
NAME                                                      READY   STATUS    RESTARTS   AGE
pod/security-profiles-operator-6587778674-4b9wl           1/1     Running   0          3m4s
pod/security-profiles-operator-6587778674-4bbpl           1/1     Running   0          3m4s
pod/security-profiles-operator-6587778674-t8rbn           1/1     Running   0          3m4s
pod/security-profiles-operator-webhook-5878c5bc9b-4xnsl   1/1     Running   0          2m56s
pod/security-profiles-operator-webhook-5878c5bc9b-m9kgb   1/1     Running   0          2m56s
pod/security-profiles-operator-webhook-5878c5bc9b-zcxmq   1/1     Running   0          2m56s
pod/spod-8vxlw                                            4/4     Running   0          2m56s
pod/spod-bhxxp                                            4/4     Running   0          2m56s
pod/spod-ht5mp                                            4/4     Running   0          2m56s
pod/spod-xmzrt                                            4/4     Running   0          2m56s
pod/spod-zch5k                                            4/4     Running   0          2m56s
pod/spod-zxbxr                                            4/4     Running   0          2m56s

NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/metrics           ClusterIP   172.30.160.27    <none>        443/TCP   2m57s
service/webhook-service   ClusterIP   172.30.116.102   <none>        443/TCP   2m57s

NAME                  DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/spod   6         6         6       6            6           kubernetes.io/os=linux   2m57s

NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/security-profiles-operator           3/3     3            3           3m5s
deployment.apps/security-profiles-operator-webhook   3/3     3            3           2m57s

NAME                                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/security-profiles-operator-6587778674           3         3         3       3m6s
replicaset.apps/security-profiles-operator-webhook-5878c5bc9b   3         3         3       2m58s

$ oc get node --no-headers | awk '{print $1}' > node_name.txt
$ cat node_name.txt
xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal
xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal
xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.internal
xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.internal
$ awk -F "" '{print NF}' node_name.txt
51
51
51
57
57
57
$ oc get sp
NAME                 STATUS      AGE
log-enricher-trace   Installed   12m
nginx-1.19.1         Installed   12m

When the node name > 55 (limit 63-len(-deleted)), the finalizer will not show the full node name:
$ oc get sp log-enricher-trace -o=jsonpath={.metadata.finalizers} | jq -r
[
  "xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal-deleted"
]
$ oc get sp nginx-1.19.1 -o=jsonpath={.metadata.finalizers} | jq -r
[
  "xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-worker-a-kljxp.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-1.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-worker-c-87j47.c.openshift-qe.intern-deleted",
  "xiyuan-1221c-g2cst-master-0.c.openshift-qe.internal-deleted",
  "xiyuan-1221c-g2cst-master-2.c.openshift-qe.internal-deleted"
]
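
The length arithmetic behind the error and the truncated finalizers above, as an added example that is not part of the bug report and not the operator's own code. `validNamePart`, `finalizerFor` and `collisions` are hypothetical helpers modeled on the output shown (the regular expression restates the Kubernetes qualified-name rule for the name part), and the `zone-a`/`zone-b` node names are constructed; the collision check goes one step beyond what the report verifies.

```go
package main

import (
	"fmt"
	"regexp"
)

const maxNamePart = 63    // limit quoted in the API server error above
const suffix = "-deleted" // suffix seen in the verified finalizers

// Name-part syntax of a Kubernetes qualified name (no "prefix/" handled here).
var namePart = regexp.MustCompile(`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)

// validNamePart reports whether s passes the length and syntax checks.
func validNamePart(s string) bool {
	return len(s) <= maxNamePart && namePart.MatchString(s)
}

// finalizerFor (hypothetical) cuts the node name so that name+suffix fits
// in 63 characters, matching the truncated values in the verified output.
func finalizerFor(node string) string {
	if limit := maxNamePart - len(suffix); len(node) > limit {
		node = node[:limit]
	}
	return node + suffix
}

// collisions returns finalizer strings that more than one node maps to.
func collisions(nodes []string) map[string][]string {
	seen := map[string][]string{}
	for _, n := range nodes {
		f := finalizerFor(n)
		seen[f] = append(seen[f], n)
	}
	for f, ns := range seen {
		if len(ns) < 2 {
			delete(seen, f)
		}
	}
	return seen
}

func main() {
	// Finalizer from the original error log: 57-character node name + "-delete".
	fmt.Println(validNamePart("xiyuan-0505a-hhbhz-worker-c-h49fs.c.openshift-qe.internal-delete"))
	fmt.Println(finalizerFor("xiyuan-1221c-g2cst-worker-b-csp5b.c.openshift-qe.internal"))
	// Constructed node names that differ only after character 55.
	p := "worker-0.cluster-with-a-very-long-name.region-1.example"
	fmt.Println(collisions([]string{p + ".zone-a", p + ".zone-b"}))
}
```

Under this scheme, node names that share their first 55 characters map to the same finalizer string, which is worth checking for in clusters with long common hostname prefixes.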
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Security Profiles Operator release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8762