Description of problem:
A persistent volume is failing to recycle, stating that it violates PodSecurity "baseline:latest".

Version-Release number of selected component (if applicable):
Server Version: 4.11.0-fc.3

How reproducible:
Only happened once so far.

Steps to Reproduce:
1. Create a pv with the recycle reclaim policy, and pvc/deployment to use it.
2. Delete the pvc/deployment
3. Receive an error when the pv should be recycled.

Actual results:
Received an error in the WebUI that the PV was in a failed state and on further investigation saw:

    status:
      message: 'Recycle failed: unexpected error creating recycler pod: pods "recycler-for-pv-87" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "vol")'
      phase: Failed

Expected results:
PV is recycled correctly.

Additional info:
Full PV definition:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      annotations:
        pv.kubernetes.io/bound-by-controller: "yes"
      creationTimestamp: "2022-06-26T00:28:50Z"
      finalizers:
      - kubernetes.io/pv-protection
      labels:
        type: local
      name: pv-87
      resourceVersion: "121724"
      uid: 84126842-f67b-4e0d-a301-3e43fa94e4c5
    spec:
      accessModes:
      - ReadWriteOnce
      - ReadWriteMany
      capacity:
        storage: 10Gi
      claimRef:
        apiVersion: v1
        kind: PersistentVolumeClaim
        name: mariadb.12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
        namespace: mediawiki
        resourceVersion: "118679"
        uid: b1f03d4e-a3ec-42be-ad9a-53a0fd3eca6d
      hostPath:
        path: /srv/openshift/pv-87
        type: ""
      persistentVolumeReclaimPolicy: Recycle
      storageClassName: manual
      volumeMode: Filesystem
    status:
      message: 'Recycle failed: unexpected error creating recycler pod: pods "recycler-for-pv-87" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "vol")'
      phase: Failed
Jason, please note that recycler has been deprecated for a really long time and it should not be used for any production volumes.
Thanks, I didn't realize that, but see it mentioned in the docs now. https://docs.openshift.com/container-platform/4.10/storage/understanding-persistent-storage.html I'm fine if this will be closed WONTFIX if that's the case and thanks for the heads up!
Verified pass on 4.12.0-0.nightly-2022-09-02-194931

1. Checking the pod-security label in ns openshift-infra

    $ oc get ns openshift-infra -o json | jq .metadata.labels
    {
      "kubernetes.io/metadata.name": "openshift-infra",
      "pod-security.kubernetes.io/audit": "privileged",
      "pod-security.kubernetes.io/enforce": "privileged",
      "pod-security.kubernetes.io/warn": "privileged"
    }

2. Creating pod+pvc+pv (with nfs+Recycle), and then deleting pod+pvc, checking the recycler pod works well.

    recycler-for-pv-nfs 0/1 Pending 0 0s
    recycler-for-pv-nfs 0/1 Pending 0 0s
    recycler-for-pv-nfs 0/1 Pending 0 0s
    recycler-for-pv-nfs 0/1 ContainerCreating 0 0s
    recycler-for-pv-nfs 0/1 ContainerCreating 0 2s
    recycler-for-pv-nfs 0/1 Completed 0 7s
    recycler-for-pv-nfs 0/1 Completed 0 9s
    recycler-for-pv-nfs 0/1 Terminating 0 9s
    recycler-for-pv-nfs 0/1 Terminating 0 9s

Update status to "VERIFIED"
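Added example, not part of the bug thread or of OpenShift's code: a simplified Python model of the single Pod Security check that produced the error above, showing why a hostPath recycler pod is rejected when the namespace enforces "baseline" and admitted with the labels the verification comment shows. The pod manifest is constructed (only the pod name, volume name and path come from the report), and `check_hostpath` and its `default_level` parameter are hypothetical names.

```python
import json

ENFORCE = "pod-security.kubernetes.io/enforce"
ENFORCE_VERSION = "pod-security.kubernetes.io/enforce-version"
LEVELS = ("privileged", "baseline", "restricted")

# Namespace labels as shown in the verification comment (4.12 nightly).
FIXED_NS_LABELS = json.loads("""{
  "kubernetes.io/metadata.name": "openshift-infra",
  "pod-security.kubernetes.io/audit": "privileged",
  "pod-security.kubernetes.io/enforce": "privileged",
  "pod-security.kubernetes.io/warn": "privileged"
}""")

# Constructed recycler pod manifest; only the name, the volume name and the
# path come from the report, the image is a placeholder.
RECYCLER_POD = {
    "metadata": {"name": "recycler-for-pv-87"},
    "spec": {
        "containers": [{"name": "recycler", "image": "example.invalid/recycler"}],
        "volumes": [{"name": "vol", "hostPath": {"path": "/srv/openshift/pv-87"}}],
    },
}


def hostpath_volumes(pod):
    """Return the names of the pod's volumes that are backed by hostPath."""
    return [v["name"] for v in pod.get("spec", {}).get("volumes", [])
            if v.get("hostPath") is not None]


def check_hostpath(ns_labels, pod, default_level="privileged"):
    """Model the hostPath control only; returns (allowed, message).

    default_level is an assumption: it stands in for the cluster-wide
    default applied when the namespace has no enforce label.
    """
    level = ns_labels.get(ENFORCE, default_level)
    if level not in LEVELS:
        raise ValueError(f"unknown Pod Security level: {level!r}")
    bad = hostpath_volumes(pod)
    if level == "privileged" or not bad:
        return True, ""
    version = ns_labels.get(ENFORCE_VERSION, "latest")
    noun = "volume" if len(bad) == 1 else "volumes"
    names = ", ".join(f'"{n}"' for n in bad)
    return False, (f'violates PodSecurity "{level}:{version}": '
                   f"hostPath volumes ({noun} {names})")
```

The same function can be run over the output of `oc get ns -o json` to list namespaces whose enforce level would reject a hostPath pod.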
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399