Cloud Infrastructure Security & Compliance / CMP-4099

The selinuxprofile gets stuck at “InProgress” status because of a serviceaccount permission issue


      Description of problem:

      The selinuxprofile gets stuck at “InProgress” status because of a serviceaccount permission issue:
      $ oc get selinuxprofiles.security-profiles-operator.x-k8s.io  -w
      NAME                      USAGE                             STATE
      error-logger-enforcing    error-logger-enforcing.process    InProgress
      error-logger-permissive   error-logger-permissive.process   InProgress
      error-logger-y260dzy3og                                     
      nginx-secure              nginx-secure.process              InProgress
      nginx-secureowd38j7sd0    nginx-secureowd38j7sd0.process    InProgress
      $ oc logs pod/spod-2q8l7  -c security-profiles-operator
      I0209 03:11:11.772209       1 common_controller.go:315] "Checking if policy deployed" logger="selinuxprofile" Request.Namespace="" Request.Name="error-logger-permissive" policyName="error-logger-permissive"
      I0209 03:11:12.010486       1 common_controller.go:172] "Reconciling object in selinuxprofile" logger="selinuxprofile" Request.Namespace="" Request.Name="nginx-secureowd38j7sd0"
      I0209 03:11:12.011094       1 common_controller.go:315] "Checking if policy deployed" logger="selinuxprofile" Request.Namespace="" Request.Name="nginx-secureowd38j7sd0" policyName="nginx-secureowd38j7sd0"
      I0209 03:11:12.030765       1 common_controller.go:172] "Reconciling object in selinuxprofile" logger="selinuxprofile" Request.Namespace="" Request.Name="error-logger-enforcing"
      I0209 03:11:12.031294       1 common_controller.go:315] "Checking if policy deployed" logger="selinuxprofile" Request.Namespace="" Request.Name="error-logger-enforcing" policyName="error-logger-enforcing"
      E0209 03:11:12.135690       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:11:13.178055       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:11:15.537806       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:11:21.057976       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:11:31.077013       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:11:51.746732       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      E0209 03:12:30.671958       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope" logger="controller-runtime.cache.UnhandledError" reflector="k8s.io/client-go@v0.35.0/tools/cache/reflector.go:289" type="*v1.Job"
      $ oc auth can-i list jobs --as=system:serviceaccount:openshift-security-profiles:spod -n openshift-security-profiles
      no
      

       

       

      Version-Release number of selected component (if applicable):

       4.21.0-0.nightly-2026-02-05-184824

      How reproducible:

         Always

      Steps to Reproduce:

      1. Install SPO v0.10.0
      2. Create a selinuxprofile

      Actual results:

      The selinuxprofile gets stuck at “InProgress” status because of a serviceaccount permission issue.


      Expected results:

      The selinuxprofile should reach Installed status soon.

              wenshen@redhat.com Vincent Shen
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
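
The denial in the log is reported "at the cluster scope", while the `oc auth can-i` check in the report passes `-n` and so tests the namespaced permission. As an added example (not part of the original report or of the operator's code), this script extracts each distinct RBAC denial from the operator log and builds the `oc auth can-i` check at the matching scope; the function names and the `example-ns` identity are hypothetical.

```python
import re
from collections import Counter

# Sample input: the first two lines repeat the denial from the log above with the
# trailing logger/reflector fields dropped; the last line is constructed to show
# the namespaced form of the same API-server message.
SAMPLE_LOG = r'''
E0209 03:11:12.135690       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope"
E0209 03:11:13.178055       1 runtime.go:221] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User \"system:serviceaccount:openshift-security-profiles:spod\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope"
I0209 03:11:12.010486       1 common_controller.go:172] "Reconciling object in selinuxprofile" logger="selinuxprofile"
E0209 03:11:14.000000       1 runtime.go:221] "Failed to watch" err="failed to list *v1.ConfigMap: configmaps is forbidden: User \"system:serviceaccount:example-ns:example-sa\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"example-ns\""
'''

# Matches the API server's "forbidden" message whether or not the quotes are
# backslash-escaped (they are escaped inside klog's err="..." field).
DENIAL = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>[a-z]+)'
    r' resource \\?"(?P<resource>[^"\\]+)\\?"'
    r' in API group \\?"(?P<group>[^"\\]*)\\?"'
    r' (?:at the cluster scope|in the namespace \\?"(?P<namespace>[^"\\]+)\\?")'
)


def parse_denials(log_text):
    """Count distinct RBAC denials; reflector retries collapse into one entry."""
    seen = Counter()
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            # namespace is None when the denial is at cluster scope
            key = (m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
            seen[key] += 1
    return seen


def can_i_command(user, verb, resource, group, namespace):
    """Build the `oc auth can-i` check at the same scope as the denial."""
    target = f"{resource}.{group}" if group else resource  # core group is ""
    scope = f"-n {namespace}" if namespace else "--all-namespaces"
    return f"oc auth can-i {verb} {target} --as={user} {scope}"


if __name__ == "__main__":
    for denial, count in parse_denials(SAMPLE_LOG).items():
        print(f"{count}x  {can_i_command(*denial)}")
```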