Bug
Resolution: Done
Blocker
Logging 5.5.3
Before this change, the log collector SCC could be superseded by other SCCs on the cluster, rendering the collector unusable. This change sets a priority on the SCC so that it takes precedence over the others.
Log Collection - Sprint 227, Log Collection - Sprint 228, Log Collection - Sprint 229, Log Collection - Sprint 230
Description of problem:
Customer installed the cluster-logging.5.5.3 operator and it failed to deploy with the following error:
Warning FailedCreate 9m26s (x12 over 9m37s) daemonset-controller Error creating: pods "collector-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[5]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[6]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[7]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[8]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[14]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c35,c20, spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , spec.containers[1].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c35,c20, spec.containers[1].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[16]: Invalid value: "projected": projected volumes are not allowed to be used, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, 
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "twistlock-scc": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
Version-Release number of selected component (if applicable):
ROSA 4.11.5
cluster-logging.5.5.3
Steps to Reproduce:
- Install a ROSA cluster
- Install the cluster logging addon
Actual results:
Expect to see the collector pods failing due to an SCC error
Expected results:
The collector pods should schedule successfully
Additional info:
It has been found that:
- Attempting to manually add the log-collector-scc to the logcollector service account did not fix the problem
- Applying the privileged security context constraint to the logcollector service account mitigates the problem and allows the collector to deploy.
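Added example, not part of the original report or the operator's code: a small Python parser that condenses an SCC admission denial like the one quoted above into the SCCs the requester is not allowed to use and the pod-spec fields that failed validation, grouped and counted. `SAMPLE_EVENT` is a constructed, shortened copy of the event in this report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the FailedCreate event quoted in this report.
SAMPLE_EVENT = (
    'Error creating: pods "collector-" is forbidden: unable to validate against '
    'any security context constraint: [provider "anyuid": Forbidden: not usable '
    'by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": '
    'hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: '
    '"hostPath": hostPath volumes are not allowed to be used, '
    'spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": '
    'must be s0:c35,c20, spec.containers[0].securityContext.seLinuxOptions.type: '
    'Invalid value: "spc_t": must be , provider "privileged": Forbidden: not '
    'usable by user or serviceaccount]'
)

NOT_USABLE = re.compile(
    r'provider "([^"]+)": Forbidden: not usable by user or serviceaccount')

def parse_scc_denial(message):
    """Return (SCC names the requester may not use, Counter of field violations)."""
    start, end = message.find("["), message.rfind("]")
    if start < 0 or end <= start:
        raise ValueError("no bracketed SCC error list in message")
    # Split only where a new entry starts; values like "s0:c35,c20" contain commas.
    entries = re.split(r',\s+(?=provider "|spec\.)', message[start + 1:end])
    not_usable, violations = [], Counter()
    for entry in (e.strip() for e in entries):
        match = NOT_USABLE.fullmatch(entry)
        if match:
            not_usable.append(match.group(1))
        elif entry.startswith("spec."):
            field, _, reason = entry.partition(": ")
            # Collapse list indices so repeated volume/container errors group together.
            violations[(re.sub(r"\[\d+\]", "[*]", field), reason)] += 1
        elif entry:
            violations[("unparsed", entry)] += 1
    return not_usable, violations

def summarize(message):
    """Render the parsed denial as short triage lines, most frequent violation first."""
    not_usable, violations = parse_scc_denial(message)
    lines = [f"not usable by requester: {', '.join(not_usable) or 'none'}"]
    for (field, reason), count in violations.most_common():
        lines.append(f"{count}x {field}: {reason}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_EVENT)))
```

An SCC name that is absent from the "not usable" list and whose constraints match the grouped field violations is a candidate for the one that was actually evaluated against the pod.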
- clones: LOG-3235 cluster-logging.5.5.3 failing to deploy on ROSA (Closed)