Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-6418

Cluster logging operator could not create SCC logging-scc

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this update, a potential race condition related to the creation of the SecurityContextConstraint (SCC) caused the Cluster Logging Operator to fail in creating the logging-scc. This issue did not always reproduce and could occur during the initialization of the Collector and LogFileMetricExporter components.
      With this update, the use of a non-cached client resolves the issue by ensuring the actual state of the object is retrieved directly from the API, bypassing any cached objects. This change eliminates unpredictable behavior, allowing the Cluster Logging Operator to reliably create the logging-scc.
      Show
      Before this update, a potential race condition related to the creation of the SecurityContextConstraint (SCC) caused the Cluster Logging Operator to fail in creating the logging-scc. This issue did not always reproduce and could occur during the initialization of the Collector and LogFileMetricExporter components. With this update, the use of a non-cached client resolves the issue by ensuring the actual state of the object is retrieved directly from the API, bypassing any cached objects. This change eliminates unpredictable behavior, allowing the Cluster Logging Operator to reliably create the logging-scc.
    • Bug Fix
    • Log Collection - Sprint 263, Log Collection - Sprint 264, Log Collection - Sprint 265
    • Important

      Description of problem:

      The operator is deployed via automation process which includes creation of openshift-logging namespace, operatorgroup, subscription. The operator pod starts up fine and gets reconciled.

      After creating CLF, collector pods are not deployed and cluster-logging operator  streams below errors on loop:

      2024-11-18T11:21:51.500044647Z {"_ts":"2024-11-18T11:21:51.499998528Z","_level":"0","_component":"cluster-logging-operator","_message":"reconcile.SecurityContextConstraints","_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""}}
2024-11-18T11:21:51.500044647Z {"_ts":"2024-11-18T11:21:51.500032891Z","_level":"0","_component":"cluster-logging-operator_controller.observability","_message":"reconcile error","_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""}}
2024-11-18T11:21:51.506128772Z {"_ts":"2024-11-18T11:21:51.506070113Z","_level":"0","_component":"cluster-logging-operator","_message":"Reconciler error","ClusterLogForwarder":{"name":"instance","namespace":"openshift-logging"},"_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""},"controller":"clusterlogforwarder","controllerGroup":"observability.openshift.io","controllerKind":"ClusterLogForwarder","name":"instance","namespace":"openshift-logging","reconcileID":"acc50de9-c7d4-4b03-a497-6948152a5853"}
2024-11-18T11:21:51.511723237Z {"_ts":"2024-11-18T11:21:51.511689402Z","_level":"0","_component":"cluster-logging-operator","_message":"reconcile.SecurityContextConstraints","_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""}}

      The SCC logging-scc is not created, but restarting the clo pod helps in workaround of the problem.

      Version-Release number of selected component (if applicable):

      Red Hat OpenShift Logging 6.1

      Red Hat OpenShift Container Platform 4.16.15

      How reproducible:

      It is intermittent and is not reproducible 100%.

      Steps to Reproduce:

      1.  NA
      2.  
      3. ...

      Actual results:

      After creating ClusterLogForwarder, collector pods are not not deployed and cluster-logging-operator pod streams below errors:

      2024-11-18T11:29:05.093714682Z {"_ts":"2024-11-18T11:29:05.093704479Z","_level":"0","_component":"cluster-logging-operator_controller.observability","_message":"reconcile error","_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""}}
2024-11-18T11:29:05.099206192Z {"_ts":"2024-11-18T11:29:05.099174475Z","_level":"0","_component":"cluster-logging-operator","_message":"Reconciler error","ClusterLogForwarder":{"name":"instance","namespace":"openshift-logging"},"_error":{"msg":"failed to get /logging-scc SecurityContextConstraints: failed to get restmapping: no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\""},"controller":"clusterlogforwarder","controllerGroup":"observability.openshift.io","controllerKind":"ClusterLogForwarder","name":"instance","namespace":"openshift-logging","reconcileID":"b453b18d-a2b3-4f64-9372-6e61daf48b2e"

      Expected results:

      The creation of SCC should happen automatically by the operator and it should keep watching if the SCC exists or not. If it doesn't exist then the operator should trigger creation of logging-scc SCC resource.

      Additional info:

      Restarting the CLO pod fixes the creation of SCC logging-scc.

      Adding important note from below:   This is reproducible on two customer clusters so far and both are SNO

              vparfono Vitalii Parfonov
              rhn-support-dgautam Dhruv Gautam
              Anping Li Anping Li
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: