Bug
Resolution: Done
MON Sprint 237
observability-operator v0.0.21 seems to be unable to start its obo-prometheus-operator-admission-webhook on a lot of OSD/ROSA 4.10 (or lower) clusters right now due to what looks to be a seccomp error.
33m Warning FailedCreate replicaset/obo-prometheus-operator-admission-webhook-bd4c5b58f Error creating: pods "obo-prometheus-operator-admission-webhook-bd4c5b58f-m8ntn" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/prometheus-operator-admission-webhook: Forbidden: seccomp may not be set provider "anyuid": Forbidden: not usable by user or serviceaccount pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set spec.containers[0].securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000800000, 1000809999] pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/prometheus-operator-admission-webhook: Forbidden: seccomp may not be set provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden: not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable by user or serviceaccount provider "splunkforwarder": Forbidden: not usable by user or serviceaccount provider "node-exporter": Forbidden: not usable by user or serviceaccount provider "privileged": Forbidden: not usable by user or serviceaccount]
This causes a critical and persistent PodDisruptionBudgetLimit alert to fire after cluster installation.
OSD/ROSA Production is currently running v0.0.20 and does not appear to be impacted as best I can tell.
Staging clusters currently impacted can be reviewed as follows:
https://promlens.devshift.net/?l=RUY-piyfmRr
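For triage, the FailedCreate message above can be split into the SCCs the service account was never allowed to use and the pod fields that the remaining SCCs rejected. The following is an added example, not part of the original report or of observability-operator; the function name parse_scc_rejection and the shortened SAMPLE string are assumptions made for illustration.

```python
import re

# Constructed sample: the FailedCreate message from the report, shortened to four entries.
SAMPLE = (
    'pods "obo-prometheus-operator-admission-webhook-bd4c5b58f-m8ntn" is forbidden: '
    'unable to validate against any security context constraint: ['
    'pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: '
    'Forbidden: seccomp may not be set '
    'provider "anyuid": Forbidden: not usable by user or serviceaccount '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 65534: '
    'must be in the ranges: [1000800000, 1000809999] '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

MARKER = "security context constraint: ["

# Each entry begins with either provider "<scc>" or a pod field path,
# followed by a verdict ("Forbidden" or "Invalid value").
ENTRY_START = re.compile(
    r'(?:provider "[^"]+"|(?:pod|spec)\.[^\s:]+): (?:Forbidden|Invalid value): '
)


def parse_scc_rejection(message):
    """Return (unusable_providers, field_violations) from an SCC rejection message.

    unusable_providers: SCC names reported as not usable by the service account.
    field_violations: field path -> set of distinct reasons (repeats are merged).
    """
    if MARKER not in message:
        raise ValueError("not an SCC validation error")
    body = message.split(MARKER, 1)[1].strip()
    if body.endswith("]"):
        body = body[:-1]  # drop only the bracket that closes the error list
    starts = [m.start() for m in ENTRY_START.finditer(body)] + [len(body)]
    providers, violations = [], {}
    for begin, end in zip(starts, starts[1:]):
        subject, detail = body[begin:end].strip().split(": ", 1)
        if subject.startswith("provider "):
            providers.append(subject.split('"')[1])
        else:
            violations.setdefault(subject, set()).add(detail)
    return providers, violations


if __name__ == "__main__":
    unusable, fields = parse_scc_rejection(SAMPLE)
    print("SCCs not granted:", ", ".join(unusable))
    for path, reasons in fields.items():
        print(path, "->", "; ".join(sorted(reasons)))
```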