-
Bug
-
Resolution: Not a Bug
-
Minor
-
None
-
4.14
-
Quality / Stability / Reliability
-
False
-
-
None
-
None
-
No
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
ephemeral Container Status remains in 'Error' condition in arm64 envs
How reproducible:
Always
Steps to Reproduce:
1. Create a arm64 cluster
2.
$ oc login -u testuser-0 -p ...
$ oc new-project test-emph
3. $ oc label ns test-emph --context admin security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite
4. $ oc create role role-ephemeralcontainers --verb=get,list,watch,update,patch --resource=pods/ephemeralcontainers -n test-emph --context=admin
5. $ oc policy add-role-to-user role-ephemeralcontainers testuser-0 --role-namespace=test-emph --context=admin -n test-emph
6. $ oc run hello-openshift --image=quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83
7. $ oc adm policy add-scc-to-user privileged -z default -n test-emph --context admin
8. cat sample-pod-ephemeral-container-complex.json
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "hello-openshift"
},
"spec": {
"serviceAccount": "default",
"ephemeralContainers": [
{
"name": "ephemeral-pod-debugger",
"image": "gcr.io/google-samples/node-hello:1.0",
"command": [
"bash",
"-ec"
],
"args": [
"echo 'Printing whoami:'\nwhoami\nsleep 360d\n"
],
"targetContainerName": "hello-openshift",
"tty": true,
"stdin": true,
"securityContext": {
"privileged": true,
"runAsUser": 0
}
}
]
}
}
$ oc replace --raw /api/v1/namespaces/test-emph/pods/hello-openshift/ephemeralcontainers -f sample-pod-ephemeral-container-complex.json
Actual results:
$ oc rsh -c ephemeral-pod-debugger hello-openshift
error: unable to upgrade connection: container not found ("ephemeral-pod-debugger")
$ oc get po -o jsonpath={.items[*].status.ephemeralContainerStatuses}
[{"containerID":"cri-o://a9493795067e279b9bb25fffaba968f1bcf238bb1dc70f52b449853400e1ca43","image":"gcr.io/google-samples/node-hello:1.0","imageID":"gcr.io/google-samples/node-hello@sha256:d238d0ab54efb76ec0f7b1da666cefa9b40be59ef34346a761b8adc2dd45459b","lastState":{},"name":"ephemeral-pod-debugger","ready":false,"restartCount":0,"state":{"terminated":{"containerID":"cri-o://a9493795067e279b9bb25fffaba968f1bcf238bb1dc70f52b449853400e1ca43","exitCode":1,"finishedAt":"2023-09-22T07:45:50Z","reason":"Error","startedAt":"2023-09-22T07:45:50Z"}}}]1:23
Expected results:
ephemeral Container in running State
Additional info:
This work fine in all other envs:
$ oc get po -o jsonpath={.items[*].status.ephemeralContainerStatuses}
[{"containerID":"cri-o://db8134df62d047bbcb497e9c685d1620bf51ee516304ffed200e9d4851976ee4","image":"gcr.io/google-samples/node-hello:1.0","imageID":"gcr.io/google-samples/node-hello@sha256:d238d0ab54efb76ec0f7b1da666cefa9b40be59ef34346a761b8adc2dd45459b","lastState":{},"name":"ephemeral-pod-debugger","ready":false,"restartCount":0,"state":{"running":{"startedAt":"2023-09-22T07:20:59Z"}}}]