- Bug
- Resolution: Duplicate
- Undefined
- None
- 4.12
- None
- Moderate
- None
- False
Description of problem:
The Assisted Installer team received a report from an engineer trying to install OCP 4.12 where the bootstrap-kube-controller-manager pod cannot start: the kubelet refuses to create its mirror pod because the static pod violates the PodSecurity "restricted:latest" profile (hostNetwork, hostPorts, hostPath volumes, no allowPrivilegeEscalation=false, no capabilities.drop=["ALL"], no runAsNonRoot, no seccompProfile). This is a regression from 4.11, where the same configuration installs without error. The issue is probably related to the recent changes in 4.12 security policies.
Version-Release number of selected component (if applicable):
4.12
How reproducible:
Always
Steps to Reproduce:
1. Start an OCP 4.12 installation using the Assisted Installer via the Zero Touch Provisioning flow
Actual results:
kubelet.go:1713] "Failed creating a mirror pod for" err="pods \"bootstrap-kube-controller-manager-cnfde10.ptp.lab.eng.bos.redhat.com\" is forbidden: violates PodSecurity \"restricted:latest\": host namespaces (hostNetwork=true), hostPort (containers \"kube-controller-manager\", \"cluster-policy-controller\" use hostPorts 10257, 10357), allowPrivilegeEscalation != false (containers \"kube-controller-manager\", \"cluster-policy-controller\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"kube-controller-manager\", \"cluster-policy-controller\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volumes \"secrets\", \"etc-kubernetes-cloud\", \"config\", \"ssl-certs-host\", \"logs\" use restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"kube-controller-manager\", \"cluster-policy-controller\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"kube-controller-manager\", \"cluster-policy-controller\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" pod="kube-system/bootstrap-kube-controller-manager-cnfde10.ptp.lab.eng.bos.redhat.com"
Expected results:
The installation is expected to succeed.
Additional info:
1. Full journald log from the machine is attached
2. Engineer reporting the issue is ~jacding@redhat.com
3. Slack thread in apiserver (with no replies) - https://coreos.slack.com/archives/CB48XQ4KZ/p1665585376913689
4. Slack thread in assisted installer (note also irrelevant discussion there) - https://coreos.slack.com/archives/CUPJTHQ5P/p1665524436202809?thread_ts=1663261169.779619&cid=CUPJTHQ5P
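The kubelet error above is the PodSecurity admission plugin evaluating the static pod against the enforce level that applies to its namespace. What follows is an added example, not Kubernetes, OpenShift or Assisted Installer code: a reduced Python re-implementation of the checks the message names, run over a pod spec constructed to resemble the failing static pod and over a hardened spec that passes. It goes a little beyond the report by also evaluating the baseline level and the real `pod-security.kubernetes.io/enforce` namespace label; the `default_level` argument (a stand-in for whatever cluster-wide default the admission configuration sets), the volume paths and the image names are assumptions.

```python
"""PodSecurity admission, reduced to the checks named in the kubelet error above.
Added example, not Kubernetes or OpenShift code. Pod specs are plain dicts in the
shape of a v1.Pod; only the fields the checks read are modelled."""

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"   # real PSA namespace label
ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}                # only add restricted permits
# Volume types the restricted profile permits; hostPath is deliberately absent.
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                           "persistentVolumeClaim", "projected", "secret"}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def _containers(pod):
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def _volume_type(vol):
    # A volume has exactly one key besides "name"; that key is its type.
    return next(k for k in vol if k != "name")


def baseline_violations(pod):
    """Baseline-profile checks that the kubelet message also reports."""
    spec, found = pod["spec"], []
    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        found.append(("host namespaces", ", ".join(f"{k}=true" for k in host_ns)))
    host_ports = [(c["name"], p["hostPort"]) for c in _containers(pod)
                  for p in c.get("ports", []) if p.get("hostPort")]
    if host_ports:
        found.append(("hostPort", ", ".join(f"{n}:{hp}" for n, hp in host_ports)))
    priv = [c["name"] for c in _containers(pod)
            if c.get("securityContext", {}).get("privileged")]
    if priv:
        found.append(("privileged", ", ".join(priv)))
    hostpath = [v["name"] for v in spec.get("volumes", []) if _volume_type(v) == "hostPath"]
    if hostpath:
        found.append(("hostPath volumes", ", ".join(hostpath)))
    return found


def restricted_violations(pod):
    """Baseline plus the restricted-only checks. Pod-level runAsNonRoot and
    seccompProfile are inherited by containers that do not set their own; the
    restricted volume-type check supersedes the baseline hostPath check."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = [v for v in baseline_violations(pod) if v[0] != "hostPath volumes"]
    bad_vols = [v["name"] for v in spec.get("volumes", [])
                if _volume_type(v) not in RESTRICTED_VOLUME_TYPES]
    if bad_vols:
        found.append(("restricted volume types", ", ".join(bad_vols)))
    ape, caps, nonroot, seccomp = [], [], [], []
    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type") in SECCOMP_OK
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:   # must be explicitly false
            ape.append(c["name"])
        cap = sc.get("capabilities", {})
        if "ALL" not in cap.get("drop", []) or not set(cap.get("add", [])) <= ALLOWED_CAP_ADDS:
            caps.append(c["name"])
        rnr = sc.get("runAsNonRoot")
        if rnr is False or (rnr is None and not pod_nonroot):
            nonroot.append(c["name"])
        sp = sc.get("seccompProfile", {}).get("type")
        if (sp is not None and sp not in SECCOMP_OK) or (sp is None and not pod_seccomp):
            seccomp.append(c["name"])
    for label, names in (("allowPrivilegeEscalation != false", ape),
                         ("unrestricted capabilities", caps),
                         ("runAsNonRoot != true", nonroot),
                         ("seccompProfile", seccomp)):
        if names:
            found.append((label, ", ".join(names)))
    return found


def admit(pod, namespace_labels, default_level="privileged"):
    """Violations PSA would report for the namespace's enforce level. An empty list
    means the pod is admitted. default_level stands in for the cluster-wide default
    (assumption: upstream Kubernetes defaults to privileged)."""
    level = namespace_labels.get(ENFORCE_LABEL, default_level)
    if level == "privileged":
        return []
    if level == "baseline":
        return baseline_violations(pod)
    if level == "restricted":
        return restricted_violations(pod)
    raise ValueError(f"unknown pod security level {level!r}")


# Constructed to resemble the failing bootstrap static pod; paths and images are assumptions.
BOOTSTRAP_KCM = {
    "metadata": {"name": "bootstrap-kube-controller-manager", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "kube-controller-manager", "image": "kcm:example",
             "ports": [{"containerPort": 10257, "hostPort": 10257}]},
            {"name": "cluster-policy-controller", "image": "cpc:example",
             "ports": [{"containerPort": 10357, "hostPort": 10357}]},
        ],
        "volumes": [
            {"name": "secrets", "hostPath": {"path": "/etc/kubernetes/bootstrap-secrets"}},
            {"name": "config", "hostPath": {"path": "/etc/kubernetes/bootstrap-configs"}},
            {"name": "logs", "hostPath": {"path": "/var/log/bootstrap-control-plane"}},
        ],
    },
}

# Constructed workload pod that satisfies every restricted check.
HARDENED = {
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "app:example",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
        "volumes": [{"name": "cfg", "configMap": {"name": "app-cfg"}}],
    },
}

if __name__ == "__main__":
    for label, detail in admit(BOOTSTRAP_KCM, {ENFORCE_LABEL: "restricted"}):
        print(f"{label}: {detail}")
    print("privileged namespace:", admit(BOOTSTRAP_KCM, {ENFORCE_LABEL: "privileged"}))
    print("hardened pod, restricted:", admit(HARDENED, {ENFORCE_LABEL: "restricted"}))
```

Run against the constructed bootstrap spec at the restricted level, the function reproduces the seven violation categories in the kubelet message; the same spec is admitted as soon as the namespace is labeled privileged (or the default is privileged and the label is absent), which is why a control-plane static pod that legitimately needs hostNetwork and hostPath can only run where the enforce level is privileged.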
- duplicates
-
OCPBUGS-3166 assisted-installer: pod creation fails due to violations of security policies in 4.12
- Closed
- is duplicated by
-
OCPBUGS-4293 Specify resources.requests for operator pod
- Closed