OpenShift Bugs / OCPBUGS-3453

scc annotations are missed in some cases


    • Critical
    • Rejected

      Description of problem:

      SCC annotations often go missing in the netobserv-privileged NS created by the NetObserv Operator. This causes the warnings and errors in the logs below and a slow rollout of pods in that NS.
      
      
      $ oc get ns/netobserv-privileged -o yaml
      apiVersion: v1
      kind: Namespace
      metadata:
        creationTimestamp: "2022-11-09T14:33:57Z"
        labels:
          app: netobserv-operator
          kubernetes.io/metadata.name: netobserv-privileged
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
        name: netobserv-privileged
        ownerReferences:
        - apiVersion: flows.netobserv.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: FlowCollector
          name: cluster
          uid: c532415f-a4e7-4438-b40c-aa02ef1d6b0d
        resourceVersion: "59366"
        uid: dc24b6f4-74f0-46d8-a127-ccc281e62943
      spec:
        finalizers:
        - kubernetes
      status:
        phase: Active
      
      
      1s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      56s         Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   Created pod: netobserv-ebpf-agent-c477n
      55s         Normal    SuccessfulDelete   daemonset/netobserv-ebpf-agent   Deleted pod: netobserv-ebpf-agent-4lsfm
      23s         Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   Created pod: netobserv-ebpf-agent-9f8jm
      22s         Normal    SuccessfulDelete   daemonset/netobserv-ebpf-agent   Deleted pod: netobserv-ebpf-agent-g6766
      0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
      0s          Normal    Scheduled          pod/netobserv-ebpf-agent-qks6q   Successfully assigned netobserv-privileged/netobserv-ebpf-agent-qks6q to ip-10-0-195-234.us-east-2.compute.internal
      0s          Normal    Pulled             pod/netobserv-ebpf-agent-qks6q   Container image "quay.io/netobserv/netobserv-ebpf-agent:v0.2.1" already present on machine
      0s          Normal    Created            pod/netobserv-ebpf-agent-qks6q   Created container netobserv-ebpf-agent
      0s          Normal    Started            pod/netobserv-ebpf-agent-qks6q   Started container netobserv-ebpf-agent
      0s          Normal    Killing            pod/netobserv-ebpf-agent-sxgvz   Stopping container netobserv-ebpf-agent
      1s          Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   (combined from similar events): Created pod: netobserv-ebpf-agent-vkct4
      0s          Normal    Scheduled          pod/netobserv-ebpf-agent-vkct4   Successfully assigned netobserv-privileged/netobserv-ebpf-agent-vkct4 to ip-10-0-201-78.us-east-2.compute.internal
      0s          Normal    Pulled             pod/netobserv-ebpf-agent-vkct4   Container image "quay.io/netobserv/netobserv-ebpf-agent:v0.2.1" already present on machine
      0s          Normal    Created            pod/netobserv-ebpf-agent-vkct4   Created container netobserv-ebpf-agent
      0s          Normal    Started            pod/netobserv-ebpf-agent-vkct4   Started container netobserv-ebpf-agent
      
      
      

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2022-11-07-181244

      How reproducible:

      sporadically

      Steps to Reproduce:

      1. Install NetObserv community Operator
      2. Create flowcollector CRD
      3. Update flowcollector CRD
      4. Watch events with: oc get events

      Actual results:

      SCC annotations oftentimes go missing

      Expected results:

      SCC annotations should be added consistently.

      Additional info:

       

            slaznick@redhat.com Stanislav Laznicka
            rhn-support-memodi Mehul Modi
            ying zhou ying zhou
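
A triage check for the failure reported above, as an added example that is not part of the original report or of OpenShift or NetObserv code: it lists which SCC annotations a namespace lacks and counts the FailedCreate events that blame a missing annotation. The function names are hypothetical, the sample data is constructed from the report's output, and the two annotation names other than `openshift.io/sa.scc.uid-range` do not appear on the page.

```python
import json
import re
from collections import Counter

# uid-range is the annotation named in the events on this page; the other two
# are the remaining namespace annotations that SCC admission reads (assumed
# relevant here, they do not appear in the report).
SCC_ANNOTATIONS = (
    "openshift.io/sa.scc.uid-range",
    "openshift.io/sa.scc.mcs",
    "openshift.io/sa.scc.supplemental-groups",
)
EVENT_RE = re.compile(
    r'(?P<obj>\S+/\S+)\s+Error creating: .*error fetching namespace '
    r'"(?P<ns>[^"]+)": unable to find annotation (?P<ann>\S+)')

def missing_scc_annotations(ns):
    """Return the SCC annotations absent from a Namespace manifest (dict)."""
    annotations = (ns.get("metadata") or {}).get("annotations") or {}
    return [a for a in SCC_ANNOTATIONS if not annotations.get(a)]

def scc_failed_creates(events_text):
    """Count FailedCreate events that blame a missing SCC annotation."""
    hits = Counter()
    for line in events_text.splitlines():
        m = EVENT_RE.search(line)
        if m and "FailedCreate" in line:
            hits[(m["ns"], m["obj"], m["ann"])] += 1
    return hits

def triage(ns, events_text):
    """Per annotation: (state now, number of rejected pod creations)."""
    missing = set(missing_scc_annotations(ns))
    counts = Counter()
    for (name, _obj, ann), n in scc_failed_creates(events_text).items():
        if name == ns["metadata"]["name"]:
            counts[ann] += n
    return {a: ("still-missing" if a in missing else "restored", n)
            for a, n in counts.items()}

# Constructed sample: JSON form of the namespace in the report (abridged) and
# two of its FailedCreate lines plus one unrelated event.
SAMPLE_NS = json.loads('{"kind": "Namespace", "metadata": {"name": '
                       '"netobserv-privileged", "labels": {"app": "netobserv-operator"}}}')
SAMPLE_EVENTS = '''\
1s   Warning   FailedCreate   daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
56s  Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   Created pod: netobserv-ebpf-agent-c477n
0s   Warning   FailedCreate   daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
'''
```

Feed it the output of `oc get ns/netobserv-privileged -o json` and `oc get events`; a `restored` result means the annotation is present now but was absent when the events fired.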