Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.12
Component/s: kube-controller-manager
Labels:
- auth-team

Severity:
Critical
Regression:
None
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

SCC annotations often goes missing when in netobserv-privileged NS created by NetObserv Operator. This causes Warning and errors in below logs and slow rollout to pods in that NS.


$ oc get ns/netobserv-privileged -o yaml
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2022-11-09T14:33:57Z"
  labels:
    app: netobserv-operator
    kubernetes.io/metadata.name: netobserv-privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
  name: netobserv-privileged
  ownerReferences:
  - apiVersion: flows.netobserv.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: FlowCollector
    name: cluster
    uid: c532415f-a4e7-4438-b40c-aa02ef1d6b0d
  resourceVersion: "59366"
  uid: dc24b6f4-74f0-46d8-a127-ccc281e62943
spec:
  finalizers:
  - kubernetes
status:
  phase: Active


1s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
56s         Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   Created pod: netobserv-ebpf-agent-c477n
55s         Normal    SuccessfulDelete   daemonset/netobserv-ebpf-agent   Deleted pod: netobserv-ebpf-agent-4lsfm
23s         Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   Created pod: netobserv-ebpf-agent-9f8jm
22s         Normal    SuccessfulDelete   daemonset/netobserv-ebpf-agent   Deleted pod: netobserv-ebpf-agent-g6766
0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
0s          Warning   FailedCreate       daemonset/netobserv-ebpf-agent   Error creating: pods "netobserv-ebpf-agent-" is forbidden: error fetching namespace "netobserv-privileged": unable to find annotation openshift.io/sa.scc.uid-range
0s          Normal    Scheduled          pod/netobserv-ebpf-agent-qks6q   Successfully assigned netobserv-privileged/netobserv-ebpf-agent-qks6q to ip-10-0-195-234.us-east-2.compute.internal
0s          Normal    Pulled             pod/netobserv-ebpf-agent-qks6q   Container image "quay.io/netobserv/netobserv-ebpf-agent:v0.2.1" already present on machine
0s          Normal    Created            pod/netobserv-ebpf-agent-qks6q   Created container netobserv-ebpf-agent
0s          Normal    Started            pod/netobserv-ebpf-agent-qks6q   Started container netobserv-ebpf-agent
0s          Normal    Killing            pod/netobserv-ebpf-agent-sxgvz   Stopping container netobserv-ebpf-agent
1s          Normal    SuccessfulCreate   daemonset/netobserv-ebpf-agent   (combined from similar events): Created pod: netobserv-ebpf-agent-vkct4
0s          Normal    Scheduled          pod/netobserv-ebpf-agent-vkct4   Successfully assigned netobserv-privileged/netobserv-ebpf-agent-vkct4 to ip-10-0-201-78.us-east-2.compute.internal
0s          Normal    Pulled             pod/netobserv-ebpf-agent-vkct4   Container image "quay.io/netobserv/netobserv-ebpf-agent:v0.2.1" already present on machine
0s          Normal    Created            pod/netobserv-ebpf-agent-vkct4   Created container netobserv-ebpf-agent
0s          Normal    Started            pod/netobserv-ebpf-agent-vkct4   Started container netobserv-ebpf-agent

Version-Release number of selected component (if applicable):

4.12.0-0.nightly-2022-11-07-181244

How reproducible:

sporadically

Steps to Reproduce:

1. Install NetObserv community Operator
2. Create flowcollector CRD
3. update flowcollector CRD
4. Watch events with: oc get events

Actual results:

SCC annotations often times goes missing

Expected results:

SCC annotations should be added consistently.

Additional info:

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Hide
must-gather.local.6821129706044361526.zip
2022/11/09 6:11 PM
23.27 MB
Mehul Modi
Extracting archive...
Show
must-gather.local.6821129706044361526.zip
2022/11/09 6:11 PM
23.27 MB
Mehul Modi

Assignee:: Stanislav Láznička (Inactive)

Reporter:: Mehul Modi

QA Contact:: ying zhou

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/11/09 6:09 PM

Updated:: 2023/01/03 8:08 AM

Resolved:: 2023/01/03 8:08 AM

Details

Description

Attachments

Attachments

Easy Agile Planning Poker

Activity

People

Dates