- Bug
- Resolution: Done
- Critical
- 4.12
- Important
- CMP Sprint 56, CMP Sprint 57, CMP Sprint 58, CMP Sprint 59, CMP Sprint 60, CMP Sprint 61, CMP Sprint 62
Description of problem:
Failed to install Security Profiles Operator to a namespace without openshift prefix
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-11-21-151126 + security-profiles-operator-bundle-container-0.5.0-30
How reproducible:
Always
Steps to Reproduce:
- Install security profiles operator to security-profiles-operator namespace:
```
$ oc apply -f -<<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: security-profiles-operator
  labels:
    openshift.io/cluster-monitoring: "true"
    pod-security.kubernetes.io/enforce: privileged
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: security-profiles-operator
  namespace: security-profiles-operator
spec:
  targetNamespaces:
  - security-profiles-operator
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: security-profiles-operator-sub
  namespace: security-profiles-operator
spec:
  channel: release-0.5
  installPlanApproval: Automatic
  name: security-profiles-operator
  source: qe-app-registry
  sourceNamespace: openshift-marketplace
EOF
namespace/security-profiles-operator created
operatorgroup.operators.coreos.com/security-profiles-operator created
subscription.operators.coreos.com/security-profiles-operator-sub created
```
Actual results:
The daemonset spod failed to create:
```
$ oc get daemonset
NAME   DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
spod   0         0         0       0            0           kubernetes.io/os=linux   14m
$ oc get event | tail
15m     Normal    SuccessfulCreate      replicaset/security-profiles-operator-webhook-75776fb4d4   Created pod: security-profiles-operator-webhook-75776fb4d4-rb7j8
15m     Normal    ScalingReplicaSet     deployment/security-profiles-operator-webhook   Scaled up replica set security-profiles-operator-webhook-75776fb4d4 to 3
15m     Normal    ScalingReplicaSet     deployment/security-profiles-operator   Scaled up replica set security-profiles-operator-66f55d889f to 3
15m     Normal    RequirementsUnknown   clusterserviceversion/security-profiles-operator.v0.5.0   requirements not yet checked
15m     Normal    RequirementsNotMet    clusterserviceversion/security-profiles-operator.v0.5.0   one or more requirements couldn't be found
15m     Normal    AllRequirementsMet    clusterserviceversion/security-profiles-operator.v0.5.0   all requirements found, attempting install
15m     Normal    InstallSucceeded      clusterserviceversion/security-profiles-operator.v0.5.0   waiting for install components to report healthy
15m     Normal    InstallWaiting        clusterserviceversion/security-profiles-operator.v0.5.0   installing: waiting for deployment security-profiles-operator to become ready: deployment "security-profiles-operator" not available: Deployment does not have minimum availability.
15m     Normal    InstallSucceeded      clusterserviceversion/security-profiles-operator.v0.5.0   install strategy completed with no errors
4m35s   Warning   FailedCreate          daemonset/spod   Error creating: pods "spod-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[5]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[6]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[7]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[8]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[9]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[10]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[12]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[13]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000730000, 1000739999], spec.initContainers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c27,c14, spec.initContainers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , spec.initContainers[0].securityContext.capabilities.add: Invalid value: "CHOWN": capability may not be added, spec.initContainers[0].securityContext.capabilities.add: Invalid value: "FOWNER": capability may not be added, spec.initContainers[0].securityContext.capabilities.add: Invalid value: "FSETID": capability may not be added, spec.initContainers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.initContainers[1].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000730000, 1000739999], spec.initContainers[1].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c27,c14, spec.initContainers[1].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , spec.initContainers[1].securityContext.capabilities.add: Invalid value: "CHOWN": capability may not be added, spec.initContainers[1].securityContext.capabilities.add: Invalid value: "FOWNER": capability may not be added, spec.initContainers[1].securityContext.capabilities.add: Invalid value: "FSETID": capability may not be added, spec.initContainers[1].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.runAsUser: Invalid value: 65535: must be in the ranges: [1000730000, 1000739999], spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c27,c14, spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , spec.containers[1].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000730000, 1000739999], spec.containers[1].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c27,c14, spec.containers[1].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , spec.containers[1].securityContext.capabilities.add: Invalid value: "CHOWN": capability may not be added, spec.containers[1].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[1].securityContext.capabilities.add: Invalid value: "FOWNER": capability may not be added, spec.containers[1].securityContext.capabilities.add: Invalid value: "FSETID": capability may not be added, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
Expected results:
The Security Profiles Operator could be installed successfully
Additional info:
No such issue if installed to the default namespace (openshift-security-profiles)
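A triage helper for the FailedCreate message above, as an added example that is not part of the original report or the operator's code: it splits the SCC denial into the SCCs the service account cannot use and the pod settings that were rejected. The function name and the shortened sample message are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt of the FailedCreate event message.
SAMPLE = (
    'pods "spod-" is forbidden: unable to validate against any security context constraint: ['
    'provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, '
    'spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: '
    'must be in the ranges: [1000730000, 1000739999], '
    'spec.initContainers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be , '
    'spec.initContainers[0].securityContext.capabilities.add: Invalid value: "CHOWN": '
    'capability may not be added, '
    'spec.containers[1].securityContext.capabilities.add: Invalid value: "FOWNER": '
    'capability may not be added, '
    'provider "restricted": Forbidden: not usable by user or serviceaccount, '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

# Entries are separated by ", ", but so are the UID range bounds, so split
# only where the next entry starts with "spec." or 'provider "'.
ENTRY_SPLIT = re.compile(r', (?=spec\.|provider ")')
PROVIDER = re.compile(r'provider "([^"]+)": Forbidden: not usable by user or serviceaccount')
FIELD = re.compile(r'(spec\.\S+): Invalid value: (.+?): (.*)')


def parse_scc_denial(message):
    """Return (SCCs not usable by the service account, rejected values per setting)."""
    start = message.index("constraint: [") + len("constraint: [")
    body = message[start:message.rindex("]")]
    unusable, rejected = [], defaultdict(set)
    for entry in ENTRY_SPLIT.split(body):
        entry = entry.strip()
        if m := PROVIDER.fullmatch(entry):
            unusable.append(m.group(1))
        elif m := FIELD.fullmatch(entry):
            path, value, _reason = m.groups()
            # Drop list indexes and the container prefix: keep only the setting name.
            key = re.sub(r"\[\d+\]", "", path).split("securityContext.")[-1]
            rejected[key.removeprefix("spec.")].add(value.strip('"'))
    return unusable, {k: sorted(v) for k, v in rejected.items()}


if __name__ == "__main__":
    sccs, settings = parse_scc_denial(SAMPLE)
    print("SCCs not usable by the service account:", ", ".join(sccs))
    for setting, values in settings.items():
        print(f"rejected {setting}: {values}")
```

Run against the full event message, the summary shows at a glance that the pod asks for hostPath volumes, UID 0, the `spc_t` SELinux type and added capabilities, while no SCC permitting them, `privileged` included, is usable by the DaemonSet's service account in this namespace.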