Bug
Resolution: Done
4.19
Quality / Stability / Reliability
Important
Rejected
Description of problem:
bpfman-daemon not coming up with latest downstream build quay.io/redhat-user-workloads/ocp-bpfman-tenant/ocp-bpfman-operator-catalog-ocp4-19@sha256:92697178cbb3ae4883a72b378bc21200485d5171e0f2db5647c53a0ebbca3d06
Version-Release number of selected component (if applicable):
0.5.6
How reproducible:
Always
Steps to Reproduce:
1. Deploy above FBC and IDMS.
2. Deploy operator using above FBC
Actual results:
bpfman-daemon and spod daemonset not coming up
Expected results:
bpfman-daemon and spod daemonset should come up fine
Additional info:
bpfman-daemon logs
Events:
  Type     Reason        Age                 From                  Message
  ----     ------        ----                ----                  -------
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-kpsmk" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-xf6ql" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-mvshr" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-6t6k6" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-w6p4h" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-9w2nv" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-zpddk" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-vfws9" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  10m                 daemonset-controller  Error creating: pods "bpfman-daemon-tlvtl" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
  Warning  FailedCreate  36s (x9 over 10m)   daemonset-controller  (combined from similar events): Error creating: pods "bpfman-daemon-2xwq6" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "runtime", "host-debug", "bpfman-content-store", "default-bpf-fs", "socket-dir", "mountpoint-dir", "registration-dir", "tmp-dir", "host-proc", "host-netns", "host-containerd", "host-crio", "host-dockershim", "host-dockerd", "host-crictl-config"), privileged (containers "mount-bpffs", "bpfman", "bpfman-agent" must not set securityContext.privileged=true)
spod daemonset
Events:
  Type     Reason        Age                 From                  Message
  ----     ------        ----                ----                  -------
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-gdnpz" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-dg5dd" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-jqs9g" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-rn559" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-6fx24" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-drxxd" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-7bbrg" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-tznk7" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  27m                 daemonset-controller  Error creating: pods "spod-r5skj" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
  Warning  FailedCreate  14s (x12 over 27m)  daemonset-controller  (combined from similar events): Error creating: pods "spod-z5cm6" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "host-varlib-volume", "host-operator-volume", "host-fsselinux-volume", "host-etcselinux-volume", "host-varlibselinux-volume", "profile-recording-output-volume", "host-auditlog-volume", "host-syslog-volume", "sys-kernel-debug-volume", "host-etc-osrelease-volume", "host-root-volume"), seLinuxOptions (containers "non-root-enabler", "selinux-shared-policies-copier", "security-profiles-operator", "selinuxd" set forbidden securityContext.seLinuxOptions: type "spc_t")
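
Added example (not part of the original report or of the bpfman / security-profiles-operator code): a triage helper that collapses repeated PodSecurity admission denials like the ones above into one entry per workload and failed check. The sample events are constructed, with made-up pod suffixes and shortened volume and container lists; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# pods "<name>" is forbidden: violates PodSecurity "<level>:<version>": <checks...>
DENIAL = re.compile(
    r'pods "(?P<pod>[^"]+)" is forbidden: '
    r'violates PodSecurity "(?P<level>[^":]+):(?P<version>[^"]+)": '
    r'(?P<checks>.*?)(?=\s+Warning\s+FailedCreate\b|\Z)',
    re.S,
)
# Each failed check is rendered as: <check name> (<detail>)
CHECK = re.compile(r'(?P<name>[^(),]+)\((?P<detail>[^()]*)\)')


def summarise(events_text):
    """Collapse repeated denials into one entry per workload and check."""
    summary = defaultdict(
        lambda: {"level": None, "pods": set(), "checks": defaultdict(set)})
    for m in DENIAL.finditer(events_text):
        workload = m["pod"].rsplit("-", 1)[0]  # drop the generated pod suffix
        entry = summary[workload]
        entry["level"] = m["level"]
        entry["pods"].add(m["pod"])
        for c in CHECK.finditer(m["checks"]):
            quoted = re.findall(r'"([^"]+)"', c["detail"])
            # Keep the quoted names (volumes, containers, capabilities); fall
            # back to the raw detail for checks such as hostNetwork=true.
            entry["checks"][c["name"].strip()].update(quoted or [c["detail"].strip()])
    return summary


# Constructed sample, flattened onto one line the way the events were pasted.
_HEAD = 'Warning FailedCreate 10m daemonset-controller Error creating: pods "%s" is forbidden: '
_BPF = ('violates PodSecurity "baseline:latest": non-default capabilities (container '
        '"mount-bpffs" must not include "CAP_BPF", "CAP_NET_ADMIN" in '
        'securityContext.capabilities.add), host namespaces (hostNetwork=true), '
        'hostPath volumes (volumes "runtime", "host-proc"), privileged (containers '
        '"mount-bpffs", "bpfman" must not set securityContext.privileged=true)')
_SPOD = ('violates PodSecurity "baseline:latest": hostPath volumes (volumes '
         '"host-root-volume"), seLinuxOptions (containers "selinuxd" set forbidden '
         'securityContext.seLinuxOptions: type "spc_t")')
SAMPLE = " ".join(_HEAD % p + (_SPOD if p.startswith("spod") else _BPF)
                  for p in ("bpfman-daemon-aaaaa", "bpfman-daemon-bbbbb", "spod-ccccc"))

if __name__ == "__main__":
    for workload, entry in summarise(SAMPLE).items():
        print(f'{workload}: {len(entry["pods"])} pods denied at level {entry["level"]}')
        for check, items in sorted(entry["checks"].items()):
            print(f'  {check}: {", ".join(sorted(items))}')
```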