  1. OpenShift Bugs
  2. OCPBUGS-575

The lacking securityContext.seccompProfile.type of OLM deployments is blocking OCP upgrade to 4.12


    • Important
    • None
    • 3
    • OTA 224
    • 1
    • False

      Description of problem:

      The error below appears when upgrading to OCP 4.12 along the path 4.9 -> 4.10 -> 4.11.

      MacBook-Pro:~ jianzhang$ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.0-0.nightly-2022-08-24-091058   True        True          4h      Unable to apply 4.12.0-0.nightly-2022-08-24-053339: the workload openshift-operator-lifecycle-manager/package-server-manager cannot roll out
         - lastTransitionTime: "2022-08-25T04:47:36Z"
          lastUpdateTime: "2022-08-25T04:47:36Z"
          message: 'pods "package-server-manager-85b6dc4d89-sdzcc" is forbidden: violates
            PodSecurity "restricted:v1.24": seccompProfile (pod or container "package-server-manager"
            must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
          reason: FailedCreate
          status: "True"
          type: ReplicaFailure

       

      Version-Release number of selected component (if applicable):

      MacBook-Pro:~ jianzhang$ oc exec catalog-operator-c5c655d5c-b9lcn -- olm --version
      OLM version: 0.19.0
      git commit: 8a984d41acc67c0bc9bfe807fadeef23f83abd44 

      How reproducible:

      always

      Steps to Reproduce:
      1. Install OCP 4.11.0-0.nightly-2022-08-24-091058
      2. Upgrade it to 4.12.0-0.nightly-2022-08-24-053339

      Actual results:

      The cluster upgrade is blocked with the errors shown above.

      Expected results:

      The upgrade to 4.12 from old OCP versions (4.5, 4.9) succeeds.

      Additional info:

      MacBook-Pro:~ jianzhang$ oc get deployment package-server-manager -o yaml
      # Deployment object as printed by `oc get deployment ... -o yaml` while the
      # upgrade was blocked; it is captured output, not a manifest to apply.
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        annotations:
          # Fifth rollout revision of this Deployment; matches generation below.
          deployment.kubernetes.io/revision: "5"
          include.release.openshift.io/ibm-cloud-managed: "true"
          include.release.openshift.io/self-managed-high-availability: "true"
          include.release.openshift.io/single-node-developer: "true"
        creationTimestamp: "2022-08-25T00:14:08Z"
        generation: 5
        labels:
          app: package-server-manager
        name: package-server-manager
        namespace: openshift-operator-lifecycle-manager
        # Owned by the ClusterVersion object named "version".
        # NOTE(review): presumably this Deployment is reconciled from the release
        # payload, so a manual patch to its securityContext may be reverted;
        # confirm before treating a hand edit as a durable fix.
        ownerReferences:
        - apiVersion: config.openshift.io/v1
          kind: ClusterVersion
          name: version
          uid: 3fd29082-0e76-4b09-988e-78cb5fc7c8b5
        resourceVersion: "169028"
        uid: c8f7cbe2-4f82-40ce-9468-817ffefa903f
      # Desired state of package-server-manager as captured during the blocked
      # upgrade. The pod template below is what PodSecurity admission rejected.
      spec:
        # 600 s progress deadline; status.conditions shows ProgressDeadlineExceeded
        # about ten minutes after the first FailedCreate.
        progressDeadlineSeconds: 600
        replicas: 1
        revisionHistoryLimit: 10
        selector:
          matchLabels:
            app: package-server-manager
        strategy:
          rollingUpdate:
            maxSurge: 25%
            maxUnavailable: 25%
          type: RollingUpdate
        template:
          metadata:
            annotations:
              target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
            creationTimestamp: null
            labels:
              app: package-server-manager
          spec:
            containers:
            - args:
              - --name
              - $(PACKAGESERVER_NAME)
              - --namespace
              - $(PACKAGESERVER_NAMESPACE)
              command:
              - /bin/psm
              - start
              env:
              - name: PACKAGESERVER_NAME
                value: packageserver
              - name: PACKAGESERVER_IMAGE
                value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d49e1e27114f4b719bc8f3c222b2c5934d3b8028c79ec8e2bd288f6e9b5b3d5c
              - name: PACKAGESERVER_NAMESPACE
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
              # Same 4.12 nightly that `oc get clusterversion` reports as the
              # upgrade target, so this template is already the 4.12 one.
              - name: RELEASE_VERSION
                value: 4.12.0-0.nightly-2022-08-24-053339
              # Image is referenced by sha256 digest rather than a mutable tag.
              image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d49e1e27114f4b719bc8f3c222b2c5934d3b8028c79ec8e2bd288f6e9b5b3d5c
              imagePullPolicy: IfNotPresent
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 8080
                  scheme: HTTP
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 1
              name: package-server-manager
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 8080
                  scheme: HTTP
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 1
              resources:
                requests:
                  cpu: 10m
                  memory: 50Mi
              # Container-level securityContext: blocks privilege escalation and
              # drops all capabilities, but sets no seccompProfile. The pod-level
              # securityContext in this template sets none either, which is the
              # gap named in the FailedCreate message under status.conditions.
              # NOTE(review): per that message, seccompProfile.type
              # "RuntimeDefault" or "Localhost" at pod or container level
              # satisfies the check; this page does not show the fix adopted.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                  - ALL
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: FallbackToLogsOnError
            dnsPolicy: ClusterFirst
            # Scheduled onto Linux nodes carrying the master role label.
            nodeSelector:
              kubernetes.io/os: linux
              node-role.kubernetes.io/master: ""
            priorityClassName: system-cluster-critical
            restartPolicy: Always
            schedulerName: default-scheduler
            # Pod-level securityContext: only runAsNonRoot is set; there is no
            # seccompProfile here for the container to inherit.
            securityContext:
              runAsNonRoot: true
            serviceAccount: olm-operator-serviceaccount
            serviceAccountName: olm-operator-serviceaccount
            terminationGracePeriodSeconds: 30
            # Tolerates the master NoSchedule taint, and tolerates unreachable /
            # not-ready NoExecute taints for 120 s each.
            tolerations:
            - effect: NoSchedule
              key: node-role.kubernetes.io/master
              operator: Exists
            - effect: NoExecute
              key: node.kubernetes.io/unreachable
              operator: Exists
              tolerationSeconds: 120
            - effect: NoExecute
              key: node.kubernetes.io/not-ready
              operator: Exists
              tolerationSeconds: 120
      # Observed state: one replica is still available and ready while one is
      # counted unavailable because its replacement pod cannot be created.
      status:
        availableReplicas: 1
        conditions:
        - lastTransitionTime: "2022-08-25T03:14:20Z"
          lastUpdateTime: "2022-08-25T03:14:20Z"
          message: Deployment has minimum availability.
          reason: MinimumReplicasAvailable
          status: "True"
          type: Available
        # Admission rejection: the new pod violates PodSecurity
        # "restricted:v1.24" because neither the pod nor the container
        # "package-server-manager" sets securityContext.seccompProfile.type.
        # NOTE(review): the check itself is working as intended; the finding is
        # the missing field in the pod template, not the admission policy.
        - lastTransitionTime: "2022-08-25T04:47:36Z"
          lastUpdateTime: "2022-08-25T04:47:36Z"
          message: 'pods "package-server-manager-85b6dc4d89-sdzcc" is forbidden: violates
            PodSecurity "restricted:v1.24": seccompProfile (pod or container "package-server-manager"
            must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
          reason: FailedCreate
          status: "True"
          type: ReplicaFailure
        # Rollout gave up: the new ReplicaSet timed out about ten minutes after
        # the FailedCreate above, in line with progressDeadlineSeconds: 600.
        - lastTransitionTime: "2022-08-25T04:57:37Z"
          lastUpdateTime: "2022-08-25T04:57:37Z"
          message: ReplicaSet "package-server-manager-85b6dc4d89" has timed out progressing.
          reason: ProgressDeadlineExceeded
          status: "False"
          type: Progressing
        observedGeneration: 5
        readyReplicas: 1
        replicas: 1
        unavailableReplicas: 1 

        1. olm-upgrade.tar
          3.94 MB
        2. must-gather.tar.gz
          23.73 MB
        3. upgrade-45.tar.gz
          42.61 MB
        4. package-server-manager.deployment.yaml
          5 kB

              trking W. Trevor King
              rhn-support-jiazha Jian Zhang
              Jian Zhang Jian Zhang

                Created:
                Updated:
                Resolved: