Description of problem:
When deploying the LCA operator via an OLMv1 ClusterExtension CR, the operator pod fails to start. Events show this message:
53s Warning FailedCreate replicaset/lifecycle-agent-controller-manager-5987f5f77d Error creating: pods "lifecycle-agent-controller-manager-5987f5f77d-kxld8" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostPID=true), privileged (container "manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host-root" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Deployment via OLMv0 allows the pod to start.
See additional info below.
Version-Release number of selected component (if applicable):
OCP nightly 4.21.0-0.nightly-2025-11-22-193140
LCA registry.stage.redhat.io/openshift4/lifecycle-agent-operator-bundle@sha256:628e11f036968fc571cfeaec444baf562426f66a3ca3281cc5834764b341454a
How reproducible:
Always
Steps to Reproduce:
1. Deploy a cluster using the ZTP RAN DU profile, with the TechPreviewNoUpgrade feature gate enabled to enable the OLMv1 feature.
2. Deploy the LCA operator via a ClusterExtension CR.
3. Observe events in the target namespace (openshift-lifecycle-agent).
Actual results:
Pod fails to start and the event above is generated.
Expected results:
Pod starts successfully and operates normally.
Additional info:
CRs used for deployment:
####
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  name: cluster
spec:
  additionalTrustedCA:
    name: disconnected-edge
[kni@registry olmv1test]$ cat ownnamespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-lifecycle-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lifecycle-agent-installer
  namespace: openshift-lifecycle-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lifecycle-agent-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: lifecycle-agent-installer
  namespace: openshift-lifecycle-agent
---
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: lifecycle-agent
spec:
  namespace: openshift-lifecycle-agent
  serviceAccount:
    name: lifecycle-agent-installer
  config:
    configType: Inline
    inline:
      watchNamespace: openshift-lifecycle-agent
  source:
    sourceType: Catalog
    catalog:
      packageName: lifecycle-agent
      channels:
      - stable
####
OLMv1 deployment CRs are here:
https://github.com/openshift-kni/telco-reference/tree/1435ceff86df03b823c0670ab0627fb70f784508/telco-ran/configuration/source-crs/lca
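As an added pre-flight check (not part of this report or of the lifecycle-agent project), the following evaluates a pod spec against the same restricted Pod Security controls the admission event above lists, so a bundle's Deployment can be vetted before it is installed into a restricted-enforced namespace. It assumes the pod spec is available as a dict parsed from the manifest; both sample specs are constructed to resemble the failing manager pod and a compliant one, not copied from the bundle.

```python
# Added pre-flight check, not from the bug report or the lifecycle-agent
# project: evaluates a pod spec (dict parsed from the bundle's Deployment)
# against the restricted Pod Security controls named in the event above.

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(spec):
    """Return the restricted-profile controls a pod spec violates."""
    problems = []
    pod_sc = spec.get("securityContext", {})
    # Host namespaces are already forbidden at the baseline level.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            problems.append(f"host namespaces ({ns}=true)")
    # hostPath is not among the restricted profile's allowed volume types.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f'restricted volume types (volume "{vol["name"]}")')
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f'privileged (container "{name}")')
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}")')
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f'unrestricted capabilities (container "{name}")')
        # Container-level values override the pod-level ones for these two.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'runAsNonRoot != true (container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            problems.append(f'seccompProfile (container "{name}")')
    return problems

# Constructed sample mirroring the failing manager pod in the report.
FAILING_POD_SPEC = {
    "hostPID": True,
    "containers": [{"name": "manager", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
}

# Constructed sample that satisfies every control checked above.
RESTRICTED_OK_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "manager", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}
```

Running `restricted_violations(FAILING_POD_SPEC)` yields the same seven controls the event names; an operator that genuinely needs hostPID, privileged or hostPath cannot satisfy the restricted profile and must rely on the namespace's enforcement level being set accordingly, which is what the linked OCPSTRAT item is about.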
Depends on: OCPSTRAT-2690 OLMv1: Support Pod Security Admission (PSA) needs of operators
Status: New