- Bug
- Resolution: Done
- Blocker
- quay-v3.4.0
- False
- False
- Undefined
Description:
This is an issue found when using the TNG Operator to deploy Quay. After creating the QuayRegistry CR, the DB PODs of Quay and Clair fail to be created. Checking the deployment gives the following error message:
message: 'pods "quay34-clair-postgres-854f476c47-" is forbidden: unable to validate
against any security context constraint: [provider restricted: .spec.securityContext.fsGroup:
Invalid value: []int64{0}: 0 is not an allowed group]'
lizhang@lzha-mac quay3.4 % oc get pod
NAME                                         READY   STATUS             RESTARTS   AGE
quay-operator-5576f6f74d-glrq4               1/1     Running            0          21m
quay34-clair-667766666c-p7hfc                0/1     CrashLoopBackOff   5          17m
quay34-clair-68796c8ddb-8vknd                0/1     CrashLoopBackOff   5          17m
quay34-quay-app-upgrade-7d68788466-7g5wk     0/1     Running            3          17m
quay34-quay-app-upgrade-b797d87c6-vkppk      0/1     Running            3          17m
quay34-quay-config-editor-7467bbf9f4-rwfcd   0/1     CrashLoopBackOff   8          17m
quay34-quay-config-editor-7b885d667f-k4cfh   0/1     CrashLoopBackOff   8          17m
quay34-quay-mirror-577f8458fc-rq6xt          1/1     Running            3          17m
quay34-quay-redis-d45bb4ff7-thqf2            1/1     Running            0          17m

lizhang@lzha-mac quay3.4 % oc get deployment
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
quay-operator               1/1     1            1           3h29m
quay34-clair                0/1     1            0           3h25m
quay34-clair-postgres       0/1     0            0           3h25m
quay34-quay-app             0/0     0            0           3h25m
quay34-quay-app-upgrade     0/1     1            0           3h25m
quay34-quay-config-editor   0/1     1            0           3h25m
quay34-quay-database        0/1     0            0           3h25m
quay34-quay-mirror          1/1     1            1           3h25m
quay34-quay-redis           1/1     1            1           3h25m
oc get deployment quay34-clair-postgres -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    quay-managed-fieldgroups: Database,SecurityScanner,Redis,,DistributedStorage,HostSettings,RepoMirror
    quay-registry-hostname: ""
    quay-version: vader
  creationTimestamp: "2020-10-28T03:04:47Z"
  generation: 1
  labels:
    quay-component: clair-postgres
  managedFields:
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:quay-managed-fieldgroups: {}
          f:quay-registry-hostname: {}
          f:quay-version: {}
        f:labels:
          f:quay-component: {}
        f:ownerReferences:
          k:{"uid":"140a99b2-e70c-4e2a-a90d-f73cab98dff9"}:
            .: {}
            f:apiVersion: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:replicas: {}
        f:selector:
          f:matchLabels:
            f:quay-component: {}
        f:template:
          f:metadata:
            f:annotations:
              f:quay-managed-fieldgroups: {}
              f:quay-registry-hostname: {}
              f:quay-version: {}
            f:creationTimestamp: {}
            f:labels:
              f:quay-component: {}
          f:spec:
            f:containers:
              k:{"name":"postgres"}:
                .: {}
                f:env:
                  k:{"name":"POSTGRESQL_ADMIN_PASSWORD"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_DATABASE"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_PASSWORD"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_USER"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                f:image: {}
                f:imagePullPolicy: {}
                f:name: {}
                f:ports:
                  k:{"containerPort":5432,"protocol":"TCP"}:
                    .: {}
                    f:containerPort: {}
                    f:protocol: {}
                f:volumeMounts:
                  k:{"mountPath":"/var/lib/pgsql/data"}:
                    .: {}
                    f:mountPath: {}
                    f:name: {}
            f:securityContext:
              f:fsGroup: {}
            f:volumes:
              k:{"name":"postgres-data"}:
                .: {}
                f:name: {}
                f:persistentVolumeClaim:
                  f:claimName: {}
    manager: quay-operator
    operation: Apply
    time: "2020-10-28T03:04:50Z"
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:deployment.kubernetes.io/revision: {}
      f:status:
        f:conditions:
          .: {}
          k:{"type":"Available"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"Progressing"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"ReplicaFailure"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
        f:observedGeneration: {}
        f:unavailableReplicas: {}
    manager: kube-controller-manager
    operation: Update
    time: "2020-10-28T03:14:48Z"
  name: quay34-clair-postgres
  namespace: quay340
  ownerReferences:
  - apiVersion: quay.redhat.com/v1
    kind: QuayRegistry
    name: quay34
    uid: 140a99b2-e70c-4e2a-a90d-f73cab98dff9
  resourceVersion: "3519312"
  selfLink: /apis/apps/v1/namespaces/quay340/deployments/quay34-clair-postgres
  uid: 3652fa82-6975-4945-9114-0e109dfffa64
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      quay-component: clair-postgres
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        quay-managed-fieldgroups: Database,SecurityScanner,Redis,,DistributedStorage,HostSettings,RepoMirror
        quay-registry-hostname: ""
        quay-version: vader
      creationTimestamp: null
      labels:
        quay-component: clair-postgres
    spec:
      containers:
      - env:
        - name: POSTGRESQL_USER
          value: postgres
        - name: POSTGRESQL_DATABASE
          value: postgres
        - name: POSTGRESQL_PASSWORD
          value: postgres
        - name: POSTGRESQL_ADMIN_PASSWORD
          value: postgres
        image: centos/postgresql-10-centos7
        imagePullPolicy: IfNotPresent
        name: postgres
        ports:
        - containerPort: 5432
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/lib/pgsql/data
          name: postgres-data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 0
      terminationGracePeriodSeconds: 30
      volumes:
      - name: postgres-data
        persistentVolumeClaim:
          claimName: quay34-clair-postgres
status:
  conditions:
  - lastTransitionTime: "2020-10-28T03:04:47Z"
    lastUpdateTime: "2020-10-28T03:04:47Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2020-10-28T03:04:47Z"
    lastUpdateTime: "2020-10-28T03:04:47Z"
    message: 'pods "quay34-clair-postgres-854f476c47-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{0}: 0 is not an allowed group]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  - lastTransitionTime: "2020-10-28T03:14:48Z"
    lastUpdateTime: "2020-10-28T03:14:48Z"
    message: ReplicaSet "quay34-clair-postgres-854f476c47" has timed out progressing.
    reason: ProgressDeadlineExceeded
    status: "False"
    type: Progressing
  observedGeneration: 1
  unavailableReplicas: 1
OCP Version: 4.6
oc version
Server Version: 4.6.0-0.nightly-2020-10-22-034051
Kubernetes Version: v1.19.0+d59ce34
Index image: brew.registry.redhat.io/rh-osbs/iib:23181
Quay Operator image:
lizhang@lzha-mac quay3.4 % oc get pod quay-operator-5576f6f74d-glrq4 -o json | jq '.spec.containers[0].image'
"registry.redhat.io/quay/quay-rhel8-operator@sha256:8ffb3acb4bdbf56226bb79a430b5e25b1a80c1361502da1a7efcbb82eeb651a0"
Quay CR:
apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: quay34
  namespace: quay340
lizhang@lzha-mac quay3.4 % oc get deployment quay34-quay-database -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    quay-managed-fieldgroups: Database,SecurityScanner,Redis,,DistributedStorage,HostSettings,RepoMirror
    quay-registry-hostname: ""
    quay-version: vader
  creationTimestamp: "2020-10-28T03:04:47Z"
  generation: 1
  labels:
    quay-component: postgres
  managedFields:
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:quay-managed-fieldgroups: {}
          f:quay-registry-hostname: {}
          f:quay-version: {}
        f:labels:
          f:quay-component: {}
        f:ownerReferences:
          k:{"uid":"140a99b2-e70c-4e2a-a90d-f73cab98dff9"}:
            .: {}
            f:apiVersion: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:replicas: {}
        f:selector:
          f:matchLabels:
            f:quay-component: {}
        f:template:
          f:metadata:
            f:annotations:
              f:quay-managed-fieldgroups: {}
              f:quay-registry-hostname: {}
              f:quay-version: {}
            f:creationTimestamp: {}
            f:labels:
              f:quay-component: {}
          f:spec:
            f:containers:
              k:{"name":"postgres"}:
                .: {}
                f:env:
                  k:{"name":"POSTGRESQL_ADMIN_PASSWORD"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_DATABASE"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_MAX_CONNECTIONS"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_PASSWORD"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_SHARED_BUFFERS"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POSTGRESQL_USER"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                f:image: {}
                f:imagePullPolicy: {}
                f:name: {}
                f:ports:
                  k:{"containerPort":5432,"protocol":"TCP"}:
                    .: {}
                    f:containerPort: {}
                    f:protocol: {}
                f:volumeMounts:
                  k:{"mountPath":"/var/lib/pgsql/data"}:
                    .: {}
                    f:mountPath: {}
                    f:name: {}
            f:securityContext:
              f:fsGroup: {}
            f:volumes:
              k:{"name":"postgres-data"}:
                .: {}
                f:name: {}
                f:persistentVolumeClaim:
                  f:claimName: {}
    manager: quay-operator
    operation: Apply
    time: "2020-10-28T03:04:50Z"
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:deployment.kubernetes.io/revision: {}
      f:status:
        f:conditions:
          .: {}
          k:{"type":"Available"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"Progressing"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"ReplicaFailure"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
        f:observedGeneration: {}
        f:unavailableReplicas: {}
    manager: kube-controller-manager
    operation: Update
    time: "2020-10-28T03:14:48Z"
  name: quay34-quay-database
  namespace: quay340
  ownerReferences:
  - apiVersion: quay.redhat.com/v1
    kind: QuayRegistry
    name: quay34
    uid: 140a99b2-e70c-4e2a-a90d-f73cab98dff9
  resourceVersion: "3519313"
  selfLink: /apis/apps/v1/namespaces/quay340/deployments/quay34-quay-database
  uid: 11abe2ca-6d86-4e6a-8d1e-2f8186539279
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      quay-component: postgres
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        quay-managed-fieldgroups: Database,SecurityScanner,Redis,,DistributedStorage,HostSettings,RepoMirror
        quay-registry-hostname: ""
        quay-version: vader
      creationTimestamp: null
      labels:
        quay-component: postgres
    spec:
      containers:
      - env:
        - name: POSTGRESQL_USER
          value: quay34-quay-database
        - name: POSTGRESQL_DATABASE
          value: quay34-quay-database
        - name: POSTGRESQL_ADMIN_PASSWORD
          value: postgres
        - name: POSTGRESQL_PASSWORD
          value: postgres
        - name: POSTGRESQL_SHARED_BUFFERS
          value: 256MB
        - name: POSTGRESQL_MAX_CONNECTIONS
          value: "2000"
        image: centos/postgresql-10-centos7
        imagePullPolicy: IfNotPresent
        name: postgres
        ports:
        - containerPort: 5432
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/lib/pgsql/data
          name: postgres-data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 0
      terminationGracePeriodSeconds: 30
      volumes:
      - name: postgres-data
        persistentVolumeClaim:
          claimName: quay34-quay-database
status:
  conditions:
  - lastTransitionTime: "2020-10-28T03:04:47Z"
    lastUpdateTime: "2020-10-28T03:04:47Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2020-10-28T03:04:47Z"
    lastUpdateTime: "2020-10-28T03:04:47Z"
    message: 'pods "quay34-quay-database-74b859f77-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{0}: 0 is not an allowed group]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  - lastTransitionTime: "2020-10-28T03:14:48Z"
    lastUpdateTime: "2020-10-28T03:14:48Z"
    message: ReplicaSet "quay34-quay-database-74b859f77" has timed out progressing.
    reason: ProgressDeadlineExceeded
    status: "False"
    type: Progressing
  observedGeneration: 1
  unavailableReplicas: 1
Steps:
- Open Quay console
- Deploy Quay 3.4 TNG Operator
- Create Quay CR resource
- Check POD status deployed by TNG Operator
Expected Results:
DB PODs of Quay and Clair are created successfully.
Actual Results:
DB PODs of Quay and Clair fail to be created.
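
A pre-flight check for the rejection reported above, as an added example that is not part of the original report or the Quay operator's code: it flags Deployments whose pod-level fsGroup lies outside the namespace's group block before the restricted SCC refuses them. The annotation value, the redis entry's empty securityContext and the function names are assumptions; the check treats the whole block as allowed, which may be looser than the cluster's admission plugin.

```python
import json

# Constructed sample in `oc get deployment -o json` shape, trimmed to the
# fields that matter. The two database entries use the names and fsGroup
# values shown in this report; the redis entry's securityContext is assumed.
DEPLOYMENTS = json.loads("""[
  {"metadata": {"name": "quay34-clair-postgres"},
   "spec": {"template": {"spec": {"securityContext": {"fsGroup": 0}}}}},
  {"metadata": {"name": "quay34-quay-database"},
   "spec": {"template": {"spec": {"securityContext": {"fsGroup": 0}}}}},
  {"metadata": {"name": "quay34-quay-redis"},
   "spec": {"template": {"spec": {"securityContext": {}}}}}
]""")

# Assumption (constructed value): the namespace annotation
# openshift.io/sa.scc.supplemental-groups, written as "<start>/<size>".
NAMESPACE_GROUPS = "1000640000/10000"


def parse_block(annotation):
    """Return the inclusive (min, max) of the first '<start>/<size>' block."""
    start, size = annotation.split(",")[0].strip().split("/")
    return int(start), int(start) + int(size) - 1


def fs_group_violations(deployments, annotation):
    """List (deployment, fsGroup) pairs that fall outside the namespace block."""
    low, high = parse_block(annotation)
    findings = []
    for dep in deployments:
        pod_spec = dep["spec"]["template"]["spec"]
        fs_group = (pod_spec.get("securityContext") or {}).get("fsGroup")
        if fs_group is None:
            continue  # unset: SCC admission assigns a group from the namespace
        if not low <= fs_group <= high:
            findings.append((dep["metadata"]["name"], fs_group))
    return findings


if __name__ == "__main__":
    for name, gid in fs_group_violations(DEPLOYMENTS, NAMESPACE_GROUPS):
        print(f"{name}: fsGroup {gid} is outside {NAMESPACE_GROUPS}; "
              "the restricted SCC will refuse to create its pods")
```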