Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-2477

Installation of CSO is pending

    XMLWordPrintable

Details

    • False
    • False
    • Quay Enterprise
    • 0

    Description

      Description of problem:

      when install CSO via OLM, the installation is not completed, operator stuck in pending status, CRD imagemanifestvulns.secscan.quay.redhat.com is not created

      Version-Release number of selected component (if applicable):

      quay-container-security-operator-bundle-container-v3.6.0-16

      • Index image v4.5: registry-proxy.engineering.redhat.com/rh-osbs/iib:104362
      • Index image v4.6: registry-proxy.engineering.redhat.com/rh-osbs/iib:104366
      • Index image v4.7: registry-proxy.engineering.redhat.com/rh-osbs/iib:104372
      • Index image v4.8: registry-proxy.engineering.redhat.com/rh-osbs/iib:104375
      • Index image v4.9: registry-proxy.engineering.redhat.com/rh-osbs/iib:104380

      quay-container-security-operator-container-v3.6.0-22

      • registry-proxy.engineering.redhat.com/rh-osbs/quay-quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63

       

      How reproducible:

       Always

      Steps to Reproduce:
      1. Create catalogsource
      2. Open openshift webconsole, install operator by operatorhub
      3. Check operator status

      Actual results:

      operator stuck in pending status, CRD imagemanifestvulns.secscan.quay.redhat.com is not created

       

      Expected results:

      operator installs successfully

      Additional info:

      $ oc describe csv container-security-operator.v3.6.0
      Name:         container-security-operator.v3.6.0
      Namespace:    default
      Labels:       olm.api.ffe32d10d41a32e9=provided
                    olm.copiedFrom=openshift-operators
      Annotations:  alm-examples:
                      [
                        {
                          "apiVersion": "secscan.quay.redhat.com/v1alpha1",
                          "kind": "ImageManifestVuln",
                          "metadata": {
                            "selfLink": "/apis/secscan.quay.redhat.com/v1alpha1/namespaces/openshift-cluster-version/imagemanifestvulns/sha256.a7b23f38d1e5be975...
                            "resourceVersion": "14565395",
                            "name": "sha256.a7b23f38d1e5be975a6b516739689673011bdfa59a7158dc6ca36cefae169c18",
                            "uid": "3f16a188-e69a-406c-aa06-df340195409c",
                            "creationTimestamp": "2021-03-17T12:07:16Z",
                            "generation": 2,
                            "managedFields": [
                              {
                                "apiVersion": "secscan.quay.redhat.com/v1alpha1",
                                "fieldsType": "FieldsV1",
                                "fieldsV1": {
                                  "f:metadata": {
                                    "f:labels": {
                                      ".": {},
                                      "f:openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": {}
                                    }
                                  },
                                  "f:spec": {
                                    ".": {},
                                    "f:features": {},
                                    "f:image": {},
                                    "f:manifest": {}
                                  },
                                  "f:status": {
                                    ".": {},
                                    "f:affectedPods": {
                                      ".": {},
                                      "f:openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": {}
                                    },
                                    "f:fixableCount": {},
                                    "f:highCount": {},
                                    "f:highestSeverity": {},
                                    "f:lastUpdate": {},
                                    "f:lowCount": {},
                                    "f:mediumCount": {}
                                  }
                                },
                                "manager": "security-labeller",
                                "operation": "Update",
                                "time": "2021-03-17T13:07:20Z"
                              }
                            ],
                            "namespace": "openshift-cluster-version",
                            "labels": {
                              "openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": "true"
                            }
                          }
                        }
                      ]
                    capabilities: Full Lifecycle
                    categories: OpenShift Optional, Security
                    containerImage:
                      registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
                    createdAt: 2021-08-25 17:08 UTC
                    description: Identify image vulnerabilities in Kubernetes pods
                    olm.operatorGroup: global-operators
                    olm.operatorNamespace: openshift-operators
                    olm.skipRange: >=3.5.x <3.6.0
                    operatorframework.io/properties:
                      {"properties":[{"type":"olm.gvk","value":{"group":"secscan.quay.redhat.com","kind":"ImageManifestVuln","version":"v1alpha1"}},{"type":"olm...
                    repository: https://github.com/quay/container-security-operator
                    tectonic-visibility: ocs
      API Version:  operators.coreos.com/v1alpha1
      Kind:         ClusterServiceVersion
      Metadata:
        Creation Timestamp:  2021-09-01T09:40:50Z
        Generation:          1
        Managed Fields:
          API Version:  operators.coreos.com/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:alm-examples:
                f:capabilities:
                f:categories:
                f:containerImage:
                f:createdAt:
                f:description:
                f:olm.operatorGroup:
                f:olm.operatorNamespace:
                f:olm.skipRange:
                f:olm.targetNamespaces:
                f:operatorframework.io/properties:
                f:repository:
                f:tectonic-visibility:
              f:labels:
                .:
                f:olm.api.ffe32d10d41a32e9:
                f:olm.copiedFrom:
            f:spec:
              .:
              f:apiservicedefinitions:
              f:cleanup:
                .:
                f:enabled:
              f:customresourcedefinitions:
                .:
                f:owned:
              f:description:
              f:displayName:
              f:icon:
              f:install:
                .:
                f:spec:
                  .:
                  f:deployments:
                  f:permissions:
                f:strategy:
              f:installModes:
              f:keywords:
              f:labels:
                .:
                f:alm-owner-container-security-operator:
                f:operated-by:
              f:links:
              f:maintainers:
              f:maturity:
              f:provider:
                .:
                f:name:
              f:relatedImages:
              f:selector:
                .:
                f:matchLabels:
                  .:
                  f:alm-owner-container-security-operator:
                  f:operated-by:
              f:version:
            f:status:
              .:
              f:cleanup:
              f:conditions:
              f:lastTransitionTime:
              f:lastUpdateTime:
              f:message:
              f:phase:
              f:reason:
              f:requirementStatus:
          Manager:         olm
          Operation:       Update
          Time:            2021-09-01T09:40:53Z
        Resource Version:  643457
        UID:               34b7544d-7e77-4aad-bc50-ec6d627c5810
      Spec:
        Apiservicedefinitions:
        Cleanup:
          Enabled:  false
        Customresourcedefinitions:
          Owned:
            Description:   Represents a set of vulnerabilities in an image manifest.
            Display Name:  Image Manifest Vulnerability
            Kind:          ImageManifestVuln
            Name:          imagemanifestvulns.secscan.quay.redhat.com
            Version:       v1alpha1
        Description:       The Quay Container Security Operator (CSO) brings Quay and Clair metadata to Kubernetes / OpenShift. Starting with vulnerability information the scope will get expanded over time. If it runs on OpenShift, the corresponding vulnerability information is shown inside the OCP Console. The Quay Container Security Operator enables cluster administrators to monitor known container image vulnerabilities in pods running on their Kubernetes cluster. The controller sets up a watch on pods in the specified namespace(s) and queries the container registry for vulnerability information. If the container registry supports image scanning, such as [Quay](https://github.com/quay/quay) with [Clair](https://github.com/quay/clair), then the Operator will expose any vulnerabilities found via the Kubernetes API in an `ImageManifestVuln` object.  This Operator requires no additional configuration after deployment, and will begin watching pods and populating `ImageManifestVulns` immediately once installed.
        Display Name:      Quay Container Security
        Icon:
          base64data:  iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAYAAABw4pVUAAAACXBIWXMAAAsSAAALEgHS3X78AAANmElEQVR4nO2dfWxWVx3Hv/d5aWkpbYE5ZNA+DSB03WAlQx1IhIQxTJyhSzY1SrI5tsQ/TISoMcaYsfiHLnGuJv6xhDFYYkx8iStRk7mOMBKkqEzKNmrBsfVpgYmOrm/07Xm55vf0nHJ7z733Oefcc9tC+0mawj2X9nmeL9/fOef3O+dcy7ZtzGY6U9Z2AI0A6tj3agD3Sb7kcwD6ALQD6KLv9Wn7TeGuWcSsEqQzZdGHvd3xJfvBq0JCvcm/6tN2X3TvSo0ZF4SJ0MS+dgs3TA9HAbTQ10yLM2OCsFD0BIDHhcaZ5RUAR2YqtE27IJ0pi0TYF2E4MgWFteb6tH1kOn/ptAnChDgAICU0zm7S9LqnS5jIBWGhiYTYJjTeWpxgwkQayiIThHXWzbOwjwgL9TH7our8IxGkM2XRiIksXiU03h7004CkPm23mH43RgVhrqDw9G2h8fbkFyyMGXOLMUE6U1YdG8vP9tGTaWg01lSftrtM/NyYcEUD1nG3z0ExwN5zO/sMQhNaEDacPX4b9xcy0Hs/zj6LUIQShL2Aw0LD3OVwWFG0BZkXw5fD/6yxfurXWAytTn1eDH8Gc8CoDSyI4dCne+ynfG/0Qdkh82L4w8UgRvPY+48a6yXfm31QcggbSRwXGuaZIoaTshj2b+qxm4UGH6QFYfOMdhOjqXhlNVaf6kJskfyPGhkZQfuLL2Bx8w+FtiCWP38EVY+qZW/+/qejqPje1xEbviG0eeEnBmEBdlkMn7+/xz4pNHogFbLYDLzF1NC2YleTkhiF19B2EoN165AvXyi0+UHCL9rV5NPqTW9vL3oTpRhu3OLZ7iZIDMIGrDEbr79VY0lluWX7kAMmJ3137D8gXAuC3HFtPId82UIM7Hgk4M6pLN67T0t4ou/hPUKbm2JicHI2yrI2pPJeRQVhiUJjuamqx55AcoVaSaT7X+cn/zywo0nKJeSOJXv3CdeDIOEH4iWFO7JL78TQlp2+d8uKwRm30XimxvqJ0OAiUBAWqowWZlTdkclk0H31w8m/y7okjDs4fi5RFYMzmsf3i4WuQEFYPcNYSoTiuao73n/nHHKJ5JRr5JJi6LiDwqITcslw4+Yp13TFAOtPsjaOCQ0OfAVhQ1yjxaXFT6p9SG53cMglQeGEwmJYd3CcbgwjBmfcxuozNZbvB+ErCOvIjVH+wHaUP6BWxe3peFdwB8cvnEAzLLrdwRldux6jazcYEWPy99l4RrjI8BSEzcaN1sBVPySiq7tbuMbx63R1Bg0UFoO4/vAeY2IQWRvVfrN4T0FmgzsuX3oP48lS4boTL5eEHTR4kVm3Hrl1Gzxa9BnPe3cHgiDMHUaX6tD/WlUudpwv+i/cna6pQYMX2a2iG8OQBxJeLhEEYYvYjJFcWaecupBxB8fZ6ZoaNHiR3fIg7DuWebTok7HxNfc/niIIG1kZLcPq9B3dnR3CNT94p6sTFq91p6XcwRnfLYbIMNAM3j3icjskdAnSiY47BgYGJmfLsvR9aY+W8DJh0UkULsnZ+Jbz75OCsFm50XmHzoeUaW1BbEQuy8ohl6i6Iz/Yj9JzfxOuF8O0S2he4py9Ox2ilhYtgk6mlej7+TOoPKa2/qwyNy5cK0bvoWZU/eHlIneJ5DZuhq2QcZYhD/yI3xaZIDq5pP7fv4LM5S5UHntVySX1m7cK14Igd3x8qBmJ69dQ0fZGwJ0idtlCZHbKZ5xlyNn4Ir+tIAgLV8Y2y+hkWon+303kMakwVN7eJrR7Qe5YsmSJR4s/g39pQW5gYrFh7GSr731+ZHc2GXVJxsYnedjiDjGyyIuj447h0ycwfPrmwvLqP/5KuMcLVXcQH70w0bdROiTX+TbiF94R7gkiCpfYwDcRlSA6E0H+IXFkwkl5ZkzZHTwsOnNTyaNy4jvJfs7sRDFn4wuIQhCdXJLbHZxiLlnVcI9wrRgkvDtRGL+g4ZKldxoVJQesg0OQGSvPEh+/7L0og1xSfs67LynJjGHl6jXC9SCGXj+K3nSXZ6Iw2fqqcK0YJofANEmk7zFTi4Sh6Y7MlXShk/Wj8g3vtrUa7rh8sNlTDCJ+tg3W9f8K14Mw7RKatcfYZnwj6LjD3Xe4WXDxbSy4ODWc6Lhj8PQJ/O+UGBan/FyNvsSkS2wb22LshITQUC5Jxx18qBuEuy+pq60NuNubD34WLDyR+GurlktMpebzQJ0xh0ThDo7TJfFsBjUN9wr3BNHfdgL9bcHu4Oi4JGPIJVyQaqFFEZ1MK82WhwL6DjcVbRMTuNq7liOZlM/QEtd+K79wJn72FCzFXFrOUAHLBkpjJkZYOu6gXBKfLctQcaoVZYN9WLVe7eWOXU4rCWIN30CiVX0vpwmX0EjLq0ClxIKGRi13UC5JlU0N65TdkX5e/T8LDYF1XJKvXSVcVyW0IIs1claq7gALiwvv2ShcD0LVHRxtlxhIp4QSRKcARei4Qycs6riDozNRNFHACiWIzodEuSQdd6iGxexgP66/pr+vv+CSU8G5NC/CzkuMbIuexxyhBJGdRzihEEf1EhUo8UgJSBUSi6qw7Cv6SwSo3kEhSBWdeYyTUIJQGptCkCo6AwEd8Vc8pb+iSaeDphBnfXRNuK5C6JCl80FRNVHHJTfOnxWuB1G6MoVlX1Z3ScEdO9Ur2mHdAROCkEtUwwlVE3VccqbjQmFxmwqp72isfNn5SKEqqALVU8K6A0yQ4JXGEkyHS2hh9cii6qILo92oukTXHTpVRzdxCyMxdq5tKHQ6XXJJhcIyoaHNE3WH9NUPlV2iIkhu4xYtd1DVMSwWMBZjW51Do+MS2XkMLRWlxXBEPpFEuuNd4Z4gqjZvQ9VmuTqczjzChDswEa66YuzE59CQS6i+ofRGVqSkFkRcd207SHepv2SZvoSqf1TfUIHqJybcAYcgRhyCiFzSu2ZDYX+Gk0xpGbovvSfcG4SMS3TcYWJkxbEsnIiZPGWTqn8mXUKrQ2486N3P/FtxoTSx4mn/kZ2uO6jKaAo6goMPe0OPtDh6s3dREBJjZOmywlpaLzLJUmWXLN21GwtqvCvWOosVTLqDRlhwzENm1CWUOKQEIoevmyoWQt7XcEmtR19C1b6cKywWw7Q74sAFRCEIHGt0VeB9CReD0tjFckmjydLC2SQqLHvsccElOtU+k2JgwiGvISpBqN5BVUEVCun1z2yfXDcl28F2+OwvD8LpEi13jNzQqpcEYQEvggvCzp09GnC/ElTv6NUoQi1mEziaLfv1HW6G4iVaLkmwLIHOZk6qJlqSRzfJkLTwn/t77EKcd+ayjJ7SrOMSHk5Uc0k6LqERl0xYdBOFO+IW/sz/HJkg5BKdvmTFd59VziUNKe5JJO56eh+yjz4pXC9GYTGdQXdgQoQfO/48AQtb6sWNAHTCVsVDTVq5JFoMpwIVsOzGzyq/vqTG4ocgSixc4uEKHul3o0cx6RSwKisrUaG4Z5BySToLGj6luGDbRAHKTdzCL52XpgjCZu3GJonQnCjW1jcI1/zgmVZaKqrqkuW1KcSy8pljkxNBsMmg+4BMrwKVepwJQMcltavXIJkZE6574exgr7yk9tJp0R0tTZUhCnckLfzafU0QhD3aR22qXQSdzl0mnBQyrWdvbuihZT+0OE6F1evvk3JJQmNzaBAxIOt10LIgCMPoaUCUmh9ULGDJuMQrhKj2JTIuMVWAclIS8x5AeQrCXKL2CQZA6RCZ/RluUgH7QPxySbR0VMclQZgqQHESFvq83AE/QRhGXMJzUzqdbqrhXt9w4uUOjo5LPlESF64jInckLTwrXGT4CsJGXJ62ksW929VUp0uzZS93cMglWcUsQYPPfnfTs3KadwQdPe4rCGMfewCWMl5nFJrqdGVWpl896PuePSkrKxNc4h40hIWOHU9Y2BH0YwIFYbN3sXpUBC8xOGE7Xdlc0pWDzaFdEhQWdVgQw3POWbkXgYJgQpQW9jQyKYLEgGanm7r75hBYNtOaHejTcgnPEvgNGnQpsdC+qcf+QbF/rnL2e9EZvOxRqqou4eFENdMaxiWmy7MJS+60JSlBWOhqCupPVM61pb5E54Mq/eCCUqaVXKK6R4TOTqnKjhU2f5qA+o1SCw8VC1UcIw90MXnI8O1GWQxf3dRj/0b2bSkttmZD4W84r82L4Q89h0pFDOisfmez+IIo82L4M20PBQMTZTiP5+bF8EZXDIR9Fi6dzExPIxMa5jBhxEDYDTv0i+kFCA1zlLBiwMQOKnoB9Gg4q3BUx9yEPYltf1gxYPLx3W/VWFvpaWT8ZLS5Ak362DxDfS2SB8b2qdMLKrVwN6UIhMbbFHqv9J5NiQGTDnFCTyOjB2DZBTffflCIokShTG5KlUgEwUQIS9EDsOhsc6HxFobqGZRCl02FqBKZIBw62JGeuUSP+REabyGo7EqVvqDikgkiF4RDcxZ6zA89WUZonMXQ6hBakGBiBCXDtAnCIWHoyTKzfTRGoydaNzVdQnCmXRAOhTJ6mMls62Ooj6DlnVGHJj9mTBAOdf70/Ax6ZAM9JUC4YRqg/Rm0JYBWoUfVWcsy44I4IXHoKQF0MD2dhR5VWKNwRHv6aBsZ7VyaaRGczCpBvKDQRic+05m29EVHqcoKRR88O66CNuR30T7wmQpFUgD4Px6QRGRh7pGzAAAAAElFTkSuQmCC
          Mediatype:   image/png
        Install:
          Spec:
            Deployments:
              Name:  container-security-operator
              Spec:
                Replicas:  1
                Selector:
                  Match Labels:
                    Name:  container-security-operator-alm-owned
                Strategy:
                Template:
                  Metadata:
                    Creation Timestamp:  <nil>
                    Labels:
                      Name:  container-security-operator-alm-owned
                    Name:    container-security-operator-alm-owned
                  Spec:
                    Containers:
                      Command:
                        /bin/security-labeller
                        --namespaces=$(WATCH_NAMESPACE)
                        --extraCerts=/extra-certs
                      Env:
                        Name:  MY_POD_NAMESPACE
                        Value From:
                          Field Ref:
                            Field Path:  metadata.namespace
                        Name:            MY_POD_NAME
                        Value From:
                          Field Ref:
                            Field Path:  metadata.name
                        Name:            WATCH_NAMESPACE
                        Value From:
                          Field Ref:
                            Field Path:  metadata.annotations['olm.targetNamespaces']
                      Image:             registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
                      Name:              container-security-operator
                      Resources:
                      Volume Mounts:
                        Mount Path:        /extra-certs
                        Name:              extra-certs
                        Read Only:         true
                    Service Account Name:  container-security-operator
                    Volumes:
                      Name:  extra-certs
                      Secret:
                        Optional:     true
                        Secret Name:  container-security-operator-extra-certs
            Permissions:
              Rules:
                API Groups:
                  secscan.quay.redhat.com
                Resources:
                  imagemanifestvulns
                  imagemanifestvulns/status
                Verbs:
                  *
                API Groups:
                  
                Resources:
                  pods
                  events
                Verbs:
                  *
                API Groups:
                  
                Resources:
                  secrets
                Verbs:
                  get
              Service Account Name:  container-security-operator
          Strategy:                  deployment
        Install Modes:
          Supported:  true
          Type:       OwnNamespace
          Supported:  true
          Type:       SingleNamespace
          Supported:  true
          Type:       MultiNamespace
          Supported:  true
          Type:       AllNamespaces
        Keywords:
          open source
          containers
          security
        Labels:
          Alm - Owner - Container - Security - Operator:  container-security-operator
          Operated - By:                                  container-security-operator
        Links:
          Name:  Source Code
          URL:   https://github.com/quay/container-security-operator
        Maintainers:
          Email:   quay-devel@redhat.com
          Name:    Quay Engineering Team
        Maturity:  alpha
        Provider:
          Name:  Red Hat
        Related Images:
          Image:  registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
          Name:   quay-container-security-operator-rhel8-ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63-annotation
          Image:  registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
          Name:   container-security-operator
        Selector:
          Match Labels:
            Alm - Owner - Container - Security - Operator:  container-security-operator
            Operated - By:                                  container-security-operator
        Version:                                            3.6.0
      Status:
        Cleanup:
        Conditions:
          Last Transition Time:  2021-09-01T09:40:46Z
          Last Update Time:      2021-09-01T09:40:46Z
          Message:               requirements not yet checked
          Phase:                 Pending
          Reason:                RequirementsUnknown
          Last Transition Time:  2021-09-01T09:40:46Z
          Last Update Time:      2021-09-01T09:40:46Z
          Message:               one or more requirements couldn't be found
          Phase:                 Pending
          Reason:                RequirementsNotMet
        Last Transition Time:    2021-09-01T09:40:46Z
        Last Update Time:        2021-09-01T09:40:46Z
        Message:                 The operator is running in openshift-operators but is managing this namespace
        Phase:                   Pending
        Reason:                  Copied
        Requirement Status:
          Group:    apiextensions.k8s.io
          Kind:     CustomResourceDefinition
          Message:  CRD is not present
          Name:     imagemanifestvulns.secscan.quay.redhat.com
          Status:   NotPresent
          Version:  v1
          Group:    
          Kind:     ServiceAccount
          Message:  Service account does not exist
          Name:     container-security-operator
          Status:   NotPresent
          Version:  v1
      Events:       <none>
      

      Attachments

        Activity

          People

            hgovinda Harish Govindarajulu
            rhn-support-dyan Dongbo Yan
            Dongbo Yan Dongbo Yan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: