-
Bug
-
Resolution: Done
-
Blocker
-
quay-v3.6.0
-
False
-
False
-
Quay Enterprise
-
Description of problem:
when install CSO via OLM, the installation is not completed, operator stuck in pending status, CRD imagemanifestvulns.secscan.quay.redhat.com is not created
Version-Release number of selected component (if applicable):
quay-container-security-operator-bundle-container-v3.6.0-16
- Index image v4.5: registry-proxy.engineering.redhat.com/rh-osbs/iib:104362
- Index image v4.6: registry-proxy.engineering.redhat.com/rh-osbs/iib:104366
- Index image v4.7: registry-proxy.engineering.redhat.com/rh-osbs/iib:104372
- Index image v4.8: registry-proxy.engineering.redhat.com/rh-osbs/iib:104375
- Index image v4.9: registry-proxy.engineering.redhat.com/rh-osbs/iib:104380
quay-container-security-operator-container-v3.6.0-22
- registry-proxy.engineering.redhat.com/rh-osbs/quay-quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
How reproducible:
Always
Steps to Reproduce:
1. Create catalogsource
2. Open openshift webconsole, install operator by operatorhub
3. Check operator status
Actual results:
operator stuck in pending status, CRD imagemanifestvulns.secscan.quay.redhat.com is not created
Expected results:
operator installs successfully
Additional info:
$ oc describe csv container-security-operator.v3.6.0
Name: container-security-operator.v3.6.0
Namespace: default
Labels: olm.api.ffe32d10d41a32e9=provided
olm.copiedFrom=openshift-operators
Annotations: alm-examples:
[
{
"apiVersion": "secscan.quay.redhat.com/v1alpha1",
"kind": "ImageManifestVuln",
"metadata": {
"selfLink": "/apis/secscan.quay.redhat.com/v1alpha1/namespaces/openshift-cluster-version/imagemanifestvulns/sha256.a7b23f38d1e5be975...
"resourceVersion": "14565395",
"name": "sha256.a7b23f38d1e5be975a6b516739689673011bdfa59a7158dc6ca36cefae169c18",
"uid": "3f16a188-e69a-406c-aa06-df340195409c",
"creationTimestamp": "2021-03-17T12:07:16Z",
"generation": 2,
"managedFields": [
{
"apiVersion": "secscan.quay.redhat.com/v1alpha1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {},
"f:openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": {}
}
},
"f:spec": {
".": {},
"f:features": {},
"f:image": {},
"f:manifest": {}
},
"f:status": {
".": {},
"f:affectedPods": {
".": {},
"f:openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": {}
},
"f:fixableCount": {},
"f:highCount": {},
"f:highestSeverity": {},
"f:lastUpdate": {},
"f:lowCount": {},
"f:mediumCount": {}
}
},
"manager": "security-labeller",
"operation": "Update",
"time": "2021-03-17T13:07:20Z"
}
],
"namespace": "openshift-cluster-version",
"labels": {
"openshift-cluster-version/cluster-version-operator-b98ccdb7d-t5sq6": "true"
}
}
}
]
capabilities: Full Lifecycle
categories: OpenShift Optional, Security
containerImage:
registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
createdAt: 2021-08-25 17:08 UTC
description: Identify image vulnerabilities in Kubernetes pods
olm.operatorGroup: global-operators
olm.operatorNamespace: openshift-operators
olm.skipRange: >=3.5.x <3.6.0
operatorframework.io/properties:
{"properties":[{"type":"olm.gvk","value":{"group":"secscan.quay.redhat.com","kind":"ImageManifestVuln","version":"v1alpha1"}},{"type":"olm...
repository: https://github.com/quay/container-security-operator
tectonic-visibility: ocs
API Version: operators.coreos.com/v1alpha1
Kind: ClusterServiceVersion
Metadata:
Creation Timestamp: 2021-09-01T09:40:50Z
Generation: 1
Managed Fields:
API Version: operators.coreos.com/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:alm-examples:
f:capabilities:
f:categories:
f:containerImage:
f:createdAt:
f:description:
f:olm.operatorGroup:
f:olm.operatorNamespace:
f:olm.skipRange:
f:olm.targetNamespaces:
f:operatorframework.io/properties:
f:repository:
f:tectonic-visibility:
f:labels:
.:
f:olm.api.ffe32d10d41a32e9:
f:olm.copiedFrom:
f:spec:
.:
f:apiservicedefinitions:
f:cleanup:
.:
f:enabled:
f:customresourcedefinitions:
.:
f:owned:
f:description:
f:displayName:
f:icon:
f:install:
.:
f:spec:
.:
f:deployments:
f:permissions:
f:strategy:
f:installModes:
f:keywords:
f:labels:
.:
f:alm-owner-container-security-operator:
f:operated-by:
f:links:
f:maintainers:
f:maturity:
f:provider:
.:
f:name:
f:relatedImages:
f:selector:
.:
f:matchLabels:
.:
f:alm-owner-container-security-operator:
f:operated-by:
f:version:
f:status:
.:
f:cleanup:
f:conditions:
f:lastTransitionTime:
f:lastUpdateTime:
f:message:
f:phase:
f:reason:
f:requirementStatus:
Manager: olm
Operation: Update
Time: 2021-09-01T09:40:53Z
Resource Version: 643457
UID: 34b7544d-7e77-4aad-bc50-ec6d627c5810
Spec:
Apiservicedefinitions:
Cleanup:
Enabled: false
Customresourcedefinitions:
Owned:
Description: Represents a set of vulnerabilities in an image manifest.
Display Name: Image Manifest Vulnerability
Kind: ImageManifestVuln
Name: imagemanifestvulns.secscan.quay.redhat.com
Version: v1alpha1
Description: The Quay Container Security Operator (CSO) brings Quay and Clair metadata to Kubernetes / OpenShift. Starting with vulnerability information the scope will get expanded over time. If it runs on OpenShift, the corresponding vulnerability information is shown inside the OCP Console. The Quay Container Security Operator enables cluster administrators to monitor known container image vulnerabilities in pods running on their Kubernetes cluster. The controller sets up a watch on pods in the specified namespace(s) and queries the container registry for vulnerability information. If the container registry supports image scanning, such as [Quay](https://github.com/quay/quay) with [Clair](https://github.com/quay/clair), then the Operator will expose any vulnerabilities found via the Kubernetes API in an `ImageManifestVuln` object. This Operator requires no additional configuration after deployment, and will begin watching pods and populating `ImageManifestVulns` immediately once installed.
Display Name: Quay Container Security
Icon:
base64data: iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAYAAABw4pVUAAAACXBIWXMAAAsSAAALEgHS3X78AAANmElEQVR4nO2dfWxWVx3Hv/d5aWkpbYE5ZNA+DSB03WAlQx1IhIQxTJyhSzY1SrI5tsQ/TISoMcaYsfiHLnGuJv6xhDFYYkx8iStRk7mOMBKkqEzKNmrBsfVpgYmOrm/07Xm55vf0nHJ7z733Oefcc9tC+0mawj2X9nmeL9/fOef3O+dcy7ZtzGY6U9Z2AI0A6tj3agD3Sb7kcwD6ALQD6KLv9Wn7TeGuWcSsEqQzZdGHvd3xJfvBq0JCvcm/6tN2X3TvSo0ZF4SJ0MS+dgs3TA9HAbTQ10yLM2OCsFD0BIDHhcaZ5RUAR2YqtE27IJ0pi0TYF2E4MgWFteb6tH1kOn/ptAnChDgAICU0zm7S9LqnS5jIBWGhiYTYJjTeWpxgwkQayiIThHXWzbOwjwgL9TH7our8IxGkM2XRiIksXiU03h7004CkPm23mH43RgVhrqDw9G2h8fbkFyyMGXOLMUE6U1YdG8vP9tGTaWg01lSftrtM/NyYcEUD1nG3z0ExwN5zO/sMQhNaEDacPX4b9xcy0Hs/zj6LUIQShL2Aw0LD3OVwWFG0BZkXw5fD/6yxfurXWAytTn1eDH8Gc8CoDSyI4dCne+ynfG/0Qdkh82L4w8UgRvPY+48a6yXfm31QcggbSRwXGuaZIoaTshj2b+qxm4UGH6QFYfOMdhOjqXhlNVaf6kJskfyPGhkZQfuLL2Bx8w+FtiCWP38EVY+qZW/+/qejqPje1xEbviG0eeEnBmEBdlkMn7+/xz4pNHogFbLYDLzF1NC2YleTkhiF19B2EoN165AvXyi0+UHCL9rV5NPqTW9vL3oTpRhu3OLZ7iZIDMIGrDEbr79VY0lluWX7kAMmJ3137D8gXAuC3HFtPId82UIM7Hgk4M6pLN67T0t4ou/hPUKbm2JicHI2yrI2pPJeRQVhiUJjuamqx55AcoVaSaT7X+cn/zywo0nKJeSOJXv3CdeDIOEH4iWFO7JL78TQlp2+d8uKwRm30XimxvqJ0OAiUBAWqowWZlTdkclk0H31w8m/y7okjDs4fi5RFYMzmsf3i4WuQEFYPcNYSoTiuao73n/nHHKJ5JRr5JJi6LiDwqITcslw4+Yp13TFAOtPsjaOCQ0OfAVhQ1yjxaXFT6p9SG53cMglQeGEwmJYd3CcbgwjBmfcxuozNZbvB+ErCOvIjVH+wHaUP6BWxe3peFdwB8cvnEAzLLrdwRldux6jazcYEWPy99l4RrjI8BSEzcaN1sBVPySiq7tbuMbx63R1Bg0UFoO4/vAeY2IQWRvVfrN4T0FmgzsuX3oP48lS4boTL5eEHTR4kVm3Hrl1Gzxa9BnPe3cHgiDMHUaX6tD/WlUudpwv+i/cna6pQYMX2a2iG8OQBxJeLhEEYYvYjJFcWaecupBxB8fZ6ZoaNHiR3fIg7DuWebTok7HxNfc/niIIG1kZLcPq9B3dnR3CNT94p6sTFq91p6XcwRnfLYbIMNAM3j3icjskdAnSiY47BgYGJmfLsvR9aY+W8DJh0UkULsnZ+Jbz75OCsFm50XmHzoeUaW1BbEQuy8ohl6i6Iz/Yj9JzfxOuF8O0S2he4py9Ox2ilhYtgk6mlej7+TOoPKa2/qwyNy5cK0bvoWZU/eHlIneJ5DZuhq2QcZYhD/yI3xaZIDq5pP7fv4LM5S5UHntVySX1m7cK14Igd3x8qBmJ69dQ0fZGwJ0idtlCZHbKZ5xlyNn4Ir+tIAgLV8Y2y+hkWon+303kMakwVN7eJrR7Qe5YsmSJR4s/g39pQW5gYrFh7GSr731+ZHc2GXVJxsYnedjiDjGyyIuj447h0ycwfPrmwvLqP/5KuMcLVXcQH70w0bdROiTX+TbiF94R7gkiCpfYwDcRlSA6E0H+IXFkwkl5ZkzZHTwsOnNTyaNy4jvJfs7sRDFn4wuIQhCdXJLbHZxiLlnVcI9wrRgkvDtRGL+g4ZKldxoVJQesg0OQGSvPEh+/7L0og1xSfs67LynJjGHl6jXC9SCGXj+K3nSXZ6Iw2fqqcK0YJofANEmk7zFTi4Sh6Y7MlXShk/Wj8g3vtrUa7rh8sNlTDCJ+tg3W9f8K14Mw7RKatcfYZnwj6LjD3Xe4WXDxbSy4ODWc6Lhj8PQJ/O+UGBan/FyNvsSkS2wb22LshITQUC5Jxx18qBuEuy+pq60NuNubD34WLDyR+GurlktMpebzQJ0xh0ThDo7TJfFsBjUN9wr3BNHfdgL9bcHu4Oi4JGPIJVyQaqFFEZ1MK82WhwL6DjcVbRMTuNq7liOZlM/QEtd+K79wJn72FCzFXFrOUAHLBkpjJkZYOu6gXBKfLctQcaoVZYN9WLVe7eWOXU4rCWIN30CiVX0vpwmX0EjLq0ClxIKGRi13UC5JlU0N65TdkX5e/T8LDYF1XJKvXSVcVyW0IIs1claq7gALiwvv2ShcD0LVHRxtlxhIp4QSRKcARei4Qycs6riDozNRNFHACiWIzodEuSQdd6iGxexgP66/pr+vv+CSU8G5NC/CzkuMbIuexxyhBJGdRzihEEf1EhUo8UgJSBUSi6qw7Cv6SwSo3kEhSBWdeYyTUIJQGptCkCo6AwEd8Vc8pb+iSaeDphBnfXRNuK5C6JCl80FRNVHHJTfOnxWuB1G6MoVlX1Z3ScEdO9Ur2mHdAROCkEtUwwlVE3VccqbjQmFxmwqp72isfNn5SKEqqALVU8K6A0yQ4JXGEkyHS2hh9cii6qILo92oukTXHTpVRzdxCyMxdq5tKHQ6XXJJhcIyoaHNE3WH9NUPlV2iIkhu4xYtd1DVMSwWMBZjW51Do+MS2XkMLRWlxXBEPpFEuuNd4Z4gqjZvQ9VmuTqczjzChDswEa66YuzE59CQS6i+ofRGVqSkFkRcd207SHepv2SZvoSqf1TfUIHqJybcAYcgRhyCiFzSu2ZDYX+Gk0xpGbovvSfcG4SMS3TcYWJkxbEsnIiZPGWTqn8mXUKrQ2486N3P/FtxoTSx4mn/kZ2uO6jKaAo6goMPe0OPtDh6s3dREBJjZOmywlpaLzLJUmWXLN21GwtqvCvWOosVTLqDRlhwzENm1CWUOKQEIoevmyoWQt7XcEmtR19C1b6cKywWw7Q74sAFRCEIHGt0VeB9CReD0tjFckmjydLC2SQqLHvsccElOtU+k2JgwiGvISpBqN5BVUEVCun1z2yfXDcl28F2+OwvD8LpEi13jNzQqpcEYQEvggvCzp09GnC/ElTv6NUoQi1mEziaLfv1HW6G4iVaLkmwLIHOZk6qJlqSRzfJkLTwn/t77EKcd+ayjJ7SrOMSHk5Uc0k6LqERl0xYdBOFO+IW/sz/HJkg5BKdvmTFd59VziUNKe5JJO56eh+yjz4pXC9GYTGdQXdgQoQfO/48AQtb6sWNAHTCVsVDTVq5JFoMpwIVsOzGzyq/vqTG4ocgSixc4uEKHul3o0cx6RSwKisrUaG4Z5BySToLGj6luGDbRAHKTdzCL52XpgjCZu3GJonQnCjW1jcI1/zgmVZaKqrqkuW1KcSy8pljkxNBsMmg+4BMrwKVepwJQMcltavXIJkZE6574exgr7yk9tJp0R0tTZUhCnckLfzafU0QhD3aR22qXQSdzl0mnBQyrWdvbuihZT+0OE6F1evvk3JJQmNzaBAxIOt10LIgCMPoaUCUmh9ULGDJuMQrhKj2JTIuMVWAclIS8x5AeQrCXKL2CQZA6RCZ/RluUgH7QPxySbR0VMclQZgqQHESFvq83AE/QRhGXMJzUzqdbqrhXt9w4uUOjo5LPlESF64jInckLTwrXGT4CsJGXJ62ksW929VUp0uzZS93cMglWcUsQYPPfnfTs3KadwQdPe4rCGMfewCWMl5nFJrqdGVWpl896PuePSkrKxNc4h40hIWOHU9Y2BH0YwIFYbN3sXpUBC8xOGE7Xdlc0pWDzaFdEhQWdVgQw3POWbkXgYJgQpQW9jQyKYLEgGanm7r75hBYNtOaHejTcgnPEvgNGnQpsdC+qcf+QbF/rnL2e9EZvOxRqqou4eFENdMaxiWmy7MJS+60JSlBWOhqCupPVM61pb5E54Mq/eCCUqaVXKK6R4TOTqnKjhU2f5qA+o1SCw8VC1UcIw90MXnI8O1GWQxf3dRj/0b2bSkttmZD4W84r82L4Q89h0pFDOisfmez+IIo82L4M20PBQMTZTiP5+bF8EZXDIR9Fi6dzExPIxMa5jBhxEDYDTv0i+kFCA1zlLBiwMQOKnoB9Gg4q3BUx9yEPYltf1gxYPLx3W/VWFvpaWT8ZLS5Ak362DxDfS2SB8b2qdMLKrVwN6UIhMbbFHqv9J5NiQGTDnFCTyOjB2DZBTffflCIokShTG5KlUgEwUQIS9EDsOhsc6HxFobqGZRCl02FqBKZIBw62JGeuUSP+REabyGo7EqVvqDikgkiF4RDcxZ6zA89WUZonMXQ6hBakGBiBCXDtAnCIWHoyTKzfTRGoydaNzVdQnCmXRAOhTJ6mMls62Ooj6DlnVGHJj9mTBAOdf70/Ax6ZAM9JUC4YRqg/Rm0JYBWoUfVWcsy44I4IXHoKQF0MD2dhR5VWKNwRHv6aBsZ7VyaaRGczCpBvKDQRic+05m29EVHqcoKRR88O66CNuR30T7wmQpFUgD4Px6QRGRh7pGzAAAAAElFTkSuQmCC
Mediatype: image/png
Install:
Spec:
Deployments:
Name: container-security-operator
Spec:
Replicas: 1
Selector:
Match Labels:
Name: container-security-operator-alm-owned
Strategy:
Template:
Metadata:
Creation Timestamp: <nil>
Labels:
Name: container-security-operator-alm-owned
Name: container-security-operator-alm-owned
Spec:
Containers:
Command:
/bin/security-labeller
--namespaces=$(WATCH_NAMESPACE)
--extraCerts=/extra-certs
Env:
Name: MY_POD_NAMESPACE
Value From:
Field Ref:
Field Path: metadata.namespace
Name: MY_POD_NAME
Value From:
Field Ref:
Field Path: metadata.name
Name: WATCH_NAMESPACE
Value From:
Field Ref:
Field Path: metadata.annotations['olm.targetNamespaces']
Image: registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
Name: container-security-operator
Resources:
Volume Mounts:
Mount Path: /extra-certs
Name: extra-certs
Read Only: true
Service Account Name: container-security-operator
Volumes:
Name: extra-certs
Secret:
Optional: true
Secret Name: container-security-operator-extra-certs
Permissions:
Rules:
API Groups:
secscan.quay.redhat.com
Resources:
imagemanifestvulns
imagemanifestvulns/status
Verbs:
*
API Groups:
Resources:
pods
events
Verbs:
*
API Groups:
Resources:
secrets
Verbs:
get
Service Account Name: container-security-operator
Strategy: deployment
Install Modes:
Supported: true
Type: OwnNamespace
Supported: true
Type: SingleNamespace
Supported: true
Type: MultiNamespace
Supported: true
Type: AllNamespaces
Keywords:
open source
containers
security
Labels:
Alm - Owner - Container - Security - Operator: container-security-operator
Operated - By: container-security-operator
Links:
Name: Source Code
URL: https://github.com/quay/container-security-operator
Maintainers:
Email: quay-devel@redhat.com
Name: Quay Engineering Team
Maturity: alpha
Provider:
Name: Red Hat
Related Images:
Image: registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
Name: quay-container-security-operator-rhel8-ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63-annotation
Image: registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:ecb9630cff475c1669ee845a898ac5cbb46e0301b9b421734eb3e971ef339b63
Name: container-security-operator
Selector:
Match Labels:
Alm - Owner - Container - Security - Operator: container-security-operator
Operated - By: container-security-operator
Version: 3.6.0
Status:
Cleanup:
Conditions:
Last Transition Time: 2021-09-01T09:40:46Z
Last Update Time: 2021-09-01T09:40:46Z
Message: requirements not yet checked
Phase: Pending
Reason: RequirementsUnknown
Last Transition Time: 2021-09-01T09:40:46Z
Last Update Time: 2021-09-01T09:40:46Z
Message: one or more requirements couldn't be found
Phase: Pending
Reason: RequirementsNotMet
Last Transition Time: 2021-09-01T09:40:46Z
Last Update Time: 2021-09-01T09:40:46Z
Message: The operator is running in openshift-operators but is managing this namespace
Phase: Pending
Reason: Copied
Requirement Status:
Group: apiextensions.k8s.io
Kind: CustomResourceDefinition
Message: CRD is not present
Name: imagemanifestvulns.secscan.quay.redhat.com
Status: NotPresent
Version: v1
Group:
Kind: ServiceAccount
Message: Service account does not exist
Name: container-security-operator
Status: NotPresent
Version: v1
Events: <none>
