Uploaded image for project: 'Knative Serving'
  1. Knative Serving
  2. SRVKS-130

Serving Operator 0.6.0 does not add scc "privileged" for controller/default user

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • v0.6.0
    • v0.6.0
    • Operator
    • Serverless Sprint 168

      If the scc "privileged" is not added to controller/default user and Maistra (0.10) is already installed in Openshift, the knative-serving (and helloworld-go example) fails to work.

      Namely, activativator and autoscaler pods will fail to start, with error message:

      30m         Warning   FailedCreate        replicaset/activator-8485fbc46d                       Error creating: pods "activator-8485fbc46d-qbklf" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 1337: must be in the ranges: [1000510000, 1000519999]]
30m         Warning   FailedCreate        replicaset/autoscaler-85f944d9bb                      Error creating: pods "autoscaler-85f944d9bb-9p8z4" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 1337: must be in the ranges: [1000510000, 1000519999]]

      This can be fixed by

      oc adm policy add-scc-to-user privileged -z controller -n knative-serving
oc adm policy add-scc-to-user privileged -z default -n knative-serving

      presuming knative-serving CR was installed in the knative-serving namespace.

      Then the pods will start up and helloworld-go demo works.

      How to reproduce:
      Spin up OCP 4.1.0
      Install Maistra 0.10 from https://github.com/Maistra/istio-operator/blob/maistra-0.10/README.md
      Install knative-serving Operator from web console, add knative-serving CR from console (I created "knative-serving" ns and installed CR into that ns).
      In knative-serving namespace, check the events/check the running pods.

        1. us-west-2-491_20190611-043326.gz
          33 kB

              rhn-support-knakayam Kenjiro Nakayama (Inactive)
              mvinkler1@redhat.com Michal Vinkler
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: