
The operator cannot be installed normally in a cluster with psp #2066

Open
0xff-dev opened this issue Mar 30, 2021 · 1 comment
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

@0xff-dev
Bug Report

The k8s cluster has the PSP policy enabled, and installing the operator through OLM fails because the job in the olm namespace uses the default serviceaccount.
related issue

What did you do?
  1. install olm

```shell
kubectl apply -f crds.yaml
kubectl apply -f olm.yaml
```

filepath: quickstart

  2. install etcd operator

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-etcd
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: my-etcd
spec:
  targetNamespaces:
  - my-etcd
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: my-etcd
  namespace: my-etcd
spec:
  channel: singlenamespace-alpha
  name: etcd
  source: operatorhubio-catalog
  sourceNamespace: olm
```

What did you expect to see?
The etcd operator can be installed normally.

What did you see instead? Under which circumstances?

```text
Events:
  Type     Reason            Age                   From            Message
  ----     ------            ----                  ----            -------
  Warning  FailedCreate      6m58s (x15 over 65m)  job-controller  Error creating: pods "fe3359f072ef3976d6cf0d56c20a540531916356d88290cd72c0b5916672ca0-" is forbidden: unable to validate against any pod security policy: []
```

Environment

  • operator-lifecycle-manager version: 0.17.0
  • Kubernetes version information:

```text
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"37996579a3bc0da0dad9ed07929115d8a6c4b28c", GitTreeState:"clean", BuildDate:"2020-08-18T10:49:04Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"719f645b9670949cde39510176c1a7a61c4039a0", GitTreeState:"clean", BuildDate:"2020-08-18T09:53:48Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
```

Possible Solution

  1. Associate the clusterrolebinding with the default serviceaccount of the olm namespace:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: olm-operator-binding-olm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: olm
- kind: ServiceAccount
  name: default
  namespace: olm
```

  2. Add the olm sa for the job:

```go
func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string) *batchv1.Job {
```
@0xff-dev 0xff-dev added the kind/bug Categorizes issue or PR as related to a bug. label Mar 30, 2021
@joelanford joelanford added this to the 0.19.0 milestone Apr 1, 2021
@joelanford joelanford assigned joelanford and kevinrizza and unassigned joelanford Apr 1, 2021
@joelanford joelanford added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 1, 2021
@dinhxuanvu (Member)

A potential solution is to create a separate ServiceAccount for the new CatalogSource that is created in that namespace instead of using the default ServiceAccount.
Will need to look into this issue further.

@dinhxuanvu dinhxuanvu removed the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Aug 19, 2021
@dinhxuanvu dinhxuanvu modified the milestones: 0.19.0, 0.20.0 Aug 19, 2021
@joelanford joelanford removed the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Aug 19, 2021
@awgreene awgreene modified the milestones: 0.20.0, 0.21.0 Jan 7, 2022
@exdx exdx modified the milestones: 0.21.0, 0.22.0 Mar 31, 2022
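The failure reported in this issue and the two proposed fixes (bind the `default` ServiceAccount, or give the unpack Job its own ServiceAccount) are both about PSP authorization: the PSP admission plugin (Kubernetes 1.24 and earlier; the API was removed in 1.25) only validates a pod against policies that the requesting user or the pod's ServiceAccount is allowed to `use`, and an empty list in `unable to validate against any pod security policy: []` means no policy on the cluster was authorized for `system:serviceaccount:olm:default`, so none was tried at all. The following is an added Python model of that decision, written for this page; it is not OLM's code or its manifests. The PSP, ClusterRole and RoleBinding it builds are constructed for illustration, and the names `psp:restricted`, `psp:restricted:olm` and `olm-bundle-unpacker` are hypothetical.

```python
"""Model of PodSecurityPolicy (PSP) admission for the pod that a Job creates.

Added example, not OLM's code. The RBAC objects below are constructed for
illustration; names marked HYPOTHETICAL are assumptions, not OLM identifiers.

PSP admission admits a pod only if (a) some PSP exists that the requesting
user *or* the pod's ServiceAccount is authorized to "use" (RBAC verb "use" on
resource "podsecuritypolicies") and (b) the pod satisfies that PSP's
constraints. When (a) fails for every PSP the plugin reports an empty list:
"unable to validate against any pod security policy: []".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset


def service_account(namespace: str, name: str) -> Subject:
    """Identity a pod carries from its ServiceAccount, with the implicit groups."""
    return Subject(
        user=f"system:serviceaccount:{namespace}:{name}",
        groups=frozenset({"system:authenticated", "system:serviceaccounts",
                          f"system:serviceaccounts:{namespace}"}),
    )


def _subject_matches(entry: dict, subject: Subject) -> bool:
    kind = entry["kind"]
    if kind == "ServiceAccount":
        return subject.user == f"system:serviceaccount:{entry['namespace']}:{entry['name']}"
    if kind == "Group":
        return entry["name"] in subject.groups
    return kind == "User" and entry["name"] == subject.user


def _rule_grants_use(rule: dict, psp_name: str) -> bool:
    # "extensions" is the legacy API group PSP lived in before "policy".
    group_ok = any(g in ("policy", "extensions", "*") for g in rule.get("apiGroups", []))
    resource_ok = any(r in ("podsecuritypolicies", "*") for r in rule.get("resources", []))
    verb_ok = any(v in ("use", "*") for v in rule.get("verbs", []))
    names = rule.get("resourceNames")          # absent means every PSP
    return group_ok and resource_ok and verb_ok and (names is None or psp_name in names)


def authorized_psps(roles, bindings, psps, subject: Subject, pod_namespace: str) -> list:
    """Names of the PSPs `subject` may use for a pod created in `pod_namespace`.

    A RoleBinding only counts in its own namespace; a ClusterRoleBinding counts everywhere.
    """
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    allowed = set()
    for b in bindings:
        ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and ns != pod_namespace:
            continue
        if not any(_subject_matches(s, subject) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        role = by_ref.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue                            # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            allowed.update(p["metadata"]["name"] for p in psps
                           if _rule_grants_use(rule, p["metadata"]["name"]))
    return sorted(allowed)


def admit_pod(roles, bindings, psps, subject: Subject, pod_namespace: str, pod_spec: dict):
    """Return the first authorized PSP the pod satisfies, or None (pod is rejected)."""
    specs = {p["metadata"]["name"]: p["spec"] for p in psps}
    for name in authorized_psps(roles, bindings, psps, subject, pod_namespace):
        spec = specs[name]
        if pod_spec.get("privileged", False) and not spec.get("privileged", False):
            continue
        if pod_spec.get("hostNetwork", False) and not spec.get("hostNetwork", False):
            continue
        return name
    return None


def example_cluster(bound_sa=None):
    """Constructed cluster: one 'restricted' PSP and a ClusterRole granting `use` on it.

    bound_sa=(namespace, name) adds the missing piece, a RoleBinding in the olm
    namespace letting that ServiceAccount use the PSP. Without it the unpack
    Job's pod is rejected exactly as in the issue.
    """
    psps = [{"kind": "PodSecurityPolicy", "metadata": {"name": "restricted"},
             "spec": {"privileged": False, "hostNetwork": False}}]
    roles = [{"kind": "ClusterRole", "metadata": {"name": "psp:restricted"},  # HYPOTHETICAL name
              "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                         "resourceNames": ["restricted"], "verbs": ["use"]}]}]
    bindings = []
    if bound_sa is not None:
        sa_ns, sa_name = bound_sa
        bindings.append({"kind": "RoleBinding",
                         "metadata": {"name": "psp:restricted:olm", "namespace": "olm"},  # HYPOTHETICAL
                         "roleRef": {"kind": "ClusterRole", "name": "psp:restricted"},
                         "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}]})
    return roles, bindings, psps


if __name__ == "__main__":
    default_sa = service_account("olm", "default")
    print("before fix:", authorized_psps(*example_cluster(), default_sa, "olm"))                    # []
    print("after fix: ", authorized_psps(*example_cluster(("olm", "default")), default_sa, "olm"))  # ['restricted']
```

On a live cluster the same check is `kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:olm:default -n olm`. Option 1 from the issue only helps if the role it binds actually grants `use` on some PSP, which is the grant modelled by the `psp:restricted` ClusterRole above; the dedicated-ServiceAccount proposal in the comment is the same grant aimed at a narrower subject (`bound_sa=("olm", "olm-bundle-unpacker")` in this model), which is the least-privilege choice because it does not widen what every other pod using `olm`'s `default` account may do.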