Bug Report
The k8s cluster enables the PSP policy, and operator installation through OLM fails because the job in the namespace olm uses the default serviceaccount.
related issue
What did you do?
A clear and concise description of the steps you took (or insert a code snippet).
- install olm

```
kubectl apply -f crds.yaml
kubectl apply -f olm.yaml
```

filepath: quickstart

- install etcd operator

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-etcd
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: my-etcd
spec:
  targetNamespaces:
  - my-etcd
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: my-etcd
  namespace: my-etcd
spec:
  channel: singlenamespace-alpha
  name: etcd
  source: operatorhubio-catalog
  sourceNamespace: olm
```
What did you expect to see?
A clear and concise description of what you expected to happen (or insert a code snippet).
The etcd operator can be installed normally.
What did you see instead? Under which circumstances?
```
Events:
  Type     Reason        Age                   From            Message
  ----     ------        ----                  ----            -------
  Warning  FailedCreate  6m58s (x15 over 65m)  job-controller  Error creating: pods "fe3359f072ef3976d6cf0d56c20a540531916356d88290cd72c0b5916672ca0-" is forbidden: unable to validate against any pod security policy: []
```
Environment
- operator-lifecycle-manager version:
0.17.0
- Kubernetes version information:
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"37996579a3bc0da0dad9ed07929115d8a6c4b28c", GitTreeState:"clean", BuildDate:"2020-08-18T10:49:04Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"719f645b9670949cde39510176c1a7a61c4039a0", GitTreeState:"clean", BuildDate:"2020-08-18T09:53:48Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Possible Solution
- clusterrolebinding is associated with the default serviceaccount of the olm namespace.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: olm-operator-binding-olm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: olm
- kind: ServiceAccount
  name: default
  namespace: olm
```
- add olm sa for the job

```go
func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string) *batchv1.Job {
```
operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go, Line 68 in 5eb1fa6
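
A narrower alternative to the ClusterRoleBinding above, as an added example that is not part of the original issue or of OLM's manifests: rather than giving the default service account the whole OLM controller ClusterRole, grant it only `use` on one PodSecurityPolicy inside the olm namespace. The policy and Role names are hypothetical, and the volume list and `RunAsAny` rules are assumptions to adjust to what the job pod actually needs.

```yaml
# Added example; names marked "hypothetical" are not from the issue or from OLM.
apiVersion: policy/v1beta1            # PSP API group/version on Kubernetes 1.18
kind: PodSecurityPolicy
metadata:
  name: olm-bundle-unpack             # hypothetical name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # Assumption: adjust to the volume types the job pod actually mounts.
  volumes: ["configMap", "emptyDir", "secret", "projected"]
  runAsUser:
    rule: RunAsAny                    # tighten to MustRunAsNonRoot if the job images allow it
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-olm-bundle-unpack-psp     # hypothetical name
  namespace: olm
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]                      # PSP admission authorizes on this verb
  resourceNames: ["olm-bundle-unpack"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-olm-bundle-unpack-psp     # hypothetical name
  namespace: olm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-olm-bundle-unpack-psp
subjects:
- kind: ServiceAccount
  name: default                       # the account the issue says the job runs as
  namespace: olm
```

Once these objects are applied, `kubectl auth can-i use podsecuritypolicy/olm-bundle-unpack --as=system:serviceaccount:olm:default -n olm` should answer `yes`.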