antrea-io / antrea

Kubernetes networking based on Open vSwitch
https://antrea.io
Apache License 2.0

`antctl check cluster` doesn't work on OpenShift cluster #6596

Open luolanzone opened 3 months ago

luolanzone commented 3 months ago

I was trying 'antctl check cluster' in an OCP 4.16 cluster and found the following errors:

$ antctl check cluster
[lan-ocp416-antrea-11] Creating Namespace antrea-test-u6k5i for pre installation tests...
[lan-ocp416-antrea-11] Creating Deployment
[lan-ocp416-antrea-11] Waiting for Deployment to become ready
[lan-ocp416-antrea-11] Waiting for Deployment cluster-checker to become ready...
Error: error while waiting for Deployment to become ready: waiting for Deployment cluster-checker to become ready has been interrupted: error checking readiness of Deployment cluster-checker: client rate limiter Wait returned an error: rate: Wait(n=1) would exceed context deadline

And after checking the logs in the K8s API server, it looks like it's forbidden to create a deployment from antctl:

E0808 03:26:39.446753      15 patch_podspecextractor.go:100] "failed to mutate object for PSA using SCC" err="pods \"pod-for-container-named-cluster-checker-c487c846b\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, provider restricted-v2: .containers[0].capabilities.add: Invalid value: \"SYS_MODULE\": capability may not be added, provider restricted-v2: .containers[0].hostNetwork: Invalid value: true: Host network is not allowed to be used, provider \"restricted\": Forbidden: not usable by user or serviceaccount, provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"
E0808 03:26:39.446922      15 patch_podspecextractor.go:101] failed to mutate object for PSA using SCC: pods "pod-for-container-named-cluster-checker-c487c846b" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, provider restricted-v2: .containers[0].capabilities.add: Invalid value: "SYS_MODULE": capability may not be added, provider restricted-v2: .containers[0].hostNetwork: Invalid value: true: Host network is not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
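A pre-flight check for the three restricted-v2 rejections visible in the API server log above, added here as an example (it is not antctl's or Antrea's code). It uses a minimal constructed pod-spec model instead of the k8s.io/api types, the hostPath mount paths are placeholders, and it assumes the restricted-v2 SCC allows only NET_BIND_SERVICE to be added.

```go
package main

import "fmt"

// Minimal pod-spec model, constructed for this example (not the k8s.io/api types).
type (
	Volume    struct{ HostPath string } // non-empty marks a hostPath volume
	Container struct{ AddCapabilities []string }
	PodSpec   struct {
		HostNetwork bool
		Volumes     []Volume
		Containers  []Container
	}
)

// restrictedV2Violations reports the fields the restricted-v2 SCC rejected in the log:
// host networking, hostPath volumes and added capabilities (assumption: only NET_BIND_SERVICE is addable).
func restrictedV2Violations(spec PodSpec) []string {
	var v []string
	if spec.HostNetwork {
		v = append(v, ".spec.securityContext.hostNetwork: Host network is not allowed to be used")
	}
	for i, vol := range spec.Volumes {
		if vol.HostPath != "" {
			v = append(v, fmt.Sprintf("spec.volumes[%d]: hostPath volumes are not allowed to be used", i))
		}
	}
	for i, c := range spec.Containers {
		for _, name := range c.AddCapabilities {
			if name != "NET_BIND_SERVICE" {
				v = append(v, fmt.Sprintf(".containers[%d].capabilities.add: %q: capability may not be added", i, name))
			}
		}
	}
	return v
}

// clusterCheckerSpec mirrors the rejected pod's shape: host network, two hostPath volumes, SYS_MODULE.
func clusterCheckerSpec() PodSpec {
	return PodSpec{
		HostNetwork: true,
		Volumes:     []Volume{{HostPath: "/placeholder/host-path-0"}, {HostPath: "/placeholder/host-path-1"}},
		Containers:  []Container{{AddCapabilities: []string{"SYS_MODULE"}}},
	}
}

func main() {
	for _, msg := range restrictedV2Violations(clusterCheckerSpec()) {
		fmt.Println("restricted-v2 would reject:", msg)
	}
}
```

Running the check over a manifest before `antctl check cluster` is invoked tells you up front that the pod will need a ServiceAccount bound to a more permissive SCC, which is exactly what the log shows the default account lacks.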
github-actions[bot] commented 6 days ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days. You can add a label "lifecycle/frozen" to skip stale checking.