search

operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0
1.72k stars 545 forks source link

The operator cannot be installed normally in a cluster with psp #2066

Open 0xff-dev opened 3 years ago

0xff-dev commented 3 years ago

Bug Report

The k8s cluster opens the psp policy, and the operator installation through olm will fail. because of the job in the namespace olm use default serviceaccount. related issue

What did you do? A clear and concise description of the steps you took (or insert a code snippet).

  1. install olm

    kubectl apply -f crds.yaml
kubectl apply -f olm.yaml

    filepath: quickstart

  2. install etcd operator

    
apiVersion: v1
kind: Namespace
metadata:
name: my-etcd
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: operatorgroup
namespace: my-etcd
spec:
targetNamespaces:
- my-etcd
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: my-etcd
namespace: my-etcd
spec:
channel: singlenamespace-alpha
name: etcd
source: operatorhubio-catalog
sourceNamespace: olm

**What did you expect to see?**
A clear and concise description of what you expected to happen (or insert a code snippet).
etce operator can be installed normally.

**What did you see instead? Under which circumstances?**
```shell
Events:
  Type     Reason            Age                   From            Message
  ----     ------            ----                  ----            -------
  Warning  FailedCreate      6m58s (x15 over 65m)  job-controller  Error creating: pods "fe3359f072ef3976d6cf0d56c20a540531916356d88290cd72c0b5916672ca0-" is forbidden: unable to validate against any pod security policy: []

Environment

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"37996579a3bc0da0dad9ed07929115d8a6c4b28c", GitTreeState:"clean", BuildDate:"2020-08-18T10:49:04Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"719f645b9670949cde39510176c1a7a61c4039a0", GitTreeState:"clean", BuildDate:"2020-08-18T09:53:48Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}

Possible Solution

  1. clusterrolebinding is associated with the default serviceaccount of the olm namespace.

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: olm-operator-binding-olm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: olm
- kind: ServiceAccount
name: default
namespace: olm

  2. add olm sa for the job https://github.com/operator-framework/operator-lifecycle-manager/blob/5eb1fa6ad6ecfbf1263a145e54e5bd181a078097/pkg/controller/bundle/bundle_unpacker.go#L68

dinhxuanvu commented 3 years ago

A potential solution is to create a separate ServiceAccount for the new CatalogSource that is created in that namespace instead of using the default ServiceAccount. Will need to look into this issue further.