operator-framework / operator-sdk

SDK for building Kubernetes applications. Provides high level APIs, useful abstractions, and project scaffolding.
https://sdk.operatorframework.io
Apache License 2.0

Error: unable to validate against any security context constraint #2365

Closed abergmeier closed 4 years ago

abergmeier commented 4 years ago

Bug Report

When upgrading our working Operator from 0.11 to 0.12, we get an error:

{"level":"info","ts":1578325947.633696,"logger":"controller_datapipeline","msg":"Reconciling DataPipeline","Request.Namespace":"foo","Request.Name":"bar"}
{"level":"error","ts":1578325947.7305346,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"datapipeline-controller","request":"foo/bar","error":"pods \"bar-pod\" is forbidden: unable to validate against any security context constraint: []","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/tmp/src/vendor/github.com/go-logr/zapr/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/tmp/src/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/tmp/src/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:192\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/tmp/src/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:171\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/tmp/src/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/tmp/src/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/tmp/src/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}

Our Operator tries to deploy a Pod named bar-pod using controllerutil.CreateOrUpdate.

What did you do?

Deployed our Operator using SDK 0.12.

What did you expect to see?

Should just reconcile fine.

Environment

go version go1.13.1 linux/amd64
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:20:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2019-08-01T23:56:00Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

camilamacedo86 commented 4 years ago

OpenShift 3.11 uses a k8s API which is no longer supported after the 0.9 version of the SDK, so issues can also be encountered. Could you please check it in Minikube and/or OCP 4.X, which use API-compatible versions, and let us know if you are still facing the same issue?

joelanford commented 4 years ago

@abergmeier That's an interesting error message. If you Google "unable to validate against any security context constraint", you get a bunch of results where the brackets have some clue about what's wrong. In your case, it's totally empty. Not sure how that happens.

I would agree with @camilamacedo86 that the version skew between Operator SDK 0.12 (which uses kubernetes 1.15 client libraries) and your cluster may be an issue. It would be helpful to know if you experience the same issue on a more recent cluster.

I know controllerutils.CreateOrUpdate is doing quite a bit under the hood. But any chance you could debug more and figure out exactly which call to the API server is causing this error? It seems like it's probably a write (e.g. creating or updating the pod), but it would be good to know for sure.
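To support the triage discussed in the comment above, the following Go program pulls SCC denials out of an operator's JSON log lines and separates an empty bracket list from one that carries reasons. It is an added example, not code from this thread or from operator-sdk; `Denial`, `ParseDenial` and `sampleLog` are hypothetical names, and the third sample line is constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Denial is one SCC admission failure pulled from a "Reconciler error" log line.
type Denial struct {
	Request, Resource, Name string
	Detail                  string // text inside the trailing [...]; "" means no reasons were listed
}

// Message shape taken from the log in this issue; (.*) is greedy so nested brackets survive.
var sccRe = regexp.MustCompile(`^(\S+) "([^"]+)" is forbidden: unable to validate against any security context constraint: \[(.*)\]$`)

// ParseDenial returns the denial carried by a JSON log line, or false for any other line.
func ParseDenial(line string) (Denial, bool) {
	var e struct {
		Level   string `json:"level"`
		Request string `json:"request"`
		Error   string `json:"error"`
	}
	if json.Unmarshal([]byte(line), &e) != nil || e.Level != "error" {
		return Denial{}, false
	}
	m := sccRe.FindStringSubmatch(e.Error)
	if m == nil {
		return Denial{}, false
	}
	return Denial{e.Request, m[1], m[2], strings.TrimSpace(m[3])}, true
}

// sampleLog: lines 1-2 are from this issue (stack trace omitted); line 3 is constructed.
var sampleLog = []string{
	`{"level":"info","ts":1578325947.633696,"logger":"controller_datapipeline","msg":"Reconciling DataPipeline","Request.Namespace":"foo","Request.Name":"bar"}`,
	`{"level":"error","ts":1578325947.7305346,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"datapipeline-controller","request":"foo/bar","error":"pods \"bar-pod\" is forbidden: unable to validate against any security context constraint: []"}`,
	`{"level":"error","msg":"Reconciler error","request":"foo/baz","error":"pods \"baz-pod\" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000100000, 1000109999]]"}`,
}

func main() {
	for _, l := range sampleLog {
		if d, ok := ParseDenial(l); ok {
			fmt.Printf("%s: %s %q denied, listed reasons: %q\n", d.Request, d.Resource, d.Name, d.Detail)
		}
	}
}
```
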

joelanford commented 4 years ago

@abergmeier Hopefully you solved your problem, but if not let us know and we can re-open to continue troubleshooting!