Openshift container with wrong openshift.io/scc
There is unexplained behaviour in an OpenShift 4.4.17 cluster: the oauth-openshift deployment (in the openshift-authentication namespace) has replicas=2, and the first pod is Running with:
openshift.io/scc: anyuid
The second pod goes into CrashLoopBackOff, and the scc assigned to it is:
openshift.io/scc: nginx-ingress-scc (that is a customized scc for nginx purposes)
According to the documentation:
By default, pods in the openshift-authentication and openshift-authentication-operator namespaces run with the anyuid SCC.
I think something has changed in the cluster, but I cannot find out where the error is.
The oauth-openshift deployment uses the default configuration:
serviceAccountName: oauth-openshift
namespace: openshift-authentication
$ oc get scc anyuid -o yaml
users:
system:serviceaccount:default:oauth-openshift
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-authentication:default
$ oc get pod -n openshift-authentication
NAME READY STATUS RESTARTS AGE
oauth-openshift-59f498986d-lmxdv 0/1 CrashLoopBackOff 158 13h
oauth-openshift-d4968bd74-ll7mn 1/1 Running 0 23d
$ oc logs oauth-openshift-59f498986d-lmxdv -n openshift-authentication
Copying system trust bundle
cp: cannot remove '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem': Permission denied
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep serviceAccount
serviceAccount: oauth-openshift
serviceAccountName: oauth-openshift
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep scc
openshift.io/scc: nginx-ingress-scc
The authentication operator:
$ oc get pod -n openshift-authentication-operator
NAME READY STATUS RESTARTS AGE
authentication-operator-5498b9ddcb-rs9v8 1/1 Running 0 33d
$ oc get pod authentication-operator-5498b9ddcb-rs9v8 -n openshift-authentication-operator -o=yaml|grep scc
openshift.io/scc: anyuid
The managementState is set to Managed
The problem was that the custom scc (nginx-ingress-scc) had a priority higher than 10, which is the priority of anyuid.
It is solved now.
First, you should check whether your SCC priorities have been customised. For example, the anyuid scc has priority 10, which is the highest by default.
But if another SCC (nginx-ingress-scc in this case) is configured with a priority above 10, that SCC will unexpectedly be selected for the oauth pod, which can cause this problem.
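The selection rule described above (highest SCC priority wins, with anyuid at 10) can be checked offline before it bites. The following added example is not from the question or from OpenShift's own code: it models how SCC admission ranks the SCCs a service account may use, over a constructed list of SCCs (field values, the nginx-ingress-scc priority of 20 and its binding to the system:serviceaccounts group are assumptions), and flags any SCC outranking anyuid. Real admission breaks priority ties by restrictiveness before name; name alone is used here as a simplification.

```python
# Added example: models SCC selection for a service account and audits which
# SCCs outrank anyuid. All data below is constructed, not read from a cluster.
from typing import Optional

# Constructed sample resembling the fields of `oc get scc -o json` that
# matter for selection. The nginx-ingress-scc values are assumed.
SAMPLE_SCCS = [
    {"name": "restricted", "priority": None,
     "users": [], "groups": ["system:authenticated"]},
    {"name": "anyuid", "priority": 10,
     "users": ["system:serviceaccount:openshift-authentication:oauth-openshift",
               "system:serviceaccount:openshift-authentication:default"],
     "groups": []},
    {"name": "nginx-ingress-scc", "priority": 20,          # assumed: > 10
     "users": [], "groups": ["system:serviceaccounts"]},   # assumed: broad group
]

OAUTH_SA = "system:serviceaccount:openshift-authentication:oauth-openshift"


def sa_groups(sa: str) -> set:
    """Groups every service account belongs to, derived from its name."""
    _, _, ns, _ = sa.split(":")
    return {"system:authenticated", "system:serviceaccounts",
            f"system:serviceaccounts:{ns}"}


def candidate_sccs(sccs: list, sa: str) -> list:
    """SCCs the service account may use, highest priority first (nil = 0);
    ties broken by name here (real admission uses restrictiveness first)."""
    groups = sa_groups(sa)
    usable = [s for s in sccs
              if sa in s["users"] or groups & set(s["groups"])]
    return sorted(usable, key=lambda s: (-(s["priority"] or 0), s["name"]))


def selected_scc(sccs: list, sa: str) -> Optional[str]:
    """Name of the SCC admission would assign to a pod running as `sa`."""
    cands = candidate_sccs(sccs, sa)
    return cands[0]["name"] if cands else None


def outranking_anyuid(sccs: list) -> list:
    """Names of SCCs whose priority exceeds anyuid's (10 by default)."""
    anyuid = next(s["priority"] for s in sccs if s["name"] == "anyuid") or 0
    return [s["name"] for s in sccs
            if s["name"] != "anyuid" and (s["priority"] or 0) > anyuid]


if __name__ == "__main__":
    print("selected for oauth SA:", selected_scc(SAMPLE_SCCS, OAUTH_SA))
    print("SCCs outranking anyuid:", outranking_anyuid(SAMPLE_SCCS))
```

Lowering the custom SCC's priority below 10, or binding it only to the nginx service account instead of a broad group, makes anyuid win again for the oauth pod.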