Openshift容器具有错误的Openshift.io/scc
在openshift 4.4.17集群中有无法解释的行为:oauth openshift部署(在openshift身份验证命名空间中)的副本数为2,第一个pod运行时使用:Openshift容器具有错误的Openshift.io/scc,openshift,Openshift,在openshift 4.4.17集群中有无法解释的行为:oauth openshift部署(在openshift身份验证命名空间中)的副本数为2,第一个pod运行时使用: openshift.io/scc: anyuid 第二个pod进入CrashLoopBackOff状态,分配给它的scc如下: openshift.io/scc: nginx-ingress-scc (that is a customized scc for nginx purposes) 通过文件: 默认情况下,ope
openshift.io/scc: anyuid
openshift.io/scc: nginx-ingress-scc (that is a customized scc for nginx purposes)
serviceAccountName: oauth-openshift
namespace: openshift-authentication
$ oc get scc anyuid -o yaml
users:
system:serviceaccount:default:oauth-openshift
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-authentication:default
$ oc get pod -n openshift-authentication
NAME READY STATUS RESTARTS AGE
oauth-openshift-59f498986d-lmxdv 0/1 CrashLoopBackOff 158 13h
oauth-openshift-d4968bd74-ll7mn 1/1 Running 0 23d
$ oc logs oauth-openshift-59f498986d-lmxdv -n openshift-authentication
Copying system trust bundle
cp: cannot remove '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem': Permission denied
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep serviceAccount
serviceAccount: oauth-openshift
serviceAccountName: oauth-openshift
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep scc
openshift.io/scc: nginx-ingress-scc
$ oc get pod -n openshift-authentication-operator
NAME READY STATUS RESTARTS AGE
authentication-operator-5498b9ddcb-rs9v8 1/1 Running 0 33d
$ oc get pod authentication-operator-5498b9ddcb-rs9v8 -n openshift-authentication-operator -o=yaml|grep scc
openshift.io/scc: anyuid
The managementState is set to Managed
问题是定制的scc(nginx入口scc)的优先级高于10,即anyuid的优先级。
现在问题已经解决。问题在于定制的scc(nginx入口scc)的优先级高于10,即anyuid的优先级。
现在已解决。首先,您应该检查您的SCC优先级是否已自定义。例如,
anyuid但如果其他SCC(在这种情况下,
nginx入口SCCanyuid但如果其他SCC(在这种情况下,
nginx入口SCC