Light

AKS spod STATE : UPDATING about security-profiles-operator HOT 12 CLOSED

sybadm commented on June 21, 2024

AKS spod STATE : UPDATING

from security-profiles-operator.

Comments (12)

sybadm commented on June 21, 2024 1

@sybadm may I ask you to verify the fix once https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/post-security-profiles-operator-push-image/1729505403827392512 is successfull and we have an updated latest image tag?

you made my day!

$ kubectl -nsecurity-profiles-operator get spod spod
NAME   STATE
spod   RUNNING

from security-profiles-operator.

saschagrunert commented on June 21, 2024

Hey @sybadm, thank you for the request. Can you share the logs of the components of the SPO?

from security-profiles-operator.

sybadm commented on June 21, 2024

@saschagrunert thanks for your response


$ kubectl -nsecurity-profiles-operator describe spod spod
Name:         spod
Namespace:    security-profiles-operator
Labels:       app=security-profiles-operator
Annotations:  <none>
API Version:  security-profiles-operator.x-k8s.io/v1alpha1
Kind:         SecurityProfilesOperatorDaemon
Metadata:
  Creation Timestamp:  2023-11-27T10:06:54Z
  Generation:          1
  Managed Fields:
    API Version:  security-profiles-operator.x-k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .:
          f:app:
      f:spec:
        .:
        f:disableOciArtifactSignatureVerification:
        f:hostProcVolumePath:
        f:priorityClassName:
        f:selinuxOptions:
          .:
          f:allowedSystemProfiles:
        f:selinuxTypeTag:
        f:staticWebhookConfig:
        f:tolerations:
    Manager:      security-profiles-operator
    Operation:    Update
    Time:         2023-11-27T10:06:54Z
    API Version:  security-profiles-operator.x-k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:state:
    Manager:         security-profiles-operator
    Operation:       Update
    Subresource:     status
    Time:            2023-11-27T10:06:56Z
  Resource Version:  34367601
  UID:               e6b68286-1acc-4bbf-8128-2139a1d55820
Spec:
  Disable Oci Artifact Signature Verification:  false
  Host Proc Volume Path:                        /proc
  Priority Class Name:                          system-node-critical
  Selinux Options:
    Allowed System Profiles:
      container
  Selinux Type Tag:       spc_t
  Static Webhook Config:  false
  Tolerations:
    Effect:    NoSchedule
    Key:       node-role.kubernetes.io/master
    Operator:  Exists
    Effect:    NoSchedule
    Key:       node-role.kubernetes.io/control-plane
    Operator:  Exists
    Effect:    NoExecute
    Key:       node.kubernetes.io/not-ready
    Operator:  Exists
Status:
  Conditions:
    Last Transition Time:  2023-11-27T10:06:56Z
    Message:
    Reason:                Updating
    Status:                False
    Type:                  Ready
  State:                   UPDATING
Events:
  Type     Reason            Age    From         Message
  ----     ------            ----   ----         -------
  Warning  CannotUpdateSPOD  4m40s  spod-config  updating operator DaemonSet: Operation cannot be fulfilled on daemonsets.apps "spod": the object has been modified; please apply your changes to the latest version and try again


$ kubectl logs --selector name=spod -n security-profiles-operator
Defaulted container "security-profiles-operator" out of: security-profiles-operator, metrics, non-root-enabler (init)
Defaulted container "security-profiles-operator" out of: security-profiles-operator, metrics, non-root-enabler (init)
Defaulted container "security-profiles-operator" out of: security-profiles-operator, metrics, non-root-enabler (init)
Defaulted container "security-profiles-operator" out of: security-profiles-operator, metrics, non-root-enabler (init)
I1127 10:07:01.469539       1 main.go:368] "watching all namespaces" logger="setup"
I1127 10:07:01.470743       1 main.go:497] "starting daemon" logger="setup"
I1127 10:07:01.470862       1 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I1127 10:07:01.471000       1 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I1127 10:07:01.471103       1 grpc.go:60] "Starting GRPC server API" logger="metrics"
I1127 10:07:01.471225       1 server.go:50] "starting server" kind="health probe" addr="[::]:8085"
I1127 10:07:01.471548       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1beta1.SeccompProfile"
I1127 10:07:01.471602       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I1127 10:07:01.471626       1 controller.go:186] "Starting Controller" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile"
I1127 10:07:01.616551       1 controller.go:220] "Starting workers" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" worker count=1
I1127 10:07:00.961862       1 main.go:368] "watching all namespaces" logger="setup"
I1127 10:07:00.962685       1 main.go:497] "starting daemon" logger="setup"
I1127 10:07:00.962774       1 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I1127 10:07:00.962866       1 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I1127 10:07:00.963014       1 grpc.go:60] "Starting GRPC server API" logger="metrics"
I1127 10:07:00.963120       1 server.go:50] "starting server" kind="health probe" addr="[::]:8085"
I1127 10:07:00.963426       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1beta1.SeccompProfile"
I1127 10:07:00.963460       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I1127 10:07:00.963507       1 controller.go:186] "Starting Controller" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile"
I1127 10:07:01.212924       1 controller.go:220] "Starting workers" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" worker count=1
I1127 10:09:49.944229       1 main.go:368] "watching all namespaces" logger="setup"
I1127 10:09:49.944229       1 grpc.go:60] "Starting GRPC server API" logger="metrics"
I1127 10:09:49.944709       1 main.go:497] "starting daemon" logger="setup"
I1127 10:09:49.944772       1 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I1127 10:09:49.944787       1 server.go:50] "starting server" kind="health probe" addr="[::]:8085"
I1127 10:09:49.944823       1 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I1127 10:09:49.944994       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1beta1.SeccompProfile"
I1127 10:09:49.945063       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I1127 10:09:49.945082       1 controller.go:186] "Starting Controller" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile"
I1127 10:09:50.082741       1 controller.go:220] "Starting workers" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" worker count=1
I1127 10:06:59.662844       1 main.go:368] "watching all namespaces" logger="setup"
I1127 10:06:59.663220       1 grpc.go:60] "Starting GRPC server API" logger="metrics"
I1127 10:06:59.663491       1 main.go:497] "starting daemon" logger="setup"
I1127 10:06:59.663625       1 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I1127 10:06:59.663721       1 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I1127 10:06:59.663807       1 server.go:50] "starting server" kind="health probe" addr="[::]:8085"
I1127 10:06:59.663978       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1beta1.SeccompProfile"
I1127 10:06:59.664007       1 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I1127 10:06:59.664023       1 controller.go:186] "Starting Controller" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile"
I1127 10:06:59.830066       1 controller.go:220] "Starting workers" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" worker count=1

from security-profiles-operator.

sybadm commented on June 21, 2024

I'm just going round and round. Before we look at it. Is 'security-profiles-operator' supported on AKS clusters without having OLM installed? I just learnt that OLM is not supported on AKS. If 'security-profiles-operator' does not support natively then its dead end.

from security-profiles-operator.

saschagrunert commented on June 21, 2024

@sybadm it should work, can you update the configuration and see if it gets into the right state?

from security-profiles-operator.

sybadm commented on June 21, 2024

@sybadm it should work, can you update the configuration and see if it gets into the right state?

Which configuration I need to update

from security-profiles-operator.

saschagrunert commented on June 21, 2024

@sybadm the spod, for example by setting the log level:

kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"verbosity":1}}'

from security-profiles-operator.

saschagrunert commented on June 21, 2024

@sybadm you don't have to install the OLM at all, but I think I can reproduce the issue on AKS.

from security-profiles-operator.

sybadm commented on June 21, 2024

@sybadm you don't have to install the OLM at all, but I think I can reproduce the issue on AKS.

Thanks you so much @saschagrunert for taking a look at it. Really appreciate your time.

As you suggested I tried , but no luck

kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"verbosity":1}}'

from security-profiles-operator.

saschagrunert commented on June 21, 2024

I have a fix in #1985

from security-profiles-operator.

sybadm commented on June 21, 2024

I have a fix in #1985

Excellent

from security-profiles-operator.

saschagrunert commented on June 21, 2024

@sybadm may I ask you to verify the fix once https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/post-security-profiles-operator-push-image/1729505403827392512 is successfull and we have an updated latest image tag?

from security-profiles-operator.

Related Issues (20)

Release v0.8.1
getting owner profile: the node status owner is of an unknown kind HOT 3
Manage SELinux booleans HOT 10
tolerations not honoured HOT 4
AKS eBPF recording HOT 15
Can not re-install SPO HOT 1
ignore istio init container while eBPF profiling HOT 8
AppArmor does not work HOT 15
Release v0.8.2 HOT 1
[Question] Disable webhook deployment HOT 4
Seeing Policy Violations HOT 7
Security Profiles Operator should support dynamic infrastructures HOT 4
Release v0.8.3 HOT 1
deletion of a `SelinuxProfile` object hangs forever HOT 6
Proposal: Allow `spoc` to simultaneously record different profile types. HOT 2
Release v0.8.4 HOT 10
OLM tests are flaking HOT 3
Question: Distributing policies with images? HOT 4
AppArmor Profile not activated.
Update kubectl command in security-profiles-operator documentation HOT 1

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.