openshift - 带有错误 openshift.io/scc 的 Openshift 容器

问题描述

在 openshift 4.4.17 集群中出现无法解释的行为：oauth-openshift 部署（在 openshift-authentication 命名空间中）具有副本 = 2，第一个 pod 正在运行：

openshift.io/scc: anyuid

第二个 pod 进入 CrashLoopBackOff 状态，分配给它的 scc 如下：

openshift.io/scc: nginx-ingress-scc (that is a customized scc for nginx purposes)

通过文档：

默认情况下，openshift-authentication 和 openshift-authentication-operator 命名空间内的 pod 使用 anyuid SCC 运行。

我想集群中已经发生了一些变化，但我无法弄清楚错误在哪里。

Oauth-penshift 部署处于其默认配置中：

serviceAccountName: oauth-openshift
namespace: openshift-authentication

$ oc get scc anyuid -o yaml
users:
system:serviceaccount:default:oauth-openshift
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-authentication:default

$ oc get pod -n openshift-authentication
NAME                               READY   STATUS             RESTARTS   AGE
oauth-openshift-59f498986d-lmxdv   0/1     CrashLoopBackOff   158        13h
oauth-openshift-d4968bd74-ll7mn    1/1     Running            0          23d

$ oc logs oauth-openshift-59f498986d-lmxdv -n openshift-authentication
Copying system trust bundle
cp: cannot remove '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem': Permission denied

$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep   serviceAccount
serviceAccount: oauth-openshift
serviceAccountName: oauth-openshift

$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep scc
openshift.io/scc: nginx-ingress-scc

认证运算符：

$ oc get pod -n openshift-authentication-operator
NAME                                       READY   STATUS    RESTARTS   AGE
authentication-operator-5498b9ddcb-rs9v8   1/1     Running   0          33d

$ oc get pod authentication-operator-5498b9ddcb-rs9v8 -n openshift-authentication-operator -o=yaml|grep scc
openshift.io/scc: anyuid

The managementState is set to Managed

标签： openshift