The Trident operator fails to install via Helm on Rancher #839
Comments
In Rancher, it is not enough to have `patch` permissions for a namespace in order to set PSA labels. It is also required to have the `updatepsa` permission on the `projects` resource, as outlined [here](rancher/rancher#41191). This rule allows the Trident operator to set the PSA label `pod-security.kubernetes.io/enforce: privileged` on its installation namespace in Rancher. Closes NetApp#839
We're running into the same issue after upgrading from Rancher 2.6.11 to 2.7.5. I can confirm that your workaround fixes the issue.
@lindhe: Thanks for bringing this up and creating the corresponding pull request. I can confirm as well that this solves the issue in my cluster. Does NetApp have a plan to merge this at some point in time? Applying these workarounds in automation is a bit cumbersome and unclean.
We're still seeing the same issue in Rancher 2.7.9 and Trident 23.10.0. Can we perhaps get an update from NetApp on this issue and the pending PR?
Describe the bug
When installing the Trident operator from the Helm chart in a Kubernetes cluster managed by Rancher, the operator fails because it is unable to add the PSA label
pod-security.kubernetes.io/enforce: privileged
on its installation namespace. This is because Rancher has a special admission webhook in place for setting PSA labels, which must be granted to the ServiceAccount, on top of all the other RBAC rules it needs.

Environment
helm install trident netapp-trident/trident-operator --version 23.04.0 --create-namespace --namespace trident
To Reproduce
Have a Rancher managed RKE2 cluster (but I'm guessing it'll work with any Rancher managed cluster).
helm repo add netapp-trident https://netapp.github.io/trident-helm-chart
helm install trident netapp-trident/trident-operator --version 23.04.0 --create-namespace --namespace trident
Check the status of the installed CRDs, the trident TridentOrchestrator object and the pods deployed:

Expected behavior
I expect it to deploy as it should and not crash. Here's an example of what it looks like when deploying successfully:
Additional context
This was already reported to Rancher's GitHub page as issue #41191. People (understandably) thought that this was a bug in Rancher, while it's more of a documentation issue on their part (in my opinion).
There's also some information available in the operator's pod logs. I don't have them easily available right now, but it basically amounts to the same message as the one displayed by the TridentOrchestrator object anyway; it fails to patch the trident namespace because the Rancher admission webhook rancher.cattle.io.namespaces denied the request (Unauthorized).

Work-around
Inspired by this comment from the issue reported to Rancher's GitHub page, applying the following manifest and then restarting the operator fixes the issue:
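The manifest itself is not reproduced on this page. The following is an added example of the kind of RBAC grant the issue and the linked pull request describe (a ClusterRole carrying the `updatepsa` verb on the `projects` resource, bound to the operator's ServiceAccount); it is not the original poster's manifest nor the Trident project's own chart template. Two details are assumptions not stated on the page: that the `projects` resource lives in the `management.cattle.io` API group, and that the operator runs as ServiceAccount `trident-operator` in the `trident` namespace (the Helm chart default is assumed).

```yaml
# Added example, not the manifest from the original issue or from the Trident chart.
# Assumptions (not on the page): API group management.cattle.io for `projects`,
# and ServiceAccount trident-operator in namespace trident (assumed chart default).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trident-operator-rancher-psa
rules:
  # Rancher's rancher.cattle.io.namespaces webhook requires this custom verb
  # before a subject may change pod-security.kubernetes.io/* labels on a
  # namespace; plain `patch` on namespaces is not enough (see rancher/rancher#41191).
  - apiGroups: ["management.cattle.io"]
    resources: ["projects"]
    verbs: ["updatepsa"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trident-operator-rancher-psa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trident-operator-rancher-psa
subjects:
  - kind: ServiceAccount
    name: trident-operator   # assumed operator ServiceAccount name
    namespace: trident       # installation namespace from the helm command above
```

Apply it with `kubectl apply -f`, then restart the operator so it retries the namespace patch (for example `kubectl -n trident rollout restart deployment/trident-operator`, again assuming the chart's deployment name). Before restarting, the grant can be verified without touching the namespace: `kubectl auth can-i updatepsa projects.management.cattle.io --as=system:serviceaccount:trident:trident-operator` should answer `yes` (the caller needs impersonation rights for `--as` to work). Note that `updatepsa` is a Rancher-specific verb evaluated by its webhook, so this binding grants nothing outside a Rancher-managed cluster, and the scope is cluster-wide: the operator becomes able to set PSA labels on any namespace, not only its own.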