Handle FailedCreate events associated with scan jobs
danielpacak opened this issue · comments
Daniel Pacak commented
What steps did you take and what happened:
Deploy Starboard Operator in an environment (e.g. OCP) where the scan pod cannot be created for some reason and it's reported as an event with the FailedCreate reason.
```
kubectl get event -n starboard-system
LAST SEEN   TYPE      REASON         OBJECT                             MESSAGE
3m25s       Warning   FailedCreate   job/scan-cisbenchmark-6bcf4ddc9c   Error creating: pods "scan-cisbenchmark-6bcf4ddc9c-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000630000, 1000639999], spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
What did you expect to happen:
- The error message propagated to the Starboard Operator log.
- TBD how we should handle a scan job? Delete and retry or other strategy?
Environment:
- Starboard version (use `starboard version`): v0.13.2
- Kubernetes version (use `kubectl version`): any
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): any
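
The following Go example is added here and is not part of the original issue or of Starboard's code. It shows one way to reduce a FailedCreate event like the one above to a short, loggable list of the pod spec fields that admission rejected. The `Event` type, the `DeniedFields` function and the `job/scan-` prefix check are assumptions made for this example, and the sample message is shortened from the event quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event mirrors the columns of `kubectl get event` (hypothetical type for this example).
type Event struct{ Type, Reason, Object, Message string }

// sampleMessage is shortened from the event message quoted in the issue.
const sampleMessage = `Error creating: pods "scan-cisbenchmark-6bcf4ddc9c-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000630000, 1000639999], spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used]`

// deniedField matches entries such as `spec.volumes[0]: Invalid value: "hostPath"`.
var deniedField = regexp.MustCompile(`\.?(spec\.[\w.\[\]]+): Invalid value: ("[^"]*"|[^:,\]]+)`)

// listIndex strips list indexes so spec.volumes[0], [1], ... collapse into one finding.
var listIndex = regexp.MustCompile(`\[\d+\]`)

// DeniedFields returns the sorted, de-duplicated "field=value" pairs rejected by
// admission in a FailedCreate warning for a scan job. It returns nil when the
// event is not such a warning (the "job/scan-" prefix is an assumption).
func DeniedFields(e Event) []string {
	if e.Type != "Warning" || e.Reason != "FailedCreate" || !strings.HasPrefix(e.Object, "job/scan-") {
		return nil
	}
	seen := map[string]bool{}
	for _, m := range deniedField.FindAllStringSubmatch(e.Message, -1) {
		seen[listIndex.ReplaceAllString(m[1], "[]")+"="+m[2]] = true
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	e := Event{Type: "Warning", Reason: "FailedCreate", Object: "job/scan-cisbenchmark-6bcf4ddc9c", Message: sampleMessage}
	if fields := DeniedFields(e); fields != nil {
		fmt.Printf("scan job %s blocked by admission; rejected fields: %s\n", e.Object, strings.Join(fields, ", "))
	}
}
```

The resulting list makes it visible at a glance that the scan pod asks for host PID, hostPath volumes and UID 0, which is what a restrictive security context constraint denies.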