Upgrading OpenShift 4.3.8 - 4.3.12 fails with error "it may not be safe to apply this update"

Solution Verified - Updated -

Issue

  • While upgrading OCP 4.3.8 cluster to 4.3.9 received the following error:

    Unable to apply 4.3.9: it may not be safe to apply this update
    
  • Logs from cluster-version-operator

    USER1 19:34:22.93XX67       1 precondition.go:49] Precondition "ClusterVersionUpgradeable" failed: Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [privileged]
    USER1 19:34:22.93XX11       1 sync_worker.go:329] unable to synchronize image (waiting 2m52.525702462s): Precondition "ClusterVersionUpgradeable" failed because of "DefaultSecurityContextConstraints_Mutated": Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [privileged]
    
  • Upgrading 4.3.8, 4.3.9, 4.3.10, 4.3.11, or 4.3.12 fails if security context constraints (SCC) are not the default.

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 4.3.8
    • 4.3.9
    • 4.3.10
    • 4.3.11
    • 4.3.12
  • Upgrading to OCP 4.3.9 or later
  • Default security context constraints (SCC) anyuid, hostaccess, hostmount-anyuid, hostnetwork, nonroot, privileged, or restricted have been modified

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In