Upgrading OpenShift 4.3.8 - 4.3.12 fails with error "it may not be safe to apply this update"

Solution Verified - Updated -

Issue

  • While upgrading OCP 4.3.8 cluster to 4.3.9 received the following error:

    Unable to apply 4.3.9: it may not be safe to apply this update

  • Logs from cluster-version-operator

    USER1 19:34:22.93XX67       1 precondition.go:49] Precondition "ClusterVersionUpgradeable" failed: Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [privileged]
USER1 19:34:22.93XX11       1 sync_worker.go:329] unable to synchronize image (waiting 2m52.525702462s): Precondition "ClusterVersionUpgradeable" failed because of "DefaultSecurityContextConstraints_Mutated": Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [privileged]

  • Upgrading 4.3.8, 4.3.9, 4.3.10, 4.3.11, or 4.3.12 fails if security context constraints (SCC) are not the default.

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 4.3.8
    • 4.3.9
    • 4.3.10
    • 4.3.11
    • 4.3.12
  • Upgrading to OCP 4.3.9 or later
  • Default security context constraints (SCC) anyuid, hostaccess, hostmount-anyuid, hostnetwork, nonroot, privileged, or restricted have been modified

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content