The service-ca cluster operator stuck in progressing state and monitoring operator is degraded due to SCC modifications.

Solution Verified - Updated -


  • Cluster operators: service-ca remains True in progressing state and monitoring operator is degraded.
# oc get co
NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
monitoring                                 4.7.0     False       False         True       26h
service-ca                                 4.7.0     True        True          False      26h
  • No replicas available for service-ca, as relayed by the service-ca operator.
Progressing: service-ca does not have available replicas
  • The service-ca pod is stuck in pending state with the following error message:
$ oc get pod -n openshift-service-ca
NAME                             READY  STATUS   RESTARTS  AGE
pod/service-ca-XXX  0/1    Pending  0         1d
message: 'container has runAsNonRoot and image will run as root (pod: "service-ca-XXX_openshift-service-ca",
          container: service-ca-controller)'
        reason: CreateContainerConfigError
  • The monitoring cluster operator is degraded due to the below error message. The unavailable service-ca pod causes the issue with trusting of internal service-serving certificates, such as shown below.
message: 'Failed to rollout the stack. Error: running task Updating Telemeter
      client failed: reconciling Telemeter client Prometheus Rule failed: updating
      PrometheusRule object failed: Internal error occurred: failed calling webhook
      "": Post "https://prometheus-operator.openshift-monitoring.svc:8080/admission-prometheusrules/validate?timeout=5s":
      x509: certificate signed by unknown authority'
    reason: UpdatingTelemeterclientFailed


  • Red Hat OpenShift Container Platform
    • 4.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content