- Cluster operators: service-ca remains
Truein progressing state and monitoring operator is degraded.
# oc get co NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE monitoring 4.7.0 False False True 26h service-ca 4.7.0 True True False 26h
- No replicas available for service-ca, as relayed by the service-ca operator.
Progressing: service-ca does not have available replicas
- The service-ca pod is stuck in
pendingstate with the following error message:
$ oc get pod -n openshift-service-ca NAME READY STATUS RESTARTS AGE pod/service-ca-XXX 0/1 Pending 0 1d ========================================================================================= message: 'container has runAsNonRoot and image will run as root (pod: "service-ca-XXX_openshift-service-ca", container: service-ca-controller)' reason: CreateContainerConfigError
- The monitoring cluster operator is degraded due to the below error message. The unavailable service-ca pod causes the issue with trusting of internal service-serving certificates, such as shown below.
message: 'Failed to rollout the stack. Error: running task Updating Telemeter client failed: reconciling Telemeter client Prometheus Rule failed: updating PrometheusRule object failed: Internal error occurred: failed calling webhook "prometheusrules.openshift.io": Post "https://prometheus-operator.openshift-monitoring.svc:8080/admission-prometheusrules/validate?timeout=5s": x509: certificate signed by unknown authority' reason: UpdatingTelemeterclientFailed
- Red Hat OpenShift Container Platform
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.