The service-ca cluster operator is stuck in progressing state and the monitoring operator is degraded due to SCC modifications.
Issue
- Cluster operators: service-ca remains True in progressing state and the monitoring operator is degraded.
# oc get co
NAME         VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
monitoring   4.7.0     False       False         True       26h
service-ca   4.7.0     True        True          False      26h
- No replicas available for service-ca, as relayed by the service-ca operator.
Progressing: service-ca does not have available replicas
- The service-ca pod is stuck in pending state with the following error message:
$ oc get pod -n openshift-service-ca
NAME                 READY   STATUS    RESTARTS   AGE
pod/service-ca-XXX   0/1     Pending   0          1d
=========================================================================================
message: 'container has runAsNonRoot and image will run as root (pod: "service-ca-XXX_openshift-service-ca",
container: service-ca-controller)'
reason: CreateContainerConfigError
- The monitoring cluster operator is degraded with the error message below. Because the service-ca pod is unavailable, internal service-serving certificates cannot be trusted, as the x509 error shows.
message: 'Failed to rollout the stack. Error: running task Updating Telemeter
client failed: reconciling Telemeter client Prometheus Rule failed: updating
PrometheusRule object failed: Internal error occurred: failed calling webhook
"prometheusrules.openshift.io": Post "https://prometheus-operator.openshift-monitoring.svc:8080/admission-prometheusrules/validate?timeout=5s":
x509: certificate signed by unknown authority'
reason: UpdatingTelemeterclientFailed
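The CreateContainerConfigError message above comes from the kubelet's runAsNonRoot check, which runs just before the container is created. The following simplified Python model of that check is an added example, not code from this article or from Kubernetes itself; it assumes the modified SCC no longer injects a numeric runAsUser at admission, and the function names and the sample UID are constructed for illustration.

```python
# Simplified model of the kubelet's runAsNonRoot verification (added example).
# Inputs are the container's effective securityContext after SCC admission
# and the USER value recorded in the image.

def parse_image_user(user):
    """Return (uid, username) for an image USER value.
    An unset USER is treated as root (uid 0); a name cannot be verified."""
    user = user.split(":", 1)[0].strip()  # drop an optional ":group" suffix
    if user == "":
        return 0, ""
    if user.isdigit():
        return int(user), ""
    return None, user

def verify_run_as_non_root(run_as_non_root, run_as_user, image_user):
    """Return the error text, or None when the container may start."""
    if not run_as_non_root:
        return None  # nothing to enforce
    if run_as_user is not None:
        # An explicit UID in the securityContext overrides the image USER.
        if run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, username = parse_image_user(image_user)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return ("container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None

# Constructed cases: (runAsNonRoot, runAsUser, image USER)
CASES = {
    "UID injected at admission, image USER unset": (True, 1000620000, ""),
    "no UID injected, image USER unset": (True, None, ""),
    "no UID injected, image USER 1001": (True, None, "1001"),
    "no UID injected, image USER is a name": (True, None, "nginx"),
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(f"{label}: {verify_run_as_non_root(*args) or 'ok'}")
```

The second case reproduces the message shown for the service-ca-controller container: runAsNonRoot is set, no UID was assigned to the pod, and the image itself does not declare a non-root numeric user.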
Environment
- Red Hat OpenShift Container Platform
- 4.x