[SURE-7060] during rancher upgrade to 2.7.6 helm operation error with fleet-cleanup-clusterregistrations #1884
Comments
Successfully upgraded to Rancher 2.7.6 from Rancher 2.7.5 without any error. Also the command:
Also, fleet upgraded from 0.7.0 to 0.7.1 without any error. Please let me know if anything else needs to be checked.
I have been able to reproduce the issue, but only in the case when the cis-1.6 profile is enabled in the underlying RKE2 Kubernetes cluster. Helm operation pods are continuously failing:
Due to the failure in the fleet-cleanup-clusterregistrations pod related with the
Also hitting this issue! Rancher 2.7.7 and RKE2 1.24.x w/CIS Profile 1.6 enabled
This appears to be a missing PSP for hardened clusters using CIS profile, running <=1.24. On 1.25+ the entire A quick workaround is to just bind the unrestricted PSP to the service account:
Once the rancher charts are fixed, the Role and RoleBinding can be deleted.
QA Template
Solution
Added Security Context to the cleanup job in #1862
Testing
Install rancher 2.7.5 in a hardened cluster rke2 1.24 (see issue for more info on the env)
Upgrade to the latest rancher should not give any error in the
Additional info
Needs a new fleet RC
PR #1862 needs a backport to v0.9
QA report
Testing considerations:
For hardening, I followed the steps detailed in this guide with few adjustments.
Tested scenarios:
Scenario 1: Fresh installation hardened rke2 cluster on Rancher performing CIS with no errors.
Setup:
Scenario 2: Installation hardened rke2 cluster on Rancher 2.8 performing CIS with no errors, later upgrade to 2.9 and new CIS with no errors.
Setup:
Rancher Server Setup
Information about the Cluster
User Information
Describe the bug
During rancher upgrade to 2.7.6 from 2.7.5 using the following helm command:
Command ends with:
Release "rancher" has been upgraded. Happy Helming!
Rancher pods restart correctly with the new version, but we found helm operation pods in an error state:
Checking the logs from the error pods shows:
Reviewing the log shows the following job, which does not complete:
Starting delete for "fleet-cleanup-clusterregistrations" Job
This is the output of pod describe, showing that the pod is trying to execute as root.
Reviewing the pod's security context configuration, it does not include a user definition:
Reviewing the service account permissions for this pod shows that the cluster role does not have run-as-root permission.
Expected Result
We expect upgrade without errors
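A pre-upgrade check for the condition this report describes (a Job pod with no user in its security context on a cluster whose policy does not permit root), as an added example that is not part of the issue or of the Fleet project's code. The manifests, the container name, the image and UID 1000 are constructed placeholders, not values taken from the chart or from #1862.

```python
# Added example: constructed manifests; names, image and UID are placeholders.

def effective(pod_spec, container, field):
    """Container-level securityContext overrides the pod-level value when set."""
    c_sc = container.get("securityContext") or {}
    p_sc = pod_spec.get("securityContext") or {}
    return c_sc[field] if field in c_sc else p_sc.get(field)


def audit_pod_spec(pod_spec):
    """Map each container name to 'ok', 'root' or 'image-dependent'."""
    verdicts = {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        uid = effective(pod_spec, c, "runAsUser")
        if uid is None:
            # UID comes from the image. Where runAsNonRoot is enforced, the
            # kubelet refuses to start the container if that user is root.
            verdicts[c["name"]] = "image-dependent"
        elif uid == 0:
            verdicts[c["name"]] = "root"
        else:
            verdicts[c["name"]] = "ok"
    return verdicts


def job_findings(job):
    """Return only the containers of a Job manifest (dict) that need attention."""
    pod_spec = job["spec"]["template"]["spec"]
    return {n: v for n, v in audit_pod_spec(pod_spec).items() if v != "ok"}


def make_job(pod_sc=None, container_sc=None):
    """Build a constructed batch/v1 Job; 'example-cleanup' is a placeholder name."""
    container = {"name": "cleanup", "image": "registry.example/cleanup:tag"}
    if container_sc is not None:
        container["securityContext"] = container_sc
    pod_spec = {"restartPolicy": "Never", "containers": [container]}
    if pod_sc is not None:
        pod_spec["securityContext"] = pod_sc
    return {"apiVersion": "batch/v1", "kind": "Job",
            "metadata": {"name": "example-cleanup"},
            "spec": {"template": {"spec": pod_spec}}}


JOB_BEFORE = make_job()  # no securityContext at all, as in the report
JOB_AFTER = make_job(pod_sc={"runAsNonRoot": True, "runAsUser": 1000})

if __name__ == "__main__":
    print("before:", job_findings(JOB_BEFORE))
    print("after: ", job_findings(JOB_AFTER))
```

A verdict of `image-dependent` means the manifest alone does not settle the UID, so the image's configured user decides whether the pod starts on a hardened cluster.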