crc icon indicating copy to clipboard operation
crc copied to clipboard

Published 20 hours ago verified publisher icon crc-org

PVs are not being recycled

Open kharyam opened this issue 3 years ago • 4 comments

The PV recycler is failing to recycle the PVs. I observed this on Fedora 36, Versions below:

crc version

CRC version: 2.8.0+217b3bd
OpenShift version: 4.11.1
Podman version: 4.1.1

To Reproduce:

oc new-project postgres
oc new-app postgresql-persistent

# Once postgres is up and running:
oc delete project postgres
oc get pv | grep postgres

The PV will be marked as Failed. An oc describe of the PV will reveal:

Recycle failed: unexpected error creating recycler pod:  pods "recycler-for-pv0017" is forbidden: violates PodSecurity baseline:latest": hostPath volumes (volume "vol")

Originally opened on bugzilla: https://issues.redhat.com/browse/CRC-121

kharyam avatar Sep 07 '22 13:09 kharyam

I have the same problem. Over time volumes accumulate and make my crc instance unusable.

kadel avatar Sep 07 '22 15:09 kadel

It looks like the problem is that the recycler can't run due to new PodSecurity restrictions.

Not sure if this is the correct solution, but setting the PedSecurity enforce mode to privileged level on openshfit-ingra instead of the current baseline resolved the issue for me.

oc login -u kubeadmin ........
oc label  --overwrite ns openshift-infra  pod-security.kubernetes.io/enforce=privileged

kadel avatar Sep 07 '22 16:09 kadel

@kadel Thanks for a workaround, also this looks like issue from openshift side or something specific to CRC?

praveenkumar avatar Sep 08 '22 07:09 praveenkumar

@kadel Thanks for a workaround, also this looks like issue from openshift side or something specific to CRC?

Not sure. I don't what are extra components CRC manages on top of OpenShift. But this looks like a configuration issue with the storage provider. As far as I know openshift doesn't come with a local hostPath dynamic provisioner, so this is probably something that will have to be resolved on the CRC side.

kadel avatar Sep 09 '22 09:09 kadel

@kadel @praveenkumar OK, asked around a bit (I'm not an infra guy, so...) after getting really annoyed with this, and it was explained to me how patching the ns as above is very wrong. Of course, we're just doing this on our own little, never-prod cluster, so whatever for now.

Proper way to handle is to dynamically provision the pv's and then refer to them via StorageClass. I found an article that does that using NFS on the CRC node here (https://tinyurl.com/2jdf7x3l). I haven't had a chance to try it out yet (and there's an alternative YAML at the bottom to try, too, so YMMV), but once I get around to it if they still haven't fixed it yet I'll try it out and submit a more automated solution. Recycle is deprecated and discouraged, so we should get rid of it (https://tinyurl.com/2edf2art).

hippyod avatar Oct 13 '22 22:10 hippyod

This should be fixed now with https://github.com/crc-org/snc/issues/444

anjannath avatar Nov 14 '22 09:11 anjannath