
Trident 21.01.2 upgrade error (upgrade from 20.07.1 to 21.x.x)

Open arunbpt7 opened this issue 4 years ago • 7 comments

Hello all, I am trying to upgrade Trident 21.07.2 on Kubernetes 1.17.4, but the operator pod (trident-operator-xxxx-xxxx) is failing due to the error below and is unable to proceed with further steps.

"Error: Container has runAsRoot and image will run as root". I added securityContext "runAsUser" in deploy.yaml as a trial run, and that completed successfully with the deployment of the operator, torc, CSI controller and CSI daemon set.

Let me know the fix for these errors.

Are there any potential issues that would occur when the operator uses runAsUser, i.e. PV operations, Trident functionality, etc.?

arunbpt7, Apr 25 '21 17:04

Hello, @arunbpt7. The trident-operator and trident-csi deployments do not require elevated privileges, nor do they request that. However, the trident-csi daemonset does require root privileges, since it must be able to discover and attach storage resources to the cluster nodes. Even if Trident installs without elevated privileges on the daemonset, I suspect it would fail to attach PVs to pods.

clintonk, Apr 25 '21 19:04

@arunbpt7 do you have any updates on this? As Clinton mentioned, runAsRoot is a requirement for the trident-csi daemonset that Trident creates. The deploy.yaml file is used to spin up the Trident operator, which in turn will install Trident (create the trident-csi deployment and trident-csi daemonset).

balaramesh, May 03 '21 19:05

@balaramesh, yes, trying to upgrade from 20.07.1 to 21.07.2; however, the operator fails with "Error: Container has runAsRoot and image will run as root".

arunbpt7, Oct 22 '21 02:10

As mentioned above, Trident's daemonset must run as root. This is a requirement for Trident to be able to attach volumes and handle OS-level operations such as volume expansions. You will need to permit Trident's daemonset pods to run as root.

balaramesh, Oct 22 '21 12:10

@balaramesh, that makes sense. The question is why the Trident operator pod is failing with "Container has runAsNonRoot and image will run as root" when using the standard operator manifest.

arunbpt7, Oct 22 '21 13:10

@arunbpt7 do you mean runAsNonRoot or runAsRoot? I am assuming it is runAsNonRoot. This looks to be due to a SecurityContext that is being applied in your Kubernetes environment. Perhaps you are applying some restrictions in the namespace Trident is being deployed in? I would recommend opening a support case with NetApp so we can take a look at the logs and figure out what is going on here.

From what I can gather, this looks to be caused by a security config in your Kubernetes environment that is preventing Trident from creating root pods.

balaramesh, Oct 22 '21 13:10
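
The kubelet check behind the error discussed in this thread, as an added example that is not part of the original thread and is not Trident or Kubernetes source code: a Python sketch of how `runAsNonRoot` is evaluated against `runAsUser` and the user recorded in the image. The function names, the `image_user` parameter and the sample securityContext values are constructed for illustration.

```python
# Added illustration: mirrors the kubelet's runAsNonRoot verification that runs
# before a container starts. All names and sample values here are hypothetical.

ROOT_MSG = "container has runAsNonRoot and image will run as root"

def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    if ctr_sc.get(key) is not None:
        return ctr_sc[key]
    return pod_sc.get(key)

def check_run_as_non_root(pod_sc, ctr_sc, image_user):
    """Return None if the container may start, else the blocking reason.

    image_user is the USER stored in the image config ("" when unset,
    which means the image runs as uid 0).
    """
    if not effective(pod_sc, ctr_sc, "runAsNonRoot"):
        return None  # no non-root requirement in effect
    uid = effective(pod_sc, ctr_sc, "runAsUser")
    if uid is not None:
        # An explicit runAsUser wins over whatever the image declares.
        return "container's runAsUser breaks non-root policy" if uid == 0 else None
    user = image_user.split(":")[0]  # drop an optional ":group" suffix
    if user == "":
        return ROOT_MSG
    if not user.isdigit():
        # A user name cannot be proven non-root without reading the image's passwd.
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({user}), cannot verify user is non-root")
    return ROOT_MSG if int(user) == 0 else None

# Constructed cases: runAsNonRoot in effect (for example, set by a cluster policy).
POLICY = {"runAsNonRoot": True}
CASES = {
    "image without USER": check_run_as_non_root(POLICY, {}, ""),
    "runAsUser added": check_run_as_non_root(POLICY, {"runAsUser": 1000}, ""),
    "named image user": check_run_as_non_root(POLICY, {}, "trident"),
    "daemonset as uid 0": check_run_as_non_root(POLICY, {"runAsUser": 0}, ""),
    "no policy": check_run_as_non_root({}, {}, ""),
}

if __name__ == "__main__":
    for name, reason in CASES.items():
        print(f"{name}: {reason or 'allowed'}")
```

The "runAsUser added" case corresponds to the workaround reported in the first post: with an explicit non-zero `runAsUser`, the image's own user is no longer consulted.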

I already have a support case with NetApp. Yes, I knew it's due to the securityContext; however, we never had any issues with the existing version 20.07.X. We are in the middle of the upgrade process and are getting stuck here. Is the new version of the operator pod intended to run as root?

arunbpt7, Oct 22 '21 13:10