
PodSecurityPolicy error from k8s api

Open JuanRamino opened this issue 3 years ago • 0 comments

Please, answer some short questions which should help us to understand your problem / question better?

  • Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.8.2
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? Bare Metal K8s
  • Are you running Postgres Operator in production? no
  • Type of issue? Error

Hello,

I'm trying to run a cluster deploying the manifest _complete-postgres-manifest.yaml_ with helm. The only custom configuration I made is the OperatorConfiguration in order to use an imagePullSecret:

```yaml
apiVersion: "acid.zalan.do/v1"
kind: OperatorConfiguration
metadata:
  name: postgresql-operator-config
  namespace: {{ .Release.Namespace }}
configuration:
  kubernetes:
    pod_service_account_name: postgres-pod
    pod_service_account_definition: '
      {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
          "name": "postgres-pod"
        },
        "imagePullSecrets": [
          {
            "name": "artifactory"
          }
        ]
      }'
```

Reading the logs from spilo pods I get this error:

```text
2022-08-09 09:49:25,155 INFO: trying to bootstrap from leader 'acid-test-cluster-0'
2022-08-09 09:49:25,156 ERROR: failed to bootstrap from leader 'acid-test-cluster-0'
2022-08-09 09:49:25,156 INFO: Removing data directory: /home/postgres/pgdata/pgroot/data
2022-08-09 09:49:35,024 INFO: Lock owner: acid-test-cluster-0; I am acid-test-cluster-1
2022-08-09 09:49:35,042 ERROR: Permission denied
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 498, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 1088, in touch_member
    ret = self._api.patch_namespaced_pod(self._name, self._namespace, body)
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 483, in wrapper
    return getattr(self._core_v1_api, func)(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 419, in wrapper
    return self._api_client.call_api(method, path, headers, body, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 388, in call_api
    return self._handle_server_response(response, _preload_content)
  File "/usr/local/lib/python3.6/dist-packages/patroni/dcs/kubernetes.py", line 218, in _handle_server_response
    raise k8s_client.rest.ApiException(http_resp=response)
patroni.dcs.kubernetes.K8sClient.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': '2c2aebf4-5646-4051-a774-2e24e9620334', 'X-Kubernetes-Pf-Prioritylevel-Uid': '6cf78a01-00f6-4c5c-bda6-9022da91f971', 'Date': 'Tue, 09 Aug 2022 09:50:09 GMT', 'Content-Length': '257'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \\"acid-test-cluster-1\\" is forbidden: PodSecurityPolicy: unable to validate pod: []","reason":"Forbidden","details":{"name":"acid-test-cluster-1","kind":"pods"},"code":403}\n'
```

What pod security policy am I forgetting?

Thanks

JuanRamino, Aug 09 '22 10:08
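The 403 above is raised by the PodSecurityPolicy admission controller when Patroni (running as the `postgres-pod` service account from the issue's OperatorConfiguration) patches its own pod and no PSP is authorized for that account. The manifest below is an added example, not part of the issue or of the postgres-operator project: it grants that service account the `use` verb on one PSP, which is what the admission controller checks; the PSP name `postgres-pod-psp` and the namespace `postgres` are placeholders, and the PSP itself must already exist and permit the spilo pod spec.

```yaml
# Added example, not from the issue or the postgres-operator project.
# Grants the pod service account "postgres-pod" the "use" verb on a single
# PodSecurityPolicy so PSP admission can validate the spilo pods when
# Patroni patches them. "postgres-pod-psp" and the namespace "postgres" are
# placeholders; the PSP must exist and allow the spilo pod's spec.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:postgres-pod
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["postgres-pod-psp"]   # placeholder PSP name
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:postgres-pod
  namespace: postgres   # placeholder: namespace the Postgres cluster runs in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:postgres-pod
subjects:
  - kind: ServiceAccount
    name: postgres-pod   # the pod_service_account_name from the issue
    namespace: postgres  # placeholder
```

Before and after applying it, `kubectl auth can-i use podsecuritypolicy/postgres-pod-psp --as=system:serviceaccount:postgres:postgres-pod` shows whether the account is authorized for the policy. PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters this admission path no longer exists and Pod Security Admission applies instead.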