Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Description
The admission controller pod which is created inside the scheduler pod uses the wrong service account.
The admission controller pod is launched with the default service account. This causes the admission controller pod to be in a pending state because of insufficient privileges.
Error message indicating pod in pending state:
NAME                                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/yunikorn-admission-controller   0/1     0            0           8m14s
deployment.apps/yunikorn-scheduler              1/1     1            1           8m20s

NAME                                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/yunikorn-admission-controller-854f64bcbf   1         0         0       8m14s
replicaset.apps/yunikorn-scheduler-585fcfbb46              1         1         1       8m20s

[root@vm5 vbm]# kubectl describe replicaset.apps/yunikorn-admission-controller-854f64bcbf -n yunikorn
Name:           yunikorn-admission-controller-854f64bcbf
Namespace:      yunikorn
Selector:       app=yunikorn,pod-template-hash=854f64bcbf
Labels:         app=yunikorn
                pod-template-hash=854f64bcbf
Annotations:    deployment.kubernetes.io/desired-replicas: 1
                deployment.kubernetes.io/max-replicas: 2
                deployment.kubernetes.io/revision: 1
Controlled By:  Deployment/yunikorn-admission-controller
Events:
  Type     Reason        Age                 From                   Message
  ----     ------        ----                ----                   -------
  Warning  FailedCreate  19s (x13 over 40s)  replicaset-controller  Error creating: pods "yunikorn-admission-controller-854f64bcbf-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: []]
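
The failure above can be reproduced offline with a small pre-deployment check. This is an added example, not code from the YuniKorn project: the manifests and policies are constructed, the service account name `yunikorn-admission-controller` is hypothetical, and the mapping from service account to usable pod security policies stands in for the RBAC `use` bindings of a real cluster.

```python
# Added example with constructed data; not part of the YuniKorn code base.
# Policies use the PodSecurityPolicy spec fields hostNetwork and hostPorts.
RESTRICTED = {"hostNetwork": False, "hostPorts": []}
HOST_ACCESS = {"hostNetwork": True, "hostPorts": [{"min": 8443, "max": 8443}]}
# Assumption: which policies each service account is authorized to use.
BINDINGS = {"default": [RESTRICTED],
            "yunikorn-admission-controller": [HOST_ACCESS]}  # hypothetical name

def make_deployment(service_account=None):
    """Build a minimal Deployment like the admission controller's (constructed)."""
    pod_spec = {"hostNetwork": True,
                "containers": [{"name": "webhook", "ports": [{"hostPort": 8443}]}]}
    if service_account:
        pod_spec["serviceAccountName"] = service_account
    return {"kind": "Deployment", "spec": {"template": {"spec": pod_spec}}}

def effective_service_account(deployment):
    """Pods without serviceAccountName run as the namespace's "default" account."""
    return deployment["spec"]["template"]["spec"].get("serviceAccountName") or "default"

def psp_violations(deployment, psp_spec):
    """Check the two fields named in the FailedCreate event against one policy."""
    pod_spec = deployment["spec"]["template"]["spec"]
    problems = []
    if pod_spec.get("hostNetwork") and not psp_spec.get("hostNetwork", False):
        problems.append("spec.securityContext.hostNetwork")
    ranges = psp_spec.get("hostPorts", [])
    for i, container in enumerate(pod_spec.get("containers", [])):
        for port in container.get("ports", []):
            hp = port.get("hostPort")
            if hp and not any(r["min"] <= hp <= r["max"] for r in ranges):
                problems.append(f"spec.containers[{i}].hostPort={hp}")
    return problems

def audit(deployment, bindings):
    """Return (service account, admitted?, violations per usable policy).
    A pod is admitted only if at least one usable policy has no violations."""
    sa = effective_service_account(deployment)
    results = [psp_violations(deployment, p) for p in bindings.get(sa, [])]
    return sa, any(not r for r in results), results

if __name__ == "__main__":
    for dep in (make_deployment(), make_deployment("yunikorn-admission-controller")):
        print(audit(dep, BINDINGS))
```

Running the check against rendered manifests before rollout catches a missing `serviceAccountName` without granting host access to the `default` account.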