Apache YuniKorn / YUNIKORN-435

Admission-Controller pod goes into pending state because of default serviceAccount


Details

    Description

      The admission controller pod which is created inside the scheduler pod uses the wrong service account.
      The admission controller pod is launched with the default service account. This causes the admission controller pod to be in the pending state because of insufficient privileges.

       

      Error message indicating pod in pending state:

      NAME                                            READY   UP-TO-DATE   AVAILABLE   AGE
      deployment.apps/yunikorn-admission-controller   0/1     0            0           8m14s
      deployment.apps/yunikorn-scheduler              1/1     1            1           8m20s

      NAME                                                       DESIRED   CURRENT   READY   AGE
      replicaset.apps/yunikorn-admission-controller-854f64bcbf   1         0         0       8m14s
      replicaset.apps/yunikorn-scheduler-585fcfbb46              1         1         1       8m20s
      
      [root@vm5 vbm]# kubectl describe replicaset.apps/yunikorn-admission-controller-854f64bcbf -n yunikorn
      Name:           yunikorn-admission-controller-854f64bcbf
      Namespace:      yunikorn
      Selector:       app=yunikorn,pod-template-hash=854f64bcbf
      Labels:         app=yunikorn
                      pod-template-hash=854f64bcbf
      Annotations:    deployment.kubernetes.io/desired-replicas: 1
                      deployment.kubernetes.io/max-replicas: 2
                      deployment.kubernetes.io/revision: 1
      Controlled By:  Deployment/yunikorn-admission-controller
      Events:
        Type     Reason        Age                 From                   Message
        ----     ------        ----                ----                   -------
        Warning  FailedCreate  19s (x13 over 40s)  replicaset-controller  Error creating: pods "yunikorn-admission-controller-854f64bcbf-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: []]
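
The check below is an added example, not code from the issue or from the YuniKorn project. It resolves which service account a Deployment's pods run as and lists the host-level settings a pod security policy must allow, which are the two facts behind the FailedCreate event above. The manifest fragment and the container name are constructed for illustration.

```python
def effective_service_account(pod_spec):
    # With serviceAccountName unset, Kubernetes runs the pod as the
    # namespace's "default" service account.
    return pod_spec.get("serviceAccountName") or "default"


def host_level_requests(pod_spec):
    """List the host-level settings that a PodSecurityPolicy has to allow."""
    host_network = bool(pod_spec.get("hostNetwork"))
    found = ["spec.hostNetwork=true"] if host_network else []
    for i, container in enumerate(pod_spec.get("containers", [])):
        for port in container.get("ports", []):
            # API defaulting copies containerPort into hostPort when
            # hostNetwork is true, so both settings end up in the PSP check.
            host_port = port.get("hostPort") or (
                port.get("containerPort") if host_network else None)
            if host_port:
                found.append(f"spec.containers[{i}].hostPort={host_port}")
    return found


def audit(deployment):
    pod_spec = deployment["spec"]["template"]["spec"]
    namespace = deployment["metadata"].get("namespace", "default")
    account = effective_service_account(pod_spec)
    return {
        # RBAC subject that needs "use" on a PSP permitting the requests
        "subject": f"system:serviceaccount:{namespace}:{account}",
        "uses_default_account": account == "default",
        "requests": host_level_requests(pod_spec),
    }


# Constructed manifest fragment (not the project's real one): no
# serviceAccountName, hostNetwork enabled, container listening on 8443.
SAMPLE = {
    "metadata": {"name": "yunikorn-admission-controller", "namespace": "yunikorn"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "admission-controller",  # constructed name
                        "ports": [{"containerPort": 8443}]}],
    }}},
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report["subject"], "default account:", report["uses_default_account"])
    for item in report["requests"]:
        print("  needs PSP allowance:", item)
```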
      

          People

            vbm Vishwas