Trident install on MKE (Mirantis Kubernetes) is not working

Open eselvam opened this issue 3 years ago • 7 comments

Describe the bug

After installing Trident, while provisioning the volume in a pod, we are getting the below error in pod events.

tridentorchestrator/trident Failed to install Trident; err: failed to create the Trident DaemonSet; failed to create or patch Trident daemonset; could not patch Trident DaemonSet; daemonsets.apps "trident-csi" is forbidden: non-admin user "trident:trident-operator" [service account "trident:trident-csi"]. The configured privileged attributes access for non-admin users ("[]")("[]") and for service accounts ("[]")("[]") lack required permissions to use attributes [hostbindmounts hostipc hostnetwork hostpid kernelcapabilities privileged] for resource trident-csi

Environment MKE 3.4.x

  • Trident version: 22.01.1
  • Trident installation flags used: Operator
  • Container runtime: 20.10.7
  • Kubernetes version: v1.21.3-mirantis-1
  • Kubernetes orchestrator: MKE
  • Kubernetes enabled feature gates: NA
  • OS: RHEL 8
  • NetApp backend types: ONTAP
  • Other:

To Reproduce Steps to reproduce the behavior: Follow the installation procedure in the Trident document. While provisioning the nginx pod, you will get the above error.

Expected behavior: The pod should mount and start.

eselvam avatar Aug 03 '22 13:08 eselvam

@eselvam, the error that is listed appears to be from a failed Trident installation and not the Pod itself. It appears that the user used to install Trident did not have the level of permissions needed to successfully install Trident. Please contact NetApp support if you need additional assistance in resolving this issue.

gnarl avatar Aug 03 '22 15:08 gnarl

Thanks. I installed using the admin account in MKE, so we can ignore that part. It seems the service account does not have privileges even though it has them according to kubectl get podsecuritypolicy, and trident-main has securitycontext as Sys_admin. It should work, but not in my case.

I am doing a clean install again to see if it helps, then I will post an update. Thanks.

eselvam avatar Aug 03 '22 15:08 eselvam

There is a KB article for this: https://kb.netapp.com/Advice_and_Troubleshooting/Cloud_Services/Astra_Trident/Trident_install_failing_due_to_clusterrolebinding_not_allowing

rohit-arora-dev avatar Aug 03 '22 15:08 rohit-arora-dev

Multiple issues with MKE (Mirantis Kubernetes):

  1. We need to provide those permissions from the MKE GUI as admin under orchestration.
  2. We need to disable Trident pods being scheduled on master and registry nodes by removing the automatic toleration for the deployment in the same admin page.

Thanks.

eselvam avatar Aug 06 '22 05:08 eselvam

The document we have with NetApp works for a plain Kubernetes install, not a vendor-based one. If you come up with a document for each vendor, it will save time for the customers. Each vendor's Kubernetes is different; it won't work with the standard installation instructions. Thanks.

eselvam avatar Aug 06 '22 05:08 eselvam

I installed Trident with tridentctl and didn't have any issues.

scaleoutsean avatar Oct 09 '22 05:10 scaleoutsean

If you install Trident with a physical host or VM with the UPI method of OpenShift, then you will face this issue. The SCC does not have adequate privileges, and it is very clear in the logs as well. If you use any other method, you won't see this issue. Moreover, it is an operator-based install.

eselvam avatar Oct 09 '22 09:10 eselvam