Installation Note 67349: SAS® Viya® 2020 deployments fail with "Error: secret 'sas-consul-client' not found" when the pod security policy "runtime/default" is not allowed
SAS Viya 2020 deployments can fail when the pod security policies do not allow "runtime/default". This restriction causes many pods to go into a CreateContainerConfigError status during the deployment or not be created at all.
When you describe the failing pods, most of the pods in this state show an error similar to the following, which indicates that a secret was not found:
Warning Failed 39m (x7 over 40m) kubelet Error: secret "sas-consul-client" not found
Cause
This issue happens because SAS Viya 2020 introduced the following annotation into the deployment. With this annotation, SAS Viya pods cannot be created if "runtime/default" is not allowed:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
Verify
You can run the following command to describe the pods:
kubectl -n namespace describe pod pod-name
You can check the pod security policies by running the following command on your Kubernetes cluster:
kubectl get psp restricted -o custom-columns=NAME:.metadata.name,"SECCOMP":".metadata.annotations.seccomp\.security\.alpha\.kubernetes\.io/allowedProfileNames"
For more information about pod security policies, see Pod Security Policies in the Kubernetes documentation.
Resolution
To resolve the issue, add "runtime/default" to the default pod security policies as a Kubernetes cluster administrator.
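The following added example (not SAS or Kubernetes project code) reads the allowedProfileNames annotation that the Verify step displays, decides whether it permits "runtime/default", and prints the kubectl annotate command that would append it while keeping the existing entries. The script name check-psp-seccomp.sh and the function names are hypothetical; "restricted" is the policy name used in the Verify command above.

```shell
#!/bin/sh
# Added example, not SAS or Kubernetes project code.
PROFILE="runtime/default"
ANNOTATION="seccomp.security.alpha.kubernetes.io/allowedProfileNames"

# Succeeds if the comma-delimited allowedProfileNames value in $1 permits
# $PROFILE, either by name or through the "*" wildcard entry.
profile_allowed() {
  list=$(printf '%s' "$1" | tr -d '[:space:]')
  case ",$list," in
    *",*,"*|*",$PROFILE,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the annotation value with $PROFILE appended, keeping existing entries.
# kubectl prints "<none>" when the annotation is absent.
merged_value() {
  current=$(printf '%s' "$1" | tr -d '[:space:]')
  if profile_allowed "$current"; then
    printf '%s' "$current"
  elif [ -z "$current" ] || [ "$current" = "<none>" ]; then
    printf '%s' "$PROFILE"
  else
    printf '%s,%s' "$current" "$PROFILE"
  fi
}

# Reads the policy named in $1 and prints (does not run) the command a
# cluster administrator would review and apply.
suggest_fix() {
  allowed=$(kubectl get psp "$1" --no-headers -o \
    custom-columns="SECCOMP:.metadata.annotations.seccomp\.security\.alpha\.kubernetes\.io/allowedProfileNames")
  if profile_allowed "$allowed"; then
    echo "PSP $1 already allows $PROFILE"
  else
    echo "kubectl annotate psp $1 --overwrite $ANNOTATION=$(merged_value "$allowed")"
  fi
}

# Usage (hypothetical script name): sh check-psp-seccomp.sh restricted
if [ -n "${1:-}" ]; then
  suggest_fix "$1"
fi
```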
Operating System and Release Information
SAS System | SAS Viya | Linux for x64 | 2020.1.1 | | Viya | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: | Installation Note |
Priority: | medium |
Date Modified: | 2021-02-17 13:41:43 |
Date Created: | 2021-02-01 09:19:36 |