The IBM Operator for Apache Flink not installing due to Security Context Constraint (SCC) issues

Symptoms

The installation of the IBM Operator for Apache Flink instance is unsuccessful, and the instance reports a Failed status.

  • The conditions field under status contains the following error message:

    install failed: deployment flink-kubernetes-operator not ready before timeout: deployment "flink-kubernetes-operator" exceeded its progress deadline
    
  • The pod fails with an Init:CreateContainerConfigError error, and the status of the initContainer contains the following error message under the message field:

    container has runAsNonRoot and image has non-numeric user (flink),
    cannot verify user is non-root (pod:
    "flink-kubernetes-operator-dbd5764db-2zlsd_default(dca6e122-4296-44f0-b66b-8ede4307493c)",
    container: import-cert)
    

Causes

IBM Operator for Apache Flink has been tested with the default restricted-v2 Security Context Constraint (SCC) provided by the OpenShift Container Platform.

If a user or another operator applies a custom SCC that removes permissions required by IBM Operator for Apache Flink, the operator pods can fail to start with the errors described in the symptoms.
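
One way to confirm that a pod is hitting this condition and to see which SCC admitted it, as an added example (not IBM's own tooling). It parses the output of `oc get pods -n <namespace> -o json` and reads the `openshift.io/scc` annotation that OpenShift records on admitted pods; the embedded sample and its `custom-scc` name are constructed.

```python
import json

# Constructed sample shaped like `oc get pods -n <namespace> -o json` output.
# "custom-scc" is a hypothetical SCC name; the message is the one quoted above.
SAMPLE = json.dumps({"items": [{
    "metadata": {"name": "flink-kubernetes-operator-dbd5764db-2zlsd",
                 "namespace": "default", "annotations": {"openshift.io/scc": "custom-scc"}},
    "spec": {"initContainers": [{"name": "import-cert",
                                 "securityContext": {"runAsNonRoot": True}}],
             "containers": [{"name": "flink-kubernetes-operator"}]},
    "status": {"initContainerStatuses": [{"name": "import-cert", "state": {"waiting": {
        "reason": "CreateContainerConfigError",
        "message": "container has runAsNonRoot and image has non-numeric user "
                   "(flink), cannot verify user is non-root"}}}],
        "containerStatuses": [{"name": "flink-kubernetes-operator", "state": {
            "waiting": {"reason": "PodInitializing"}}}]}}]})

MARKER = "runAsNonRoot and image has non-numeric user"


def find_scc_failures(pods_json):
    """Return one finding per container blocked by the non-numeric-user check."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec, status = (pod.get(k) or {} for k in ("metadata", "spec", "status"))
        pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
        specs = {c["name"]: c for key in ("initContainers", "containers")
                 for c in spec.get(key) or []}
        for key in ("initContainerStatuses", "containerStatuses"):
            for cs in status.get(key) or []:
                waiting = (cs.get("state") or {}).get("waiting") or {}
                if (waiting.get("reason") != "CreateContainerConfigError"
                        or MARKER not in (waiting.get("message") or "")):
                    continue
                ctx = specs.get(cs["name"], {}).get("securityContext") or {}
                findings.append({
                    "pod": f"{meta.get('namespace')}/{meta.get('name')}",
                    "container": cs["name"],
                    # SCC that admitted the pod (annotation set by OpenShift)
                    "scc": (meta.get("annotations") or {}).get("openshift.io/scc"),
                    # None: no numeric UID was set for this container
                    "run_as_user": ctx.get("runAsUser", pod_uid),
                })
    return findings


if __name__ == "__main__":
    for finding in find_scc_failures(SAMPLE):
        print(finding)
```

A finding whose `scc` value is something other than `restricted-v2` points to the custom SCC described above.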

Resolving the problem

Apply the custom Security Context Constraint (SCC) provided by IBM Event Automation to enable permissions required by the product.

To do this, edit the event-automation-scc.yaml file to add your namespace, and apply it by using the oc tool as follows:

  1. Edit the event-automation-scc.yaml file and add the namespace where your IBM Operator for Apache Flink instance is installed.

  2. Log in to your Red Hat OpenShift Container Platform as a cluster administrator by using the oc CLI (oc login).

  3. Run the following command to apply the SCC:

    oc apply -f <custom_scc_file_path>
    

    For example:

    oc apply -f event-automation-scc.yaml