Operator installation documentation clarity #2395

Open
2 tasks done
Aetylus opened this issue May 14, 2024 · 0 comments
Aetylus commented May 14, 2024

Is your feature request related to a problem?

I feel like the operator installation docs could be updated to provide a bit more clarity or correction in details. I wasn't sure whether to submit the issue here or on the operator repository (https://github.com/metallb/metallb-operator), but at least based off the documentation note seen here, this seems correct.

Describe the solution you'd like

The CRDs must be created in the operators namespace and not the metallb-system namespace as most of the docs imply. This also contradicts the docs seen on the operator repository here. I realize the operator repository is not necessarily the documentation for usage through OperatorHub but it seems worth mentioning.

Notably you do get a Kubernetes error if you try to create, say, the IPAddressPool or L2Advertisement CRDs outside of the operators namespace; however, you don't get the same error if you try to create the MetalLB CRD in another namespace. Doing so results in no controller or speakers being created which, if nothing else, led to a lot of my confusion trying to troubleshoot the installation.

I'm not sure if this is the common pattern for OperatorHub operators and I'm admittedly not familiar with Kubernetes operators past the high level concept, so maybe this is more an issue with me than the documentation, but perhaps the additional documentation can hopefully assist other people attempting to configure and install MetalLB through the operator.

[Edit] I forgot about this part until I was moving from a test environment to the server, but also the default pod-security annotations don't seem to work. Without any modifications, the daemonset.apps/speaker logs the following event warning when trying to create speaker pods:

  Warning  FailedCreate  44m   daemonset-controller  Error creating: pods "speaker-fsrxx" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "speaker" must not include "NET_RAW" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPort (container "speaker" uses hostPorts 7472, 7946)

The way I've found to fix this is to change the labels on the operator namespace to the following:

pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged

I'm unsure if this is correct but it seems to work.

Additional context

No response

I've read and agree with the following

  • I've checked all open and closed issues and my request is not there.
  • I've checked all open and closed pull requests and my request is not there.
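
An added example, not part of the original issue and not MetalLB or Kubernetes code: a Python sketch of the three "baseline" Pod Security Standard checks named in the FailedCreate event quoted above, run against a constructed pod spec that carries only the fields the event mentions. The function name `baseline_violations` and the `SPEAKER_LIKE` spec are assumptions made for illustration.

```python
# Added example: the three "baseline" checks named in the FailedCreate event.
# Illustrative only; this is not the Kubernetes admission implementation.

# Capabilities a container may add under the baseline profile.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}


def baseline_violations(pod_spec):
    """Return (check, detail) pairs for the baseline checks the spec fails."""
    found = []
    containers = []
    for key in ("containers", "initContainers", "ephemeralContainers"):
        containers += pod_spec.get(key) or []

    # Non-default capabilities: anything added outside the allow-list.
    for c in containers:
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        extra = sorted(set(caps.get("add") or []) - BASELINE_ALLOWED_CAPS)
        if extra:
            found.append(("capabilities", f'{c["name"]} adds {extra}'))

    # Host namespaces: hostNetwork, hostPID and hostIPC must be unset or false.
    shared = [f for f in ("hostNetwork", "hostPID", "hostIPC") if pod_spec.get(f)]
    if shared:
        found.append(("hostNamespaces", ", ".join(shared)))

    # Host ports: every hostPort must be unset or 0.
    for c in containers:
        ports = sorted(p["hostPort"] for p in c.get("ports") or [] if p.get("hostPort"))
        if ports:
            found.append(("hostPorts", f'{c["name"]} uses {ports}'))
    return found


# Constructed pod spec mirroring only the fields named in the event.
SPEAKER_LIKE = {
    "hostNetwork": True,
    "containers": [{
        "name": "speaker",
        "securityContext": {"capabilities": {"add": ["NET_RAW"]}},
        "ports": [{"containerPort": 7472, "hostPort": 7472},
                  {"containerPort": 7946, "hostPort": 7946}],
    }],
}

if __name__ == "__main__":
    for check, detail in baseline_violations(SPEAKER_LIKE):
        print(f"{check}: {detail}")
```

Each of the three findings is enough on its own for a namespace enforcing `baseline` to reject the pod, which is why the event lists all of them together.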