Problem Description

Kubernetes has been deprecating API(s), which will be removed and are no longer available in 1.22. Operators projects using these APIs versions will not work on Kubernetes 1.22 or any cluster vendor using this Kubernetes version(1.22), such as OpenShift 4.9+. Following the APIs that are most likely your projects to be affected by:

• apiextensions.k8s.io/v1beta1: (Used for CRDs and available since v1.16)
• rbac.authorization.k8s.io/v1beta1: (Used for RBAC/rules and available since v1.8)
• admissionregistration.k8s.io/v1beta1 (Used for Webhooks and available since v1.16)

Therefore, looks like this project distributes solutions via the Red Hat Connect with the package name as sysdig-certified and does not contain any version compatible with k8s 1.22/OCP 4.9. Following some findings by checking the distributions published:

• sysdig-operator.v1.8.3: this distribution is using APIs which were deprecated and removed in v1.22. More info: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22. Migrate the API(s) for CRD: (["sysdigagents.sysdig.com"])

NOTE: The above findings are only about the manifests shipped inside of the distribution. It is not checking the codebase.

How to solve

It would be very nice to see new distributions of this project that are no longer using these APIs and so they can work on Kubernetes 1.22 and newer and published in the Red Hat Connect collection. OpenShift 4.9, for example, will not ship operators anymore that do still use v1beta1 extension APIs.

Due to the number of options available to build Operators, it is hard to provide direct guidance on updating your operator to support Kubernetes 1.22. Recent versions of the OperatorSDK greater than 1.0.0 and Kubebuilder greater than 3.0.0 scaffold your project with the latest versions of these APIs (all that is generated by tools only). See the guides to upgrade your projects with OperatorSDK Golang, Ansible, Helm or the Kubebuilder one. For APIs other than the ones mentioned above, you will have to check your code for usage of removed API versions and upgrade to newer APIs. The details of this depend on your codebase.

If this projects only need to migrate the API for CRDs and it was built with OperatorSDK versions lower than 1.0.0 then, you maybe able to solve it with an OperatorSDK version >= v0.18.x < 1.0.0:

$ operator-sdk generate crds --crd-version=v1
INFO[0000] Running CRD generator.
INFO[0000] CRD generation complete.

Alternatively, you can try to upgrade your manifests with controller-gen (version >= v0.4.1) :

If this project does not use Webhooks:

$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role paths="./..."

If this project is using Webhooks:

1. Add the markers sideEffects and admissionReviewVersions to your webhook (Example with sideEffects=None and admissionReviewVersions={v1,v1beta1}: memcached-operator/api/v1alpha1/memcached_webhook.go):

2. Run the command:

$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role webhook paths="./..."

For further info and tips see the blog.

Thank you for your attention.

On OpenShift the SysDig agent needs additional Security Context Constraints enabled. Namely that it needs to have privileged SCC add. Likely need to add this step to the operator.

oc adm policy add-scc-to-user privileged -n <namespace> -z <service account>

Hi

Having issues when enabling auditLog
Running sysdig AgentOperator 1.8.3 installed through OLM

➜ oc version
Client Version: openshift-clients-4.3.0-201910250623-88-g6a937dfe
Server Version: 4.4.3
Kubernetes Version: v1.17.1

You can find my yaml bellow:

apiVersion: sysdig.com/v1
kind: SysdigAgent
metadata:
  name: sysdigagent
  namespace: sysdig
spec:
  auditLog:
    dynamicBackend:
      enabled: true
    enabled: true
  daemonset:
    annotations:
      productID: SysdigSecureDevopsPlatform
      productName: Sysdig Secure DevOps Platform
      productVersion: 1.8.3
  ebpf:
    enabled: false
  scc:
    create: true
  sysdig:
    accessKey: super-secret-accessKey

Operator log output

I0731 12:30:41.363001       1 request.go:621] Throttling request took 1.042689163s, request: GET:https://172.30.0.1:443/apis/config.openshift.io/v1?timeout=32s
{"level":"error","ts":1596198647.7328732,"logger":"helm.controller","msg":"Release failed","namespace":"sysdig","name":"sysdig-agent","apiVersion":"sysdig.com/v1","kind":"SysdigAgent","release":"sysdig-agent","error":"failed to update release: failed to create resource: AuditSink.auditregistration.k8s.io \"sysdig-agent\" is invalid: spec.webhook.clientConfig.service.path: Invalid value: \"/k8s_audit\": segment[0]: a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\tpkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/helm/controller.HelmOperatorReconciler.Reconcile\n\tsrc/github.com/operator-framework/operator-sdk/pkg/helm/controller/reconcile.go:247\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"}

{"level":"error","ts":1596198647.7984922,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"sysdigagent-controller","request":"sysdig/sysdig-agent","error":"failed to update release: failed to create resource: AuditSink.auditregistration.k8s.io \"sysdig-agent\" is invalid: spec.webhook.clientConfig.service.path: Invalid value: \"/k8s_audit\": segment[0]: a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\tpkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"}

The latest version on redhat openshift catlog is 1.12.42, but the master branch version has 1.12.40
https://github.com/sysdiglabs/sysdig-operator/blob/master/Makefile#L6
Did you miss bumping the version in the previous merge? Or is there some other repo from where the source comes from?

Can we give access only to required apiGroups, resources and verbs instead of * ?

$oc get clusterroles sysdig-certified.v1.12.42-7db847857b -o=jsonpath='{.rules[0]}' 
{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}

Hi,

I wanted to play around with this a bit, and ran into the fact that this repo contains much newer code than what is available on helm.sh and operatorhub.io. Any chance those repos might get a push of a newer version of this operator?

Hello. When navigating to Openshift>Operators and then selecting the "SysDig Operator" to install. The installation seems to do just fine. But i notice when I navigate to the operator and SysDig Agent attached. It is showing "Chart value "image.Override" overriden by "watches.yaml".

How can this be resolved? I attempted a manual install to the cluster but that also did not work as it complained about an "unsupported OS". The route I would like to take here is simply selecting the Operator within OpenShift and having the SysDig Agent spin up correctly. Attached is a screenshot.

Potential steps to mitigation..

Locate the watches.yaml file: Identify the location of the watches.yaml file in your project or deployment. This file is typically used to define watches or triggers for the operator to perform certain actions based on specific events.

Check the watches.yaml file: Open the watches.yaml file and review its contents. Look for any entries related to the "image.overrideValue" or the chart that you are working with.

Adjust the watches.yaml configuration: Modify the watches.yaml file to ensure that it aligns with your desired configuration. If you want to use a specific value for "image.overrideValue" defined within your chart, ensure that the watches.yaml file does not override or conflict with it.

Update the operator: Apply the changes you made to the watches.yaml file to the operator or the deployment that is using it. Depending on the context, you may need to redeploy or restart the operator to apply the updated configuration.