Why is my Portieris cluster image security enforcement installation canceled?
Virtual Private Cloud Classic infrastructure
The Portieris image security enforcement add-on does not install. You see a master status similar to the following:
Image security enforcement update cancelled. CAE008: can't enable Portieris image security enforcement because the cluster already has a conflicting image admission controller installed. For more information, see the troubleshooting docs: 'https://ibm.biz/portieris_enable'
Your cluster has a conflicting image admission controller already installed, which prevents the image security enforcement cluster add-on from installing.
When you have more than one image admission controller in your cluster, pods might not run.
Potential conflicting image admission controller sources include:
- The deprecated container image security enforcement Helm chart.
- A previous manual installation of the open source Portieris project.
Identify and remove the conflicting image admission controller.
- Check for existing image admission controllers.
  - Check if you have an existing container image security enforcement deployment in your cluster. If no output is returned, you don't have the deployment.
    oc get deploy cise-ibmcloud-image-enforcement -n ibm-system
    Example output
    NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
    cise-ibmcloud-image-enforcement   3/3     3            3           129m
  - Check if you have an existing Portieris deployment in your cluster. If no output is returned, you don't have the deployment.
    oc get deployment --all-namespaces -l app=portieris
    Example output
    NAMESPACE   NAME        READY   UP-TO-DATE   AVAILABLE   AGE
    portieris   portieris   3/3     3            3           8m8s
- Uninstall the conflicting deployment.
    oc delete deployment <deployment> -n <namespace>
- Confirm that conflicting admission controllers are removed by checking that the cluster no longer has a mutating webhook configuration for an image admission controller.
    oc get MutatingWebhookConfiguration image-admission-config
    Example output
    Error from server (NotFound): mutatingwebhookconfigurations.admissionregistration.k8s.io "image-admission-config" not found
- Retry installing the add-on by running the following command.
    ibmcloud oc cluster image-security enable
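The checks in the steps above can be combined into one pre-check to run before you retry the add-on. This is an added example, not part of the original documentation; the function name is hypothetical, and it assumes that a manual Portieris installation carries the label app=portieris.

```shell
#!/bin/sh
# Added example: list every conflicting image admission controller resource
# that the troubleshooting steps look for. Requires a logged-in `oc` CLI.

# Prints one line per conflicting resource; returns 1 if any were found.
find_image_admission_conflicts() {
    found=0

    # Deployment left by the deprecated container image security
    # enforcement Helm chart.
    if oc get deploy cise-ibmcloud-image-enforcement -n ibm-system >/dev/null 2>&1; then
        echo "deployment ibm-system/cise-ibmcloud-image-enforcement"
        found=1
    fi

    # Manual Portieris installations in any namespace (assumed label:
    # app=portieris). Empty output means no such deployment exists.
    portieris=$(oc get deployment --all-namespaces -l app=portieris \
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}' \
        2>/dev/null) || portieris=""
    for d in $portieris; do
        echo "deployment $d"
        found=1
    done

    # Webhook registration that must be gone before the add-on can install.
    # It can outlive the deployment, so check it separately.
    if oc get MutatingWebhookConfiguration image-admission-config >/dev/null 2>&1; then
        echo "mutatingwebhookconfiguration image-admission-config"
        found=1
    fi

    return "$found"
}
```

Source the file and call find_image_admission_conflicts; a non-zero exit status means at least one listed resource still has to be removed before you run the enable command again.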