IBM Cloud Docs
Why is my Portieris cluster image security enforcement installation canceled?

Virtual Private Cloud Classic infrastructure

The Portieris image security enforcement add-on does not install. You see a master status similar to the following:

Image security enforcement update cancelled. CAE008: can't enable Portieris image security enforcement because the cluster already has a conflicting image admission controller installed. For more information, see the troubleshooting docs: 'https://ibm.biz/portieris_enable'

Your cluster has a conflicting image admission controller already installed, which prevents the image security enforcement cluster add-on from installing.

When you have more than one image admission controller in your cluster, pods might not run.

Potential conflicting image admission controller sources include:

  • The deprecated container image security enforcement Helm chart.
  • A previous manual installation of the open source Portieris project.

Identify and remove the conflicting image admission controller.

  1. Check for existing image admission controllers.

    • Check if you have an existing container image security enforcement deployment in your cluster. If no output is returned, you don't have the deployment.
      oc get deploy cise-ibmcloud-image-enforcement -n ibm-system
      
      Example output
      NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
      cise-ibmcloud-image-enforcement   3/3     3            3           129m
      
    • Check if you have an existing Portieris deployment in your cluster. If no output is returned, you don't have the deployment.
      oc get deployment --all-namespaces -l app=portieris
      
      Example output
      NAMESPACE     NAME        READY   UP-TO-DATE   AVAILABLE   AGE
      portieris     portieris   3/3     3            3           8m8s
      
  2. Uninstall the conflicting deployment.

    oc delete deployment <deployment> -n <namespace>
    
  3. Confirm that conflicting admission controllers are removed by checking that the cluster no longer has a mutating webhook configuration for an image admission controller.

    oc get MutatingWebhookConfiguration image-admission-config
    

    Example output

    Error from server (NotFound): mutatingwebhookconfigurations.admissionregistration.k8s.io "image-admission-config" not found
    
  4. Retry installing the add-on by running the ibmcloud oc cluster image-security enable command.
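
The checks from steps 1 through 3 combined into one preflight script, as an added example that is not part of the original IBM documentation. The function names are hypothetical, and the label app=portieris is an assumption based on the deployment name in the example output.

```shell
#!/bin/sh
# Added example: preflight before retrying the add-on install.
# Function names are hypothetical; resource names come from the steps above.

# Prints one "<kind> <namespace> <name>" line per conflicting object.
# Returns 2 when a query itself fails (not logged in, no permission), so an
# API error is never read as "no output, so no conflict".
find_image_admission_conflicts() {
    cise=$(oc get deploy cise-ibmcloud-image-enforcement -n ibm-system \
        --ignore-not-found --no-headers) || return 2
    # Assumption: the Portieris deployment carries the label app=portieris.
    port=$(oc get deployment --all-namespaces -l app=portieris \
        --no-headers) || return 2
    hook=$(oc get MutatingWebhookConfiguration image-admission-config \
        --ignore-not-found --no-headers) || return 2

    # Single-namespace output starts with the NAME column.
    [ -n "$cise" ] && printf '%s\n' "$cise" |
        awk '{ print "deployment ibm-system " $1 }'
    # --all-namespaces output starts with NAMESPACE, then NAME.
    [ -n "$port" ] && printf '%s\n' "$port" |
        awk '{ print "deployment " $1 " " $2 }'
    # Webhook configurations are cluster-scoped, so there is no namespace.
    [ -n "$hook" ] && printf '%s\n' "$hook" |
        awk '{ print "mutatingwebhookconfiguration - " $1 }'
    return 0
}

# Returns 0 = safe to retry, 1 = conflicts remain, 2 = could not query.
preflight_image_security() {
    conflicts=$(find_image_admission_conflicts) || {
        echo "Could not query the cluster; check your oc login." >&2
        return 2
    }
    if [ -n "$conflicts" ]; then
        printf 'Conflicting image admission objects remain:\n%s\n' "$conflicts" >&2
        return 1
    fi
    echo "No conflicts found. Retry: ibmcloud oc cluster image-security enable"
}

# Run the check only when called as: sh preflight.sh run
if [ "${1:-}" = run ]; then
    preflight_image_security
fi
```

A webhook configuration that is still present after its deployment was deleted is reported as a conflict, which is the case step 3 is meant to catch.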