Problem
The kommander migrate command fails with the following error:
✓ Ensuring Kommander App Management is deployed
✓ Ensuring Konvoy Config is migrated
✓ Ensuring Custom Certificate is deployed
custom certificate is not in use, skipping custom certificate migration step
⢎⡠ Ensuring Traefik ingress controller is migrated
I0404 12:45:02.076100 2911116 request.go:665] Waited for 1.052845273s due to client-side throttling, not priority and fairness, request: GET:https://10.95.3.5:6443/apis/admissionregistration.k8s.io/v1?timeout=32s
✓ Ensuring Traefik ingress controller is migrated
traefik appdeploymnet ensured
Waiting for Traefik HelmRelease to become ready with timeout 5m0s
traefik forwarding rules are enabled
endpoints synchronization controller Helm chart is installed
Waiting for ses-controller HelmRelease to become ready with timeout 5m0s
Primary LB address is 10.95.3.19, secondary LB address is poc3.kaas.lu
Retrieving certificate kommander/kommander-traefik
Primary LB address has been found in certificate's SAN names
Secondary LB address has been found in certificate's SAN names
10.95.3.19 LB address has been found in primary LB's certificate's SAN names
poc3.kaas.lu LB address has been found in secondary LB's certificate's SAN names
10.95.3.19 LB address has been found in primary LB's certificate's SAN names
poc3.kaas.lu LB address has been found in secondary LB's certificate's SAN names
✗ Ensuring Gatekeeper is migrated
Error: failed to ensure "Gatekeeper is migrated": unable to apply migration patches: could not ensure resources defined in manifests/gatekeeper appdeployment: callback returned an error: failed to patch resource gatekeeper-admin (policy/v1beta1, Kind=PodSecurityPolicy): PodSecurityPolicy.extensions "gatekeeper-admin" is invalid: [spec.runAsUser.rule: Unsupported value: "": supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny", spec.seLinux.rule: Unsupported value: "": supported values: "MustRunAs", "RunAsAny", spec.supplementalGroups.rule: Unsupported value: "": supported values: "MayRunAs", "MustRunAs", "RunAsAny", spec.fsGroup.rule: Unsupported value: "": supported values: "MayRunAs", "MustRunAs", "RunAsAny"]
Solution
Make sure that you installed Gatekeeper to v1.8.X before performing the migration.
If you are in the middle of the migration, you can try the following:
- Enable the Gatekeeper kubeaddon in the cluster.yaml file.
- Run the konvoy deploy addons command.
- Repeat the kommander migrate command.
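
A pre-flight check for the first step above, confirming that the gatekeeper entry in cluster.yaml is enabled before you run konvoy deploy addons. This is an added example, not part of the original article or of the Konvoy tooling; it assumes addons are listed as "- name: <addon>" entries each followed by an "enabled: true|false" line, and the function names and sample file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: cluster.yaml lists addons as "- name: <addon>" entries,
# each followed by its own "enabled: true|false" line.

# gatekeeper_enabled FILE
# Returns 0 if the gatekeeper addon entry is set to enabled: true, 1 otherwise.
gatekeeper_enabled() {
    awk '
        /^[ \t]*-[ \t]*name:/ {
            # Start of an addon entry: extract its name, dropping
            # trailing comments and double quotes.
            name = $0
            sub(/^[ \t]*-[ \t]*name:[ \t]*/, "", name)
            sub(/[ \t]*(#.*)?$/, "", name)
            gsub(/"/, "", name)
            in_gk = (name == "gatekeeper")
            next
        }
        # Any other list item ends the current addon entry.
        /^[ \t]*-[ \t]/ { in_gk = 0 }
        in_gk && /^[ \t]*enabled:[ \t]*true[ \t]*(#.*)?$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input (not a real cluster.yaml): gatekeeper is disabled.
sample_cluster_yaml() {
    cat <<'EOF'
kind: ClusterConfiguration
spec:
  addons:
  - addonsList:
    - name: traefik
      enabled: true
    - name: gatekeeper
      enabled: false
EOF
}

# Usage: sh check_gatekeeper.sh cluster.yaml
if [ -n "${1:-}" ]; then
    if gatekeeper_enabled "$1"; then
        echo "gatekeeper is enabled in $1"
    else
        echo "gatekeeper is NOT enabled in $1; enable it before migrating" >&2
    fi
fi
```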