Why is my Portieris cluster image security enforcement installation canceled?

Virtual Private Cloud, Classic infrastructure

The Portieris image security enforcement add-on does not install. You see a master status similar to the following:

Image security enforcement update canceled. CAE008: can't enable Portieris image security enforcement because the cluster already has a conflicting image admission controller installed. For more information, see the troubleshooting docs: 'https://ibm.biz/portieris_enable'

Your cluster has a conflicting image admission controller already installed, which prevents the image security enforcement cluster add-on from installing.

When you have more than one image admission controller in your cluster, pods might not run.

Potential conflicting image admission controller sources include:

  • The deprecated container image security enforcement Helm chart.
  • A previous manual installation of the open source Portieris project.

Identify and remove the conflicting image admission controller.

  1. Check for existing image admission controllers.

    • Check if you have an existing container image security enforcement deployment in your cluster. If no output is returned, you don't have the deployment.
      oc get deploy cise-ibmcloud-image-enforcement -n ibm-system
      
      Example output
      NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
      cise-ibmcloud-image-enforcement   3/3     3            3           129m
      
    • Check if you have an existing Portieris deployment in your cluster. If no output is returned, you don't have the deployment.
      oc get deployment --all-namespaces -l app=portieris
      
      Example output
      NAMESPACE     NAME        READY   UP-TO-DATE   AVAILABLE   AGE
      portieris     portieris   3/3     3            3           8m8s
      
  2. Uninstall the conflicting deployment.

    oc delete deployment <deployment> -n <namespace>
    
  3. Confirm that conflicting admission controllers are removed by checking that the cluster no longer has a mutating webhook configuration for an image admission controller.

    oc get MutatingWebhookConfiguration image-admission-config
    

    Example output

    Error from server (NotFound): mutatingwebhookconfigurations.admissionregistration.k8s.io "image-admission-config" not found
    
  4. Retry installing the add-on by running the ibmcloud oc cluster image-security enable command.
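
The checks from steps 1 and 3 can be combined into one pre-flight function that you run before you retry the add-on. This is an added example, not part of the original documentation; the function name and the CONFLICT output format are assumptions, and it assumes that you are logged in to the cluster with the oc CLI.

```shell
#!/bin/sh
# Added example, not from the original documentation. It runs the checks
# from steps 1 and 3 and reports every conflicting image admission controller.

# Prints one CONFLICT line per finding. Returns 0 when the cluster is clean,
# 1 when a conflict remains, 2 when the cluster cannot be queried.
check_image_admission_conflicts() {
  conflicts=0

  # An unauthenticated session returns empty output, which would look clean.
  if ! oc whoami >/dev/null 2>&1; then
    echo "Cannot query the cluster. Log in with oc first." >&2
    return 2
  fi

  # Step 1: deprecated container image security enforcement Helm chart.
  cise=$(oc get deploy cise-ibmcloud-image-enforcement -n ibm-system \
    --ignore-not-found -o name)
  if [ -n "$cise" ]; then
    echo "CONFLICT ibm-system/$cise"
    conflicts=$((conflicts + 1))
  fi

  # Step 1: manually installed Portieris, in any namespace.
  portieris=$(oc get deployment --all-namespaces -l app=portieris \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}')
  for deployment in $portieris; do
    echo "CONFLICT $deployment"
    conflicts=$((conflicts + 1))
  done

  # Step 3: the webhook configuration must be gone before you retry.
  hook=$(oc get MutatingWebhookConfiguration image-admission-config \
    --ignore-not-found -o name)
  if [ -n "$hook" ]; then
    echo "CONFLICT $hook"
    conflicts=$((conflicts + 1))
  fi

  [ "$conflicts" -eq 0 ]
}

# Run the check only where the oc CLI is installed.
if command -v oc >/dev/null 2>&1; then
  check_image_admission_conflicts &&
    echo "No conflict found. Retry: ibmcloud oc cluster image-security enable"
fi
```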