IBM Multicloud Manager known issues and limitations

Review the known issues for IBM Multicloud Manager. Additionally, see IBM Multicloud Manager troubleshooting for troubleshooting topics.

Cannot create a Helm release on a managed cluster

You are unable to deploy Helm charts that contain images on a managed cluster. To fix this error, you must configure ClusterImagePolicy. Use the following YAML to configure ClusterImagePolicy:

    apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
    kind: ClusterImagePolicy
    metadata:
      annotations:
        helm.sh/hook: post-install
        helm.sh/hook-weight: "1"
      name: ibmcloud-default-cluster-image-policy
    spec:
      repositories:
      - name: <repo_name>

Applications fail to install during Helm deployment

Applications fail to install during deployment when the ClusterImagePolicy is not configured.

Note: Be sure to configure ClusterImagePolicy. View the Cannot create a Helm release on a managed cluster section for information about configuring the policy.

To fix this error, reinstall your application by completing the following steps:

  1. Verify the status of your application by running the following command:

    helm list --tls
    
  2. To delete your application, run the following command:

    helm delete releaseName --purge
    
  3. Locate the ClusterImagePolicy that you need to edit to push your images to your application. Run the following command:

    kubectl get clusterimagepolicy
    
  4. Edit the ClusterImagePolicy by running the following command:

    kubectl edit clusterimagepolicy <policyname>
    
  5. Reinstall your application. Run the following command:

    helm install chartName
    

For more details, see the Helm community issue.
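
A pre-deployment check for the two issues above, added here as an example and not IBM's or Helm's code: it lists the images in rendered chart output (for example, from `helm template`) that no `spec.repositories` name pattern in the ClusterImagePolicy covers. The matching rules, sample patterns and sample manifest are assumptions constructed for illustration.

```python
import re

# Assumed matching rules (not taken from the page): "*" is the only wildcard and
# matches any run of characters; names are compared without tag or digest;
# images without a registry host are treated as Docker Hub images.
def normalize_image(image):
    image = image.split("@", 1)[0]                 # drop digest
    if ":" in image.rsplit("/", 1)[-1]:            # drop tag, keep registry port
        image = image[: image.rfind(":")]
    first = image.split("/", 1)[0]
    has_host = "/" in image and ("." in first or ":" in first or first == "localhost")
    if not has_host:
        image = "docker.io/" + (image if "/" in image else "library/" + image)
    return image

def images_in_manifest(manifest_text):
    """Collect every `image:` value from rendered Kubernetes YAML."""
    found = re.findall(r"^\s*-?\s*image:[ \t]*[\"']?([^\"'\s#]+)", manifest_text, re.M)
    return sorted(set(found))

def uncovered_images(manifest_text, repositories):
    """Return images that no spec.repositories[].name pattern matches."""
    rules = [re.compile(".*".join(map(re.escape, r.split("*"))) + r"\Z")
             for r in repositories]
    return [img for img in images_in_manifest(manifest_text)
            if not any(rule.match(normalize_image(img)) for rule in rules)]

# Constructed sample: repository patterns and rendered chart output.
SAMPLE_REPOSITORIES = ["mycluster.icp:8500/default/*", "docker.io/ibmcom/*"]
SAMPLE_MANIFEST = """\
kind: Deployment
spec:
  template:
    spec:
      initContainers:
      - image: busybox:1.31
        name: init
      containers:
      - name: web
        image: "mycluster.icp:8500/default/web:1.0"
      - name: sidecar
        image: ibmcom/sidecar@sha256:0000
"""

if __name__ == "__main__":
    for image in uncovered_images(SAMPLE_MANIFEST, SAMPLE_REPOSITORIES):
        print("not allowed by policy:", image)
```

Any image that the check reports needs a matching entry under `spec.repositories` before you run `helm install`.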

Helm release does not appear for 3.2.0 managed cluster

If you configure a 3.2.0 managed cluster on an IBM Cloud Private 3.2.1 hub cluster, the hub cluster does not display Helm releases for your managed cluster on the Helm Release page or on the Search page.

To fix the error, complete the following procedure:

  1. Log in to your managed cluster and patch the secret with the following command:

    kubectl patch secret multicluster-endpoint-tiller-client-certs -n multicluster-endpoint --type='json' -p='[{"op":"add","path":"/data/ca.crt","value":"'$(kubectl get secret -n kube-system cluster-ca-cert -o jsonpath={.data.tls\\.crt})'"}]'
    
  2. Restart the search-collector pod. To restart the search-collector pod, delete the pod with the name multicluster-endpoint-search-collector-<pod-name>. Kubernetes restarts the pod.

Missing data in Grafana for OpenShift

If any of your managed clusters are OpenShift Container Platform clusters, data for the clusters can be missing within the Grafana dashboard for cluster monitoring.

Subscription status remains healthy when deployable source is deleted

If a deployable that was deployed to a managed cluster through a subscription is deleted from the source location where it was stored, the deployable is not removed from the managed cluster. For instance, if a Helm release is deleted from the Helm repository, the Helm release is not removed from the managed cluster and continues to work. The deleted deployable remains on the managed cluster until the associated subscription is deleted or updated to replace the deployable.

ObjectBucket channels support including only one resource in each object

When you include resources in the object store, do not include multiple resources in a single object. Object stores are used to store Kubernetes resource YAML files as objects. These files define the Kubernetes resource without wrapping the resource. To include these objects in a channel, each file can define only a single Kubernetes resource.
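
One way to check objects before you upload them to an object store, as an added example that is not part of the product: it reports each object that defines more than one top-level Kubernetes resource. The object names and YAML content are constructed samples.

```python
import re

DOC_SEPARATOR = re.compile(r"^---(?:[ \t]+.*)?\r?$", re.M)  # "---" at column 0
TOP_LEVEL_KIND = re.compile(r"^kind:[ \t]*(\S+)", re.M)     # unindented kind only

def resources_in_object(yaml_text):
    """Return the kind of each resource defined at the top level of one object."""
    kinds = []
    for document in DOC_SEPARATOR.split(yaml_text):
        match = TOP_LEVEL_KIND.search(document)
        if match:                      # skips empty and comment-only documents
            kinds.append(match.group(1))
    return kinds

def objects_to_split(objects):
    """Map object name -> kinds, for objects that hold more than one resource."""
    report = {}
    for name, text in objects.items():
        kinds = resources_in_object(text)
        if len(kinds) > 1:
            report[name] = kinds
    return report

# Constructed sample objects.
SAMPLE_OBJECTS = {
    "rolebinding.yaml": (
        "# single resource; the nested roleRef kind is indented and ignored\n"
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: RoleBinding\n"
        "metadata:\n  name: read-pods\n"
        "roleRef:\n  kind: Role\n  name: pod-reader\n"
    ),
    "bundle.yaml": (
        "---\napiVersion: v1\nkind: Service\nmetadata:\n  name: web\n"
        "--- # second document\n"
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n"
    ),
}

if __name__ == "__main__":
    for name, kinds in objects_to_split(SAMPLE_OBJECTS).items():
        print(name, "defines", len(kinds), "resources:", ", ".join(kinds))
```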

Resource count for an application is different than the resource count for application channels

From the management console Application page, when you view the Resource highlights for an application, the total number of resources for the Resource summary can be different than the number of resources that is shown in the Resources by channel charts.

When the resources are counted for the Resources by channel chart, the number of related resources for the subscriptions that are associated with the application is counted. Resources that can be related to multiple subscriptions, such as Helm releases, are counted separately for each subscription. This count can result in a higher total of resources for the Resources by channel chart.

Security findings data causes the management console to time out

When you click the Security findings tab from the IBM Cloud Private management console, a timeout error is returned. The Security Advisor legato microservice is not returning the data quickly.

Update your security findings retention policy to resolve this issue. For more information, see the Security findings data retention policy in IBM Cloud Private security findings.

Remediation field is empty

The Remediation field in the detail panel for security findings becomes empty for all of your policies that are associated with your cluster. The Remediation field becomes empty for the following reasons:

Permission issue with Docker Version 18.03 with Ubuntu 16.04 LTS

If you use Docker Version 18.03 or higher with Ubuntu 16.04 LTS, containers that run as non-root might have permission issues. This issue appears to be due to a problem between the overlay storage driver and the kernel.

Visual Web Terminal is not working in the Microsoft Edge browser

The Visual Web Terminal does not load in the Microsoft™ Edge browser. You can use the Chrome or Firefox browsers to use the Visual Web Terminal.

Hub cluster resources display as local-cluster in management console search results

Search returns and lists each cluster with the resource that you search. For resources in the hub cluster, the cluster name is displayed as local-cluster.

Mapping error for a certificate policy

When you create a certificate policy without a certificate policy controller for a third-party cluster, you might receive the following violation message:

   mapping error from raw object: no matches for kind "CertificatePolicy" in version "policies.ibm.com/v1alpha1"

You must unbind the certificate policy from your third-party cluster. Complete the following steps to unbind each of your certificate policies:

  1. Log in to your IBM Multicloud Manager hub cluster.

  2. From the navigation menu, click Automate infrastructure > Clusters.

  3. Create a unique label for each of your clusters with IBM Multicloud Manager services installed. Select the Options icon > Edit Labels.

  4. Add a new label for each of your clusters with IBM Multicloud Manager services installed by selecting the Add icon. For example, create the following label:

    cloud = common services
    
  5. From the navigation menu, click Govern risk > Policies tab to view your policies.

  6. Edit your certificate policy by updating the placement policy. Update the spec.clusterLabels parameter by removing and adding labels. Your placement policy might resemble the following content:

    spec:
      clusterLabels:
        matchExpressions:
          - key: cloud
            operator: In
            values:
              - common-services
    

Your certificate policies are unbound from your third-party clusters.
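
To preview which clusters stay bound after the placement edit, this added example (not product code) evaluates the `matchExpressions` from step 6 against cluster labels. It assumes standard Kubernetes label-selector semantics; the cluster names and labels are constructed.

```python
def expression_matches(expression, labels):
    """Evaluate one matchExpressions entry against a cluster's labels."""
    key = expression["key"]
    operator = expression["operator"]
    values = expression.get("values", [])
    if operator == "In":
        return key in labels and labels[key] in values
    if operator == "NotIn":
        return key not in labels or labels[key] not in values
    if operator == "Exists":
        return key in labels
    if operator == "DoesNotExist":
        return key not in labels
    raise ValueError("unsupported operator: " + operator)

def placement_preview(cluster_labels, match_expressions):
    """Return (bound, unbound) cluster names; all expressions must match."""
    bound, unbound = [], []
    for name in sorted(cluster_labels):
        labels = cluster_labels[name]
        selected = all(expression_matches(e, labels) for e in match_expressions)
        (bound if selected else unbound).append(name)
    return bound, unbound

# The selector from the placement policy in step 6.
SAMPLE_EXPRESSIONS = [
    {"key": "cloud", "operator": "In", "values": ["common-services"]},
]

# Constructed cluster inventory: two clusters carry the new label, the
# third-party cluster does not.
SAMPLE_CLUSTERS = {
    "managed-1": {"cloud": "common-services", "environment": "Dev"},
    "managed-2": {"cloud": "common-services", "environment": "Prod"},
    "third-party-1": {"cloud": "Other", "environment": "Prod"},
}

if __name__ == "__main__":
    bound, unbound = placement_preview(SAMPLE_CLUSTERS, SAMPLE_EXPRESSIONS)
    print("policy stays bound to:", ", ".join(bound))
    print("policy is unbound from:", ", ".join(unbound))
```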

Image security enforcement is only supported by IBM Multicloud Manager registries

When you enable Vulnerability Advisor (VA) scanning in the ImagePolicy and ClusterImagePolicy specification, you are unable to create workloads in the associated namespaces. The VA scanning integration with image security enforcement only supports the built-in IBM Multicloud Manager registry. For more information, see Scanning an image registry with the Vulnerability Advisor (VA).