antctl check cluster doesn't work on OpenShift cluster #6596

Open
luolanzone opened this issue Aug 8, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

luolanzone commented Aug 8, 2024

I was trying 'antctl check cluster' in an OCP 4.16 cluster and found the following errors:

$antctl check cluster
[lan-ocp416-antrea-11] Creating Namespace antrea-test-u6k5i for pre installation tests...
[lan-ocp416-antrea-11] Creating Deployment
[lan-ocp416-antrea-11] Waiting for Deployment to become ready
[lan-ocp416-antrea-11] Waiting for Deployment cluster-checker to become ready...
Error: error while waiting for Deployment to become ready: waiting for Deployment cluster-checker to become ready has been interrupted: error checking readiness of Deployment cluster-checker: client rate limiter Wait returned an error: rate: Wait(n=1) would exceed context deadline

And after checking the logs in the K8s API server, it looks like it's forbidden to create a deployment from antctl:

E0808 03:26:39.446753      15 patch_podspecextractor.go:100] "failed to mutate object for PSA using SCC" err="pods \"pod-for-container-named-cluster-checker-c487c846b\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used, provider restricted-v2: .containers[0].capabilities.add: Invalid value: \"SYS_MODULE\": capability may not be added, provider restricted-v2: .containers[0].hostNetwork: Invalid value: true: Host network is not allowed to be used, provider \"restricted\": Forbidden: not usable by user or serviceaccount, provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"
E0808 03:26:39.446922      15 patch_podspecextractor.go:101] failed to mutate object for PSA using SCC: pods "pod-for-container-named-cluster-checker-c487c846b" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, provider restricted-v2: .containers[0].capabilities.add: Invalid value: "SYS_MODULE": capability may not be added, provider restricted-v2: .containers[0].hostNetwork: Invalid value: true: Host network is not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
@luolanzone luolanzone added the kind/bug Categorizes issue or PR as related to a bug. label Aug 8, 2024
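
Added example (not part of the original issue or of Antrea's code): a Python parser for the SCC denial message above that separates the SCCs the requester is not allowed to use from the field-level violations reported by the SCC that was actually evaluated. `SAMPLE` is a shortened copy of the first log line in the issue, and the function and variable names are hypothetical.

```python
import re

# Shortened copy of the API server log line from the issue (escaped-quote klog
# form); only some of the providers are kept to make the sample readable.
SAMPLE = (
    r'E0808 03:26:39.446753 15 patch_podspecextractor.go:100] "failed to mutate object for PSA using SCC" '
    r'err="pods \"pod-for-container-named-cluster-checker-c487c846b\" is forbidden: unable to validate '
    r'against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or '
    r'serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: '
    r'Host network is not allowed to be used, spec.volumes[0]: Invalid value: \"hostPath\": hostPath '
    r'volumes are not allowed to be used, provider restricted-v2: .containers[0].capabilities.add: '
    r'Invalid value: \"SYS_MODULE\": capability may not be added, provider \"privileged\": Forbidden: '
    r'not usable by user or serviceaccount]"'
)

_LIST = re.compile(r"unable to validate against any security context constraint: \[(.*)\]")
_PROVIDER = re.compile(r'^provider "?([\w.-]+)"?: (.*)$')
_FIELD = re.compile(r'^\.?([\w.\[\]]+): Invalid value: (.+?): (.+)$')


def parse_scc_denial(line):
    """Return (not_usable, violations).

    not_usable: SCC names the user/service account is not allowed to use.
    violations: {scc: [(field, value, reason), ...]} for SCCs that were
                evaluated and rejected the pod spec.
    """
    # Normalise the escaped quotes of the structured klog form.
    m = _LIST.search(line.replace('\\"', '"'))
    if not m:
        return [], {}
    not_usable, violations, current = [], {}, None
    for item in m.group(1).split(", "):
        p = _PROVIDER.match(item)
        if p:
            # Items without a "provider" prefix belong to the previous provider.
            current, item = p.group(1), p.group(2)
        if item.startswith("Forbidden: not usable"):
            not_usable.append(current)
            continue
        f = _FIELD.match(item)
        if f and current:
            # The leading dot some field paths carry is dropped for consistency.
            violations.setdefault(current, []).append(
                (f.group(1), f.group(2).strip('"'), f.group(3)))
    return not_usable, violations
```

Run over the full log line, this shows that only `restricted-v2` was evaluated against the pod and that every SCC permitting host networking, hostPath volumes or added capabilities was reported as not usable by the requesting user or service account.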