Bug 1318944

Summary: Should remove EMPTYDIR related scc context in online
Product: OpenShift Online
Reporter: Chao Yang <chaoyang>
Component: Pod
Assignee: Devan Goodwin <dgoodwin>
Status: CLOSED CURRENTRELEASE
QA Contact: DeShuai Ma <dma>
Severity: medium
Priority: medium
Version: 3.x
CC: abhgupta, aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 3.2.0.1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-23 15:10:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Chao Yang 2016-03-18 08:42:33 UTC
Description of problem:
According to https://github.com/openshift/openshift-docs/pull/1760, the emptydir related scc field should be removed from scc/restricted

Version-Release number of selected component (if applicable):
dev-preview-int

How reproducible:
Always

Steps to Reproduce:
1. [root@dev-preview-int-master-d0106 ~]# oc get scc restricted
NAME         PRIV      CAPS      HOSTDIR   EMPTYDIR   SELINUX     RUNASUSER        FSGROUP    SUPGROUP   PRIORITY
restricted   false     []        false     true       MustRunAs   MustRunAsRange   RunAsAny   RunAsAny   <none>
[root@dev-preview-int-master-d0106 ~]# oc get scc restricted -o json
{
    "kind": "SecurityContextConstraints",
    "apiVersion": "v1",
    "metadata": {
        "name": "restricted",
        "selfLink": "/api/v1/securitycontextconstraints/restricted",
        "uid": "a8e0b195-e4b7-11e5-a28d-0aa949b0be09",
        "resourceVersion": "78",
        "creationTimestamp": "2016-03-07T22:55:16Z",
        "annotations": {
            "kubernetes.io/description": "restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace.  This is the most restrictive SCC."
        }
    },
    "priority": null,
    "allowPrivilegedContainer": false,
    "defaultAddCapabilities": null,
    "requiredDropCapabilities": [
        "KILL",
        "MKNOD",
        "SYS_CHROOT",
        "SETUID",
        "SETGID"
    ],
    "allowedCapabilities": null,
    "allowHostDirVolumePlugin": false,
    "allowEmptyDirVolumePlugin": true,
    "allowHostNetwork": false,
    "allowHostPorts": false,
    "allowHostPID": false,
    "allowHostIPC": false,
    "seLinuxContext": {
        "type": "MustRunAs"
    },
    "runAsUser": {
        "type": "MustRunAsRange"
    },
    "supplementalGroups": {
        "type": "RunAsAny"
    },
    "fsGroup": {
        "type": "RunAsAny"
    },
    "groups": [
        "system:authenticated"
    ]
}


Actual results:
"allowEmptyDirVolumePlugin": true exists in scc/restricted

Expected results:
"allowEmptyDirVolumePlugin": true should be removed from scc/restricted

Additional info:

Comment 1 Devan Goodwin 2016-03-18 13:23:56 UTC
This feature is already removed in origin as of 355776169d2184eadbcbb443342f4668e83e13c2 which was merged on March 5, and did not make it to any released version of origin or OSE.

Could anyone confirm the version of code deployed in the dev-preview-int environment?

After the next environment refresh it should disappear from the CLI output; it might remain as an extraneous field in etcd, but nothing will be enforcing or using it.

Comment 2 Abhishek Gupta 2016-03-24 18:45:00 UTC
The INT rebuild is currently ongoing and, once ready, should have this addressed.

Comment 3 Abhishek Gupta 2016-03-29 00:25:29 UTC
The INT rebuild is complete and this should now be fixed in INT.

Comment 4 Chao Yang 2016-03-29 02:06:54 UTC
This is fixed on INT env
oc v3.2.0.6
kubernetes v1.2.0-36-g4a3f9c5
Docker version 1.9.1, build 78ee77d/1.9.1
kernel 3.10.0-327.10.1.el7.x86_64

[root@dev-preview-int-master-21eb2 ~]# oc get scc restricted
NAME         PRIV      CAPS      HOSTDIR   SELINUX     RUNASUSER        FSGROUP     SUPGROUP   PRIORITY
restricted   false     []        false     MustRunAs   MustRunAsRange   MustRunAs   RunAsAny   <none>
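Comment 1 notes that the removed field may linger in etcd without being enforced, and comment 4 shows the post-rebuild scc/restricted, where the EMPTYDIR column is gone and FSGROUP has moved from RunAsAny to MustRunAs. The script below is an added example for auditing that kind of change; it is not code from this bug report or from the OpenShift project. BEFORE is the scc/restricted JSON from the description, trimmed to its policy fields; AFTER is constructed from the column values in comment 4, with fields the table does not show assumed unchanged. The stale-field list and the strictness ranking of strategy types are the script's own assumptions.

```python
"""Audit and diff OpenShift SecurityContextConstraints (SCC) snapshots.

Added example; not code from this bug report or from the OpenShift project.
BEFORE is the scc/restricted JSON pasted in the bug description, trimmed
to its policy fields. AFTER is constructed from the column values in
comment 4 (FSGROUP MustRunAs, EMPTYDIR column gone); fields the table
does not show are assumed unchanged.
"""
import json
import sys

# Fields the API server no longer enforces (assumption: only the field this
# bug is about). Per comment 1 the value may linger in etcd after a rebuild,
# so its presence should be reported, not read as a grant.
UNENFORCED_FIELDS = {"allowEmptyDirVolumePlugin"}

# Boolean knobs where `true` widens what a pod may touch on the host.
HOST_ACCESS_FLAGS = (
    "allowPrivilegedContainer", "allowHostDirVolumePlugin",
    "allowHostNetwork", "allowHostPorts", "allowHostPID", "allowHostIPC",
)

# Strategy fields whose `type` decides how tightly the value is pinned.
STRATEGY_FIELDS = ("seLinuxContext", "runAsUser", "fsGroup", "supplementalGroups")

# Rough looser-to-stricter ranking of strategy types (assumption), used only
# to label a change as tightened or loosened.
STRICTNESS = {"RunAsAny": 0, "MustRunAsNonRoot": 1, "MustRunAsRange": 1, "MustRunAs": 2}

# Keys that change on every rebuild and say nothing about policy.
IGNORED_KEYS = {"kind", "apiVersion", "metadata"}

BEFORE = {
    "kind": "SecurityContextConstraints", "apiVersion": "v1",
    "metadata": {"name": "restricted", "resourceVersion": "78"},
    "priority": None,
    "allowPrivilegedContainer": False,
    "defaultAddCapabilities": None,
    "requiredDropCapabilities": ["KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"],
    "allowedCapabilities": None,
    "allowHostDirVolumePlugin": False,
    "allowEmptyDirVolumePlugin": True,  # the field this bug asks to remove
    "allowHostNetwork": False, "allowHostPorts": False,
    "allowHostPID": False, "allowHostIPC": False,
    "seLinuxContext": {"type": "MustRunAs"},
    "runAsUser": {"type": "MustRunAsRange"},
    "supplementalGroups": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"},
    "groups": ["system:authenticated"],
}

# Constructed post-rebuild snapshot (see module docstring).
AFTER = json.loads(json.dumps(BEFORE))
del AFTER["allowEmptyDirVolumePlugin"]
AFTER["fsGroup"] = {"type": "MustRunAs"}
AFTER["metadata"]["resourceVersion"] = "91"  # arbitrary; metadata is ignored below


def find_unenforced_fields(scc):
    """Names of stale, unenforced fields still present in the SCC object."""
    return sorted(UNENFORCED_FIELDS & set(scc))


def host_access_summary(scc):
    """Host-access flags that are enabled; expected to be empty for 'restricted'."""
    return [f for f in HOST_ACCESS_FLAGS if scc.get(f) is True]


def strategy_types(scc):
    """Map each strategy field to its `type`, or '<unset>' when absent."""
    return {f: (scc.get(f) or {}).get("type", "<unset>") for f in STRATEGY_FIELDS}


def diff_scc(before, after):
    """Policy-relevant differences between two SCC snapshots, as readable lines."""
    changes = []
    old_keys, new_keys = set(before) - IGNORED_KEYS, set(after) - IGNORED_KEYS
    for f in sorted(old_keys - new_keys):
        changes.append(f"field removed: {f}={before[f]!r}")
    for f in sorted(new_keys - old_keys):
        changes.append(f"field added: {f}={after[f]!r}")
    for f in HOST_ACCESS_FLAGS:
        if before.get(f) != after.get(f):
            changes.append(f"{f}: {before.get(f)} -> {after.get(f)}")
    old_s, new_s = strategy_types(before), strategy_types(after)
    for f in STRATEGY_FIELDS:
        if old_s[f] != new_s[f]:
            tighter = STRICTNESS.get(new_s[f], 0) > STRICTNESS.get(old_s[f], 0)
            changes.append(f"{f}: {old_s[f]} -> {new_s[f]} ({'tightened' if tighter else 'loosened'})")
    return changes


if __name__ == "__main__":
    # Pipe live output in (`oc get scc restricted -o json | python scc_audit.py`)
    # to audit a cluster; with no pipe, fall back to the embedded snapshots.
    scc = json.load(sys.stdin) if not sys.stdin.isatty() else AFTER
    print("stale fields:", find_unenforced_fields(scc))
    print("host access enabled:", host_access_summary(scc))
    for line in diff_scc(BEFORE, scc):
        print("change vs. bug snapshot:", line)
```

Run against a saved pre-rebuild dump and a live `oc get scc restricted -o json`, the diff surfaces both the removed unenforced field and the FSGROUP strategy change, which is the kind of silent policy shift an environment refresh can introduce.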