Bug 1372659

Summary: [infrastructure_public_178]Sysctls annotations should be immutable
Product: OpenShift Container Platform    Reporter: DeShuai Ma <dma>
Component: Node    Assignee: Stefan Schimanski <sttts>
Status: CLOSED NOTABUG    QA Contact: DeShuai Ma <dma>
Severity: medium    Docs Contact:
Priority: medium
Version: 3.3.1    CC: agoldste, aos-bugs, jokerman, mmccomas, wmeng
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-27 16:29:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description DeShuai Ma 2016-09-02 09:57:41 UTC
Description of problem:
After creating a pod with a sysctls value, then editing 'security.alpha.kubernetes.io/sysctls', the value can be changed but does not take effect; this annotation should be immutable.

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with safe sysctls
oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-safe.yaml

2. When the pod is running, check that the safe value works
[root@dhcp-128-7 dma]# oc get pod 
NAME        READY     STATUS    RESTARTS   AGE
hello-pod   1/1       Running   0          32s
[root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/kernel/shm_rmid_forced
1

3. Update 'security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=0'
[root@dhcp-128-7 dma]# oc patch pod hello-pod -p '{"metadata":{"annotations":{"security.alpha.kubernetes.io/sysctls":"kernel.shm_rmid_forced=0"}}}'
"hello-pod" patched
[root@dhcp-128-7 dma]# oc get pod hello-pod -o json|grep shm_rmid_forced
            "security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=0"

4. Check the sysctls value again in the container
[root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/kernel/shm_rmid_forced
1

Actual results:
3. The sysctls value is updated successfully.
4. The value is still the same as in step 2.

Expected results:
3. When updating, it should report that sysctls are immutable.

Additional info:

Comment 1 Stefan Schimanski 2016-09-05 09:25:10 UTC
Good point. Do we have that for other alpha features like seccomp or AppArmor?

Comment 2 Weihua Meng 2016-09-05 09:36:48 UTC
The seccomp annotations can be edited now, which should also be immutable.

Comment 3 Stefan Schimanski 2016-09-08 11:28:42 UTC
Here is a corresponding upstream issue where (among other things) mutable annotations are discussed: https://github.com/kubernetes/kubernetes/issues/30819. This cannot be solved for sysctls alone.

Comment 4 Andy Goldstein 2016-10-27 16:29:46 UTC
This is working as designed. The annotations are evaluated when the pod is received by the system. Changes to them do not take effect.
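The practical consequence of steps 3-4 above and of the "evaluated when the pod is received" behaviour in Comment 4 is that the annotation on a running pod is not a reliable record of the sysctls actually in effect: `oc patch` is accepted, `oc get pod -o json` shows the new value, but the container still runs with the value set at admission. The following is an added example, not code from the bug report or from OpenShift/Kubernetes, that parses the alpha sysctls annotation (the documented `name=value,name=value` format), flags names outside the safe set that Kubernetes 1.4 whitelisted (kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.tcp_syncookies), and reports drift between what the annotation declares and what was read from the container's /proc/sys (as in step 4). The pod object and the /proc/sys readings are constructed inline to match the session in the report; the `sysctl_to_proc_path` mapping (dots to slashes) is a simplification that assumes no dots inside a path component.

```python
"""Audit a pod's sysctls annotation against the values in effect in its container.

Added example for the bug discussion above; not OpenShift/Kubernetes code.
Assumed inputs: a pod object as returned by `oc get pod -o json` and a dict of
/proc/sys readings taken inside the container with `oc exec ... cat`.
"""

SYSCTL_ANNOTATION = "security.alpha.kubernetes.io/sysctls"
UNSAFE_SYSCTL_ANNOTATION = "security.alpha.kubernetes.io/unsafe-sysctls"

# Namespaced sysctls whitelisted as "safe" in Kubernetes 1.4; anything else
# declared via the annotations needs the unsafe annotation and node opt-in.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
})


def parse_sysctls_annotation(value):
    """Parse 'k1=v1,k2=v2' into a dict; reject entries without a name or '='."""
    result = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError("malformed sysctl entry (missing '='): %r" % entry)
        name, val = entry.split("=", 1)
        name, val = name.strip(), val.strip()
        if not name:
            raise ValueError("malformed sysctl entry (empty name): %r" % entry)
        result[name] = val
    return result


def declared_sysctls(pod):
    """Merge the safe and unsafe annotations of a pod object into one dict."""
    annotations = pod.get("metadata", {}).get("annotations", {}) or {}
    declared = {}
    for key in (SYSCTL_ANNOTATION, UNSAFE_SYSCTL_ANNOTATION):
        if key in annotations:
            declared.update(parse_sysctls_annotation(annotations[key]))
    return declared


def unsafe_sysctls(declared):
    """Names in the declared set that are not on the safe whitelist."""
    return sorted(name for name in declared if name not in SAFE_SYSCTLS)


def sysctl_to_proc_path(name):
    """kernel.shm_rmid_forced -> /proc/sys/kernel/shm_rmid_forced.

    Assumption: no component of the sysctl name itself contains a dot.
    """
    return "/proc/sys/" + name.replace(".", "/")


def find_drift(declared, effective):
    """Compare declared sysctls with /proc/sys readings from the container.

    `effective` maps a /proc/sys path to the raw text read from it.
    Returns a list of (name, declared_value, effective_value); effective_value
    is None when the file was not read at all.
    """
    drift = []
    for name, want in declared.items():
        have = effective.get(sysctl_to_proc_path(name))
        have = have.strip() if have is not None else None
        if have != want:
            drift.append((name, want, have))
    return drift


def audit_pod(pod, effective):
    """Full check: unsafe names plus annotation/kernel drift for one pod."""
    declared = declared_sysctls(pod)
    return {"unsafe": unsafe_sysctls(declared), "drift": find_drift(declared, effective)}


# Constructed sample: the pod after the `oc patch` in step 3 ...
PATCHED_POD = {
    "metadata": {
        "name": "hello-pod",
        "annotations": {SYSCTL_ANNOTATION: "kernel.shm_rmid_forced=0"},
    }
}
# ... and what `oc exec hello-pod -- cat /proc/sys/kernel/shm_rmid_forced`
# still returned in step 4 (the admission-time value).
CONTAINER_PROC_SYS = {"/proc/sys/kernel/shm_rmid_forced": "1\n"}

if __name__ == "__main__":
    report = audit_pod(PATCHED_POD, CONTAINER_PROC_SYS)
    for name, want, have in report["drift"]:
        print("DRIFT %s: annotation says %s, container has %s" % (name, want, have))
    for name in report["unsafe"]:
        print("UNSAFE sysctl declared: %s" % name)
```

Because the annotation is only consumed at admission, a drift report like the one above is the signal that someone edited the annotation after creation; the fix on the cluster side is to recreate the pod, not to patch it.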