Bug 1448816

Summary: Should add 'projected' in scc/restricted volume policy by default
Product: OpenShift Container Platform Reporter: Zhang Cheng <chezhang>
Component: NodeAssignee: Jeff Peeler <jpeeler>
Status: CLOSED ERRATA QA Contact: Zhang Cheng <chezhang>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.6.0CC: aos-bugs, chuyu, decarr, dma, eparis, jokerman, mmccomas, pmorie, wmeng, xtian
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Project volumes were not included in the security context contraints. Consequence: Pods could not be used with projected volumes. Fix: Add projected volumes to the correct SCCs. Result: Projected volumes may be used as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 21:54:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zhang Cheng 2017-05-08 09:26:29 UTC 
Description of problem: cannot create a pod with projected volume plugin after 'oc login', pod can be created successful after add 'projected' in scc/restricted volume policy.


Version-Release number of selected component (if applicable):
oc v3.6.67
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://host-8-174-4.host.centralci.eng.rdu2.redhat.com:8443
openshift v3.6.67
kubernetes v1.6.1+5115d708d


How reproducible:
Always


Steps to Reproduce:
1. Login in by `oc login --server`, and create a new project

2. Create a secret and a configmap with below yaml:
$ cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  data-1: dmFsdWUtMQ0K
  data-2: dmFsdWUtMg0KDQo=

$ cat configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
data:
  special.how: very
  special.type: charm

3. Try to create a pod with all-in-one volume
# cat allinone-normal-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: allinone-normal
  labels:
    region: one
spec:
  containers:
  - name: allinone-normal
    image: redis
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: all-in-one
      mountPath: "/all-in-one"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: test-secret
          items:
            - key: data-1
              path: mysecret/my-username
            - key: data-2
              path: mysecret/my-passwd
      - downwardAPI:
          items:
            - path: mydapi/labels
              fieldRef:
                fieldPath: metadata.labels
            - path: mydapi/name
              fieldRef:
                fieldPath: metadata.name
            - path: mydapi/cpu_limit
              resourceFieldRef:
                containerName: allinone-normal
                resource: limits.cpu
                divisor: "1m"
      - configMap:
          name: special-config
          items:
            - key: special.how
              path: myconfigmap/shared-config
            - key: special.type
              path: myconfigmap/private-config

Actual results: 
3. Pod was created failed.
$ oc create -f allinone-permission-mode-pod.yaml
Error from server (Forbidden): error when creating "allinone-permission-mode-pod.yaml": pods "allinone-permission-mode" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "projected": projected volumes are not allowed to be used]


Expected results: 
3. Pod should be created successful, and project secrets, configmap and downward API into the same volume with normal keys and path


addition info: 
Pod can be created successful after add 'projected' in scc/restricted volume policy. 
# oc get scc | grep "^restricted"
restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
Comment 1 DeShuai Ma 2017-05-09 03:00:58 UTC 
Double confirm in online dev-preview-int, same issue.
Change bug to online.
Comment 3 Paul Morie 2017-05-11 02:49:41 UTC 
I cut a patch for this: https://github.com/openshift/origin/pull/14136
Comment 4 Jeff Peeler 2017-05-11 17:44:34 UTC 
Latest here: https://github.com/openshift/origin/pull/14147
Comment 7 Zhang Cheng 2017-07-05 05:39:56 UTC 
Verified and passed on openshift v3.6.133
Comment 12 errata-xmlrpc 2017-11-28 21:54:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188