Bug 1578217

Summary: oc adm diagnostics should support clusterscc option
Product: OpenShift Container Platform
Reporter: Kenjiro Nakayama <knakayam>
Component: apiserver-auth
Assignee: Simo Sorce <ssorce>
Status: CLOSED UPSTREAM
QA Contact: Chuan Yu <chuyu>
Severity: high
Priority: unspecified
Version: 3.6.0
CC: aos-bugs, jokerman, knakayam, mmccomas, ssorce
Target Release: 3.11.0
Last Closed: 2018-07-16 13:12:55 UTC
Type: Bug

Description Kenjiro Nakayama 2018-05-15 04:06:21 UTC
Description of problem:

- When some of the default SCC values are updated, these values are reconciled during the update. It is stated in the docs, but it is difficult to notice. In fact, one of our customers experienced a critical issue during the update.
- We would like to get a warning message and know in advance if there are potentially dangerous SCCs.

Version-Release number of selected component (if applicable):

- OCP 3.6 (customer experienced the critical issue)
- OCP 3.9 (latest version but still no preventive measures)

How reproducible: 100%

Steps to Reproduce:
1. Set nfs to volumes in restricted scc

  # oc edit scc restricted
  ```
  volumes:
  ...
  - nfs
  ```

  // nfs was added to restricted
  # oc get scc restricted
  NAME         ...   VOLUMES
  restricted   ...   [configMap downwardAPI emptyDir nfs persistentVolumeClaim projected secret]

2. Run oc adm diagnostics

  # oc adm diagnostics

Actual results:
- No warning regarding the SCCs problem

Expected results:
- Some info/warning message regarding the SCCs.

Additional info:
- Proposed patch: https://github.com/openshift/origin/pull/19610 
- bz#1575450
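
The pre-upgrade drift check the report asks for, written out as an added example (it is not code from the bug report, from openshift/origin, or from openshift-ansible). It reads the JSON that `oc get scc -o json` prints, compares each bootstrapped SCC with the values the upgrade reconciles it back to, and warns about every field that would be reset. The `restricted` volume list comes from the reproduction steps above (the output before `nfs` was added); the other baseline fields are assumptions made for this example, the SCC dump is constructed, and the name `nfs-users` is hypothetical. It goes slightly beyond the report's case by also flagging scalar and strategy fields, not only `volumes`.

```python
"""Pre-upgrade drift check for bootstrapped SCCs (added example, not from the bug)."""
import json
from dataclasses import dataclass
from typing import Any

# Baseline for the bootstrapped SCCs. For `restricted`, the volume list is the
# one the bug report shows before `nfs` was added; the remaining fields are
# assumptions made for this example, not values quoted from the bug report.
BOOTSTRAP_SCCS: dict[str, dict[str, Any]] = {
    "restricted": {
        "allowHostDirVolumePlugin": False,
        "allowHostNetwork": False,
        "allowHostPID": False,
        "allowHostPorts": False,
        "allowPrivilegedContainer": False,
        "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
        "runAsUser": {"type": "MustRunAsRange"},
        "seLinuxContext": {"type": "MustRunAs"},
        "volumes": ["configMap", "downwardAPI", "emptyDir",
                    "persistentVolumeClaim", "projected", "secret"],
    },
}


@dataclass
class Drift:
    scc: str
    field: str
    expected: Any
    actual: Any
    added: tuple = ()    # entries in the cluster but not in the baseline (list fields)
    removed: tuple = ()  # entries in the baseline but missing from the cluster


def parse_scc_list(json_text: str) -> dict[str, dict[str, Any]]:
    """Map SCC name -> SCC object from the v1 List printed by `oc get scc -o json`."""
    doc = json.loads(json_text)
    return {item["metadata"]["name"]: item for item in doc.get("items", [])}


def diff_scc(name: str, actual: dict[str, Any], baseline: dict[str, Any]) -> list[Drift]:
    """Report each baseline field whose cluster value differs."""
    findings: list[Drift] = []
    for key, expected in baseline.items():
        observed = actual.get(key)
        if isinstance(expected, list):
            # Order is irrelevant for volumes/capabilities; report set differences.
            exp, obs = set(expected), set(observed or [])
            added, removed = tuple(sorted(obs - exp)), tuple(sorted(exp - obs))
            if added or removed:
                findings.append(Drift(name, key, expected, observed, added, removed))
        elif isinstance(expected, dict):
            # Strategy objects may carry extra keys (uid ranges); compare baseline keys only.
            if {k: (observed or {}).get(k) for k in expected} != expected:
                findings.append(Drift(name, key, expected, observed))
        elif observed != expected:
            findings.append(Drift(name, key, expected, observed))
    return findings


def check_cluster(sccs: dict[str, dict[str, Any]],
                  baseline: dict[str, dict[str, Any]] = BOOTSTRAP_SCCS) -> list[Drift]:
    """Check every bootstrapped SCC; custom SCCs are not reconciled, so they are ignored."""
    findings: list[Drift] = []
    for name, spec in baseline.items():
        if name not in sccs:
            findings.append(Drift(name, "<object>", "present", "missing"))
            continue
        findings.extend(diff_scc(name, sccs[name], spec))
    return findings


def format_report(findings: list[Drift]) -> list[str]:
    """One warning line per drift, stating what the upgrade would reset."""
    lines = []
    for d in findings:
        if d.field == "<object>":
            lines.append(f"WARN scc/{d.scc}: not found; upgrade reconciliation will recreate it")
        elif d.added or d.removed:
            parts = [f"extra {list(d.added)}"] if d.added else []
            parts += [f"missing {list(d.removed)}"] if d.removed else []
            lines.append(f"WARN scc/{d.scc} {d.field}: {', '.join(parts)}; "
                         f"upgrade reconciliation will reset it to {d.expected}")
        else:
            lines.append(f"WARN scc/{d.scc} {d.field}: is {d.actual!r}; "
                         f"upgrade reconciliation will reset it to {d.expected!r}")
    return lines


# Constructed sample standing in for `oc get scc -o json`: `restricted` with
# `nfs` added as in the reproduction steps, plus a hypothetical custom SCC.
SAMPLE_DUMP = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints", "metadata": {"name": "restricted"},
         **BOOTSTRAP_SCCS["restricted"],
         "volumes": ["configMap", "downwardAPI", "emptyDir", "nfs",
                     "persistentVolumeClaim", "projected", "secret"]},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "nfs-users"},
         "volumes": ["nfs", "secret"]},
    ],
})

if __name__ == "__main__":
    import sys
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    report = format_report(check_cluster(parse_scc_list(text)))
    print("\n".join(report) or "OK: bootstrapped SCCs match their defaults")
    sys.exit(1 if report else 0)
```

Run it as `oc get scc -o json | python scc_drift.py` before an upgrade; a non-zero exit means a bootstrapped SCC carries local changes that reconciliation will throw away, and any pod that relied on them (here, pods mounting `nfs` under `restricted`) will fail SCC admission afterwards. The durable fix is to leave the default SCCs untouched and grant the extra permission through a dedicated SCC bound to the service account that needs it; reconciliation does not touch SCCs it did not create.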

Comment 2 Simo Sorce 2018-05-15 12:34:15 UTC
I think this should be a preinstall check done with ansible playbooks.
Moving to installer component.

Comment 3 Scott Dodson 2018-05-15 12:45:27 UTC
Simo,

Can you get the referenced PR reviewed and then we can run the check during our upgrade playbooks? We can run the tool but we're not equipped to ensure the tool properly checks for problematic SCCs.

https://github.com/openshift/origin/pull/19610

Comment 4 Scott Dodson 2018-07-13 17:33:00 UTC
A check has been added to upgrade playbooks to ensure that bootstrapped SCCs are not modified during upgrade unexpectedly. I believe that fulfills the need here but I'm not sure so I'm moving this to Auth component for further analysis.

See https://github.com/openshift/openshift-ansible/pull/8390 and subsequent changes to the code which cleaned up messaging.

Comment 5 Simo Sorce 2018-07-16 13:06:25 UTC
Kenjiro, are the changes made to the installer sufficient to consider closing the bug ?

Comment 6 Kenjiro Nakayama 2018-07-16 13:12:55 UTC
Yes, both openshift-ansible and the diagnostics command support clusterscc checks now. Let's close this ticket.