Bug 1625766

Summary: [apb] CLI tool produces failed provision when running as cluster-admin
Product: OpenShift Container Platform
Reporter: Dylan Murray <dymurray>
Component: Documentation
Assignee: Latha S <lmurthy>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: unspecified
Docs Contact: Latha S <lmurthy>
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, gnelson, jmatthew, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-08 13:10:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dylan Murray 2018-09-05 19:41:46 UTC
Document URL: 
https://docs.okd.io/latest/apb_devel/cli_tooling.html

Section Number and Name: 
https://docs.okd.io/latest/apb_devel/cli_tooling.html#apb-devel-cli-install-prereqs-access-permissions

Describe the issue: When running the CLI tool as cluster-admin, OpenShift will schedule the APB pod in the `anyuid` Security Context Constraint. This is well documented here: https://docs.okd.io/latest/architecture/additional_concepts/authorization.html#scc-prioritization

This causes issues with some APBs because they require running tasks which annotate the currently running pod. This is not allowed in the `anyuid` scc. We documented this in this comment: https://bugzilla.redhat.com/show_bug.cgi?id=1613664#c7

Suggestions for improvement: Provide a warning that running the CLI tool as a cluster-admin will cause APB pods to be deployed under the `anyuid` scc, which causes some APBs to fail.

Additional information:

Comment 8 Red Hat Bugzilla 2023-09-15 01:27:39 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days
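
The SCC prioritization behaviour the description refers to, as an added example that is not part of the original bug report and is not OpenShift's own code. It is a simplified model: the `restrictiveness` ranks and the two access lists are constructed assumptions, and the pod is assumed to request nothing special, so every SCC validates it.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SCC:
    name: str
    priority: Optional[int]  # unset (None) is treated as priority 0
    restrictiveness: int     # assumption: constructed rank, higher = more restrictive


# Constructed subset of the default SCCs. anyuid ships with priority 10;
# restricted and privileged leave the priority unset.
PRIVILEGED = SCC("privileged", None, 0)
ANYUID = SCC("anyuid", 10, 2)
RESTRICTED = SCC("restricted", None, 3)

# Constructed access lists: cluster-admin may use every SCC,
# a regular authenticated user only gets restricted.
CLUSTER_ADMIN = [PRIVILEGED, ANYUID, RESTRICTED]
DEVELOPER = [RESTRICTED]


def admission_order(sccs: List[SCC]) -> List[SCC]:
    """Documented ordering: highest priority first, then most restrictive, then name."""
    return sorted(sccs, key=lambda s: (-(s.priority or 0), -s.restrictiveness, s.name))


def admitted_scc(user_sccs: List[SCC],
                 validates: Callable[[SCC], bool] = lambda scc: True) -> Optional[str]:
    """Return the name of the first SCC, in admission order, that validates the pod."""
    for scc in admission_order(user_sccs):
        if validates(scc):
            return scc.name
    return None


def without_priority(sccs: List[SCC]) -> List[SCC]:
    """Same SCCs with every priority unset, to show that priority decides the outcome."""
    return [replace(s, priority=None) for s in sccs]


if __name__ == "__main__":
    print("cluster-admin pod admitted under:", admitted_scc(CLUSTER_ADMIN))
    print("developer pod admitted under:    ", admitted_scc(DEVELOPER))
    print("cluster-admin, priorities unset: ", admitted_scc(without_priority(CLUSTER_ADMIN)))
```

On a live cluster, the SCC a pod was actually admitted under is recorded in the pod's `openshift.io/scc` annotation.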