Bug 1679629
| Summary: | OCP 4.0 the openshift.io/scc annotation is missing on pods. | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
| Component: | Networking | Assignee: | Dan Mace <dmace> |
| Networking sub component: | router | QA Contact: | Hongan Li <hongli> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | ||
| Priority: | medium | CC: | aos-bugs, jokerman, mkhan, mmccomas, rhowe |
| Version: | 4.1.0 | Keywords: | Reopened |
| Target Milestone: | --- | ||
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-04 10:44:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
That namespace [1] has the label which bypasses the openshift admission plugins [2] (some namespaces always bypass this check [3]). This should not occur in the "normal" namespaces - please confirm. [1] https://github.com/openshift/cluster-ingress-operator/blob/master/assets/router/namespace.yaml#L8-L9 [2] https://github.com/openshift/origin/blob/977767d11ce5b22283e5e7da4089f803c5d287d6/pkg/cmd/openshift-kube-apiserver/kubeadmission/register.go#L43-L54 [3] https://github.com/openshift/origin/blob/dce7617033df46dfc512708ebf0a0bd9869209d3/pkg/admission/namespaceconditions/decorator.go#L10-L13 Please re-open if this issue happens on "normal" namespaces (those without the "openshift.io/run-level" annotation). I have requested that the NE team remove the run-level label from their namespace(s) as an operator at the default run level runs after the openshift api server and thus does not need to skip admission checks (including SCC). verified with 4.0.0-0.nightly-2019-03-18-200009 and the label 'openshift.io/run-level: "0"' has been removed from openshift-ingress and openshift-ingress-operator namesapce. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758 |
Description of problem: In OCP 4.0 the openshift.io/scc annotation is missing on pods. In 3.x this annotation would get set on the pods, gave users the ability to confirm what SCC the pods is running under. Version-Release number of selected component (if applicable): oc v4.0.0-0.171.0 kubernetes v1.12.4+a532756e37 features: Basic-Auth GSSAPI Kerberos SPNEGO Server XXXXx kubernetes v1.12.4+f39ab668d3 How reproducible: 100% Steps to Reproduce: 1. Deploy cluster 2. `oc get pod NAME -o yaml Actual results: # oc get pods -n openshift-ingress -o template --template='{{ range .items}}{{.metadata.annotations }}{{end}}' map[k8s.v1.cni.cncf.io/networks-status:[{ "name": "openshift-sdn", "ips": [ "10.128.2.40" ], "default": true, "dns": {} Expected results: Set openshift.io/scc annotation on all pods that get deployed on the cluster: metadata: annotations: openshift.io/scc: restricted ... ... ...