Bug 1734663

Summary: [4.1] Backport of upstream #78882: Fix incorrect procMount defaulting
Product: OpenShift Container Platform Reporter: Stefan Schimanski <sttts>
Component: kube-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: urgent    
Version: 4.1.zCC: aos-bugs, mfojtik
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-28 19:54:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stefan Schimanski 2019-07-31 07:28:19 UTC 
What this PR does / why we need it:

Fixes incorrect forcing of the alpha procMount field to a non-nil value.

Without DaemonSet can/will suddenly all redeploy at the same time, leading to outages on upgrade: https://github.com/kubernetes/kubernetes/issues/78633

Upstream PR: https://github.com/kubernetes/kubernetes/pull/78882
Comment 1 Stefan Schimanski 2019-07-31 07:29:27 UTC 
4.2 PR, to be tested by QA: https://github.com/openshift/origin/pull/23512
Comment 3 Xingxing Xia 2019-08-16 06:05:47 UTC 
Verified by upgrading an env from payload 4.1.0-0.nightly-2019-08-13-020742 which does incorrect procMount defaulting, to payload 2 4.1.0-0.nightly-2019-08-13-091918 which includes the fix. Didn't see daemonset containers unexpectedly restart. More details:
Before upgrade, besides the cluster-component daemonsets, create a daemonset which would include non-nil podSpec.Containers.SecurityContext.ProcMount after creation:
oc create -f - -n xxia-proj << EOF
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: myds
spec:
  selector:
      matchLabels:
        name: myds
  template:
    metadata:
      labels:
        name: myds
    spec:
      containers:
      - image: openshift/hello-openshift
        name: hello-openshift
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
EOF

After creation, the daemonset looks like:
...
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          procMount: Default
...

Then do above upgrade.
Comment 6 errata-xmlrpc 2019-08-28 19:54:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2547