Bug 1793209
| Summary: | Move default SCC creation from openshift-apiserver to kube-apiserver operator | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Abu Kashem <akashem> | |
| Component: | openshift-apiserver | Assignee: | Abu Kashem <akashem> | |
| Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.4 | CC: | aos-bugs, mfojtik, rheinzma, scuppett, slaznick, sttts | |
| Target Milestone: | --- | Keywords: | Reopened | |
| Target Release: | 4.4.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Release Note | ||
| Doc Text: |
Default SecurityContextConstraints (SCCs) are now created and maintained through the kube-apiserver operator. Every change to those by the user is eventually overwritten.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1794309 1794454 (view as bug list) | Environment: | ||
| Last Closed: | 2020-05-04 11:25:34 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1794309, 1794454, 1794468 | |||
The default SCC created by openshift-apiserver [1] are also present in the manifests folder of the cluster-kube-apiserver-operator operator [2]. [1] https://github.com/openshift/openshift-apiserver/blob/master/pkg/bootstrappolicy/securitycontextconstraints.go#L52 [2] https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests (edited) After investigating we found out that CVO uses a protobuf client for `SecurityContextConstraints`. https://github.com/openshift/cluster-version-operator/blob/master/lib/resourcebuilder/security.go#L21. protobuf client does not work with CRD type. We have opened a pull request on cvo to resolve this https://github.com/openshift/cluster-version-operator/pull/308 reopening as we need to track it for back porting. Moving to verified after bug 1794309#c7 and bug 1794309#c9 checked Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581 |
We have moved SecurityContextConstraints type from openshift-apiserver into a CRD provided by cluster-config-operator. This way the CRD gets installed long before openshift-apiservrer is deployed. But we have not moved the standard SCC manifest(s) in openshift-apiserver. We need to move these as well. A good place would be kube-apiservrer-operator. How reproducible: Always Because the default SCC are not created early enough we see errors like the following: I0114 20:56:27.810408 1 event.go:281] Event(v1.ObjectReference{Kind:"ReplicaSet", Namespace:"openshift-cluster-node-tuning-operator", Name:"cluster-node-tuning-operator-589fff797f", UID:"7bff9c12-2737-4ec3-993e-1c8e0526106b", APIVersion:"apps/v1", ResourceVersion:"938", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "cluster-node-tuning-operator-589fff797f-" is forbidden: no SecurityContextConstraints found in cluster