Bug 1793587

Summary: sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx"
Product: OpenShift Container Platform Reporter: Luis Sanchez <sanchezl>
Component: kube-apiserverAssignee: Luis Sanchez <sanchezl>
Status: CLOSED ERRATA QA Contact: Ke Wang <kewang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: aos-bugs, mfojtik, scuppett, xxia
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1792107 Environment:
Last Closed: 2020-02-25 06:17:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1792107    
Bug Blocks:    

Comment 2 Ke Wang 2020-02-18 09:54:23 UTC 
Since we have comprehensive unit tests that exercise all these scenarios. Will verify this directly.
Verified with OCP build 4.3.0-0.nightly-2020-02-17-110952,

Related test code can cover the fix:
$ cd  ~
$ git clone https://github.com/openshift/apiserver-library-go.git# or git pull if already cloned
$ cd apiserver-library-go
$ git branch -a
$ git checkout -b remotes/origin/release-4.3
$ cd pkg/securitycontextconstraints/sccadmission
$ ls
admission.go  admission_test.go  intializers.go  scc_exec.go  scc_exec_test.go

$ go test -v -run Test*
=== RUN   TestFailClosedOnInvalidPod
--- PASS: TestFailClosedOnInvalidPod (0.00s)
=== RUN   TestAdmitCaps
--- PASS: TestAdmitCaps (0.00s)
=== RUN   TestAdmitSuccess
--- PASS: TestAdmitSuccess (0.00s)
=== RUN   TestAdmitFailure
--- PASS: TestAdmitFailure (0.00s)
=== RUN   TestCreateProvidersFromConstraints
--- PASS: TestCreateProvidersFromConstraints (0.00s)
=== RUN   TestMatchingSecurityContextConstraints
--- PASS: TestMatchingSecurityContextConstraints (0.00s)
=== RUN   TestAdmitWithPrioritizedSCC
--- PASS: TestAdmitWithPrioritizedSCC (0.00s)
=== RUN   TestAdmitSeccomp
--- PASS: TestAdmitSeccomp (0.00s)
=== RUN   TestAdmitPreferNonmutatingWhenPossible
--- PASS: TestAdmitPreferNonmutatingWhenPossible (0.00s)
=== RUN   TestExecAdmit
--- PASS: TestExecAdmit (0.00s)
    scc_exec_test.go:115: attach check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
    scc_exec_test.go:115: exec check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
PASS
ok  	github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission	0.025s

We can see all related test cases have been passed.
Comment 4 errata-xmlrpc 2020-02-25 06:17:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0528