Bug 1806908

Summary: openshift-ovirt-infra: Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be
Product: OpenShift Container Platform
Reporter: Stefan Schimanski <sttts>
Component: Installer
Assignee: Roy Golan <rgolan>
Installer sub component: OpenShift on RHV
QA Contact: Jan Zmeskal <jzmeskal>
Status: CLOSED NOTABUG
Docs Contact:
Severity: medium
Priority: high
CC: aos-bugs, ccoleman, eparis, jialiu, jokerman, mfojtik, nhale, nstielau, sfowler, wsun, xiyuan, xtian, xxia
Version: 4.4
Target Milestone: ---
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1805488
Environment:
Last Closed: 2020-02-26 18:37:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1805488, 1966621

Comment 1 Abhinav Dahiya 2020-02-25 21:41:24 UTC
This namespace hosts the DNS and virtual IP components and there is a high likelihood these need to run before openshift-apiserver runs. Will leave it for the RHV team to decide.

Comment 2 Sandro Bonazzola 2020-02-26 13:00:54 UTC
Reducing severity and priority after discussing with the development team about this.

Comment 3 Roy Golan 2020-02-26 14:08:18 UTC
Stefan, aside from not getting root permissions, are there any more implications for run-level != 1?

If we can reduce the run-level for that namespace we should do it.

The static pods we need are coredns, mdns-publisher and keepalived. coredns publishes port 53. Is there a run-level that would allow me to do that? Any documentation on those run-levels?

Comment 4 Scott Dodson 2020-02-26 18:37:11 UTC
The components in this namespace like DNS and API load balancing are required by all other components in the cluster and as such must be run at run level 1.

Comment 5 Red Hat Bugzilla 2023-09-15 00:29:52 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days