Bug 1806917

Summary: openshift-service-ca-operator: Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be
Product: OpenShift Container Platform
Reporter: Stefan Schimanski <sttts>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: scheng
Severity: medium
Priority: medium
Version: 4.4
CC: aos-bugs, ccoleman, eparis, jack.ottofaro, jialiu, jokerman, mfojtik, nhale, nstielau, sfowler, slaznick, wking, wsun, xiyuan, xtian, xxia
Target Milestone: ---
Keywords: Reopened
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The namespace openshift-service-ca-operator was labelled with "openshift.io/run-level: 1".
Consequence: The pods inside this namespace would run with extra privileges.
Fix: Since the label is no longer necessary to avoid components' circular dependency, it was removed.
Result: The service-ca-operator pods had their privileges scoped down in freshly-installed clusters. In the clusters that get upgraded to the version containing the fix, it should be safe to remove this label manually (and restart the affected pods).
Story Points: ---
Clone Of: 1805488
Last Closed: 2021-02-24 15:10:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1805488, 1966621
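The Doc Text above describes the check an administrator of an upgraded cluster would want to run: which namespaces still carry the openshift.io/run-level label that takes their pods out of SCC enforcement, and what to do about them. The following is an added example, not code from this bug or from the service-ca-operator project; it parses the JSON that `oc get namespaces -o json` produces (a constructed sample is embedded), treats run-level values "0" and "1" as SCC-bypassing (an assumption about the SCC admission plugin, the bug itself only mentions "1"), and takes a hypothetical `allowed` set for namespaces that legitimately keep the label.

```python
import json

RUN_LEVEL_LABEL = "openshift.io/run-level"
# Assumption: SCC admission is skipped for namespaces at run-level "0" or "1".
BYPASS_LEVELS = {"0", "1"}

# Constructed sample in the shape of `oc get namespaces -o json`; not real cluster data.
SAMPLE_NAMESPACES = json.loads("""
{"kind": "NamespaceList", "items": [
  {"metadata": {"name": "openshift-service-ca-operator",
                "labels": {"openshift.io/run-level": "1"}}},
  {"metadata": {"name": "example-app",
                "labels": {"team": "payments"}}},
  {"metadata": {"name": "example-privileged",
                "labels": {"openshift.io/run-level": "0"}}}
]}
""")


def find_scc_bypass_namespaces(namespace_list, allowed=frozenset()):
    """Return (name, level) for namespaces whose run-level label bypasses SCC,
    skipping any names in the hypothetical `allowed` set."""
    findings = []
    for ns in namespace_list.get("items", []):
        meta = ns.get("metadata", {})
        name = meta.get("name", "")
        level = meta.get("labels", {}).get(RUN_LEVEL_LABEL)
        if level in BYPASS_LEVELS and name not in allowed:
            findings.append((name, level))
    return findings


def remediation_commands(findings):
    """Build the manual fix the Doc Text describes: drop the label (a trailing
    '-' after the key removes a label) and restart the namespace's pods."""
    cmds = []
    for name, _level in findings:
        cmds.append(f"oc label namespace {name} {RUN_LEVEL_LABEL}-")
        cmds.append(f"oc -n {name} delete pods --all")
    return cmds


if __name__ == "__main__":
    hits = find_scc_bypass_namespaces(SAMPLE_NAMESPACES, allowed={"example-privileged"})
    for name, level in hits:
        print(f"{name}: {RUN_LEVEL_LABEL}={level} (pods bypass SCC)")
    print("\n".join(remediation_commands(hits)))
```

On a real cluster, feed the function `json.loads(subprocess.check_output(["oc", "get", "namespaces", "-o", "json"]))` instead of the constructed sample, and review the generated commands before running them.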

Comment 2 Stefan Schimanski 2020-03-12 15:30:45 UTC
Reopened and moved to 4.5.

Comment 3 Stefan Schimanski 2020-05-19 12:30:18 UTC
No progress in 4.5 about this.

Comment 13 Standa Laznicka 2020-12-10 08:16:28 UTC
The PR merged, yet the bot failed to post that fact, moving to MODIFIED manually.

Comment 16 Standa Laznicka 2020-12-10 11:14:11 UTC
The manifest we have got changed properly, yet CVO is not respecting the change when the annotation is supposed to be deleted during upgrade. Moving there.

Comment 18 W. Trevor King 2020-12-10 19:38:42 UTC
Not obvious to me that this is a CVO bug.  I've opened [1] talking through the CVO behavior and floating some possible approaches, if folks want to kick those around.  Still need info from Standa, but now mostly for guidance about any non-CVO actors who could clear the label and about any timeline constraints for CVO-side changes if there are no available non-CVO actors.

[1]: https://issues.redhat.com/browse/OTA-330

Comment 19 W. Trevor King 2020-12-10 19:45:32 UTC
I'm going to move this back to ON_QA and auth, and scope it down to "newly created clusters will no longer have openshift.io/run-level".  If folks feel like they want to turn OTA-330 into a CVO bug about labels not being removed on updates, that's ok with me, but that's orthogonal enough that I don't think we should recycle this bug to be about that.

Comment 24 errata-xmlrpc 2021-02-24 15:10:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633