Bug 1808602

Summary: kube-apiserver operator should go upgradeable=false if SCC has changed
Product: OpenShift Container Platform Reporter: Abu Kashem <akashem>
Component: kube-apiserverAssignee: Abu Kashem <akashem>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: high    
Version: 4.3.0CC: aos-bugs, deads, kewang, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1806568 Environment:
Last Closed: 2020-03-24 14:34:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1794309    
Bug Blocks:    

Description Abu Kashem 2020-02-28 22:38:25 UTC
+++ This bug was initially created as a clone of Bug #1806568 +++

In 4.4, the SCC is maintained by the CVO.  This means that the ratchet logic of "reconcile-scc" has been lost.  Overall this is good (we documented that nothing should change the bootstrap SCC), but practically, anyone who has changed needs to handle the situation before they upgrade and have the resources stomped.

We can make a change to 4.3.z which prevents upgrades (upgradeable=false) on fairly complicated predicates and provide links and help for dealing with the situation *before* it goes bad.

Comment 3 Xingxing Xia 2020-03-16 10:33:49 UTC
Above PR is from cluster-kube-apiserver-operator instead of openshift-apiserver. The bug's title has typo.
Verified in 4.3.0-0.nightly-2020-03-15-112942:
$ oc edit scc # remove "- projected" under anyuid and restricted
Then found Upgradeable becomes False:
$ oc get co kube-apiserver -o json | jq -r '.status.conditions[] | select(.type == "Upgradeable")'
  "lastTransitionTime": "2020-03-16T10:31:07Z",
  "message": "DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid restricted]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"

$ oc edit scc # add the removed stuff back
Then Upgradeable becomes True.

Comment 5 errata-xmlrpc 2020-03-24 14:34:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 6 Abu Kashem 2020-04-08 19:03:36 UTC
*** Bug 1806568 has been marked as a duplicate of this bug. ***