Bug 1823934

Summary: Make default SCC manifests create-only by CVO
Product: OpenShift Container Platform
Reporter: Abu Kashem <akashem>
Component: apiserver-auth
Assignee: Abu Kashem <akashem>
Status: CLOSED ERRATA
QA Contact: scheng
Severity: high
Docs Contact:
Priority: urgent
Version: 4.4
CC: aos-bugs, dmoessne, mfojtik, rbohne, scuppett, sttts, xxia
Target Milestone: ---
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1823933
Environment:
Last Closed: 2020-05-04 11:49:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1823933
Bug Blocks:

Description Abu Kashem 2020-04-14 19:52:34 UTC
+++ This bug was initially created as a clone of Bug #1823933 +++

Description of problem:
In OpenShift 4.4, the default SCCs are managed by CVO. This means any changes to them are stomped by CVO.

We have customers who change the default SCCs for their workload. When a cluster upgrades from 4.3 -> 4.4, the users' changes to the default SCCs will be stomped by CVO and customer workloads will consequently face outages.

Version-Release number of selected component (if applicable):
OpenShift 4.4

How reproducible:

Steps to Reproduce:
1. Install OpenShift 4.3

2. Change the default SCCs
    oc patch scc privileged --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'
    oc patch scc anyuid --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'

3. do a 4.3 -> 4.4 upgrade

Actual results:
Changes to the default SCCs will be lost as a result of the upgrade.

Expected results:
The upgrade should retain the changes made by the user

Additional info:
- https://bugzilla.redhat.com/show_bug.cgi?id=1823921
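
Added example (not from the bug report, the CVO or the kube-apiserver operator): a small Python script that snapshots the `users` and `groups` bindings of the default SCCs from `oc get scc -o json` taken before and after an upgrade, and reports any entries that disappeared. This is how an administrator would confirm whether the stomping described above happened, or after the fix that the customizations survived. The list of default SCC names and the two sample snapshots are constructed for the example; the stomped `kubeadmin` entries mirror the two patches in the reproduction steps.

```python
"""Report default-SCC customizations that did not survive an OpenShift upgrade.

Against a real cluster (standard oc invocations, run as cluster-admin):
    oc get scc -o json > scc-before.json     # before starting the upgrade
    oc get scc -o json > scc-after.json      # once the upgrade has completed
    python3 scc_diff.py scc-before.json scc-after.json
"""
import json
import sys

# Names of the SCCs shipped with a stock cluster (assumed list for this example).
DEFAULT_SCCS = (
    "anyuid", "hostaccess", "hostmount-anyuid", "hostnetwork",
    "nonroot", "privileged", "restricted",
)

# The SCC fields administrators most often edit to grant workloads access.
WATCHED_FIELDS = ("users", "groups")


def scc_bindings(scc_list):
    """Map each SCC name in an `oc get scc -o json` List to its sorted users/groups."""
    out = {}
    for item in scc_list.get("items", []):
        name = item["metadata"]["name"]
        # A null field (omitted by the API when empty) is treated as an empty list.
        out[name] = {f: sorted(item.get(f) or []) for f in WATCHED_FIELDS}
    return out


def lost_entries(before, after, names=DEFAULT_SCCS):
    """Return {scc: {field: [entries present before the upgrade but missing after]}}.

    Only SCCs listed in `names` are compared, so custom SCCs (which CVO never
    touched) do not add noise to the report.
    """
    lost = {}
    for name in names:
        if name not in before:
            continue
        after_fields = after.get(name, {f: [] for f in WATCHED_FIELDS})
        for f in WATCHED_FIELDS:
            missing = sorted(set(before[name][f]) - set(after_fields[f]))
            if missing:
                lost.setdefault(name, {})[f] = missing
    return lost


# Constructed sample snapshots: the reproduction steps' patches added "kubeadmin"
# to the privileged and anyuid SCCs before the upgrade; afterwards CVO has
# restored the shipped manifests and the entries are gone.
SAMPLE_BEFORE = {"items": [
    {"metadata": {"name": "privileged"},
     "users": ["system:admin",
               "system:serviceaccount:openshift-infra:build-controller",
               "kubeadmin"],
     "groups": ["system:cluster-admins", "system:nodes", "system:masters"]},
    {"metadata": {"name": "anyuid"},
     "users": ["kubeadmin"], "groups": ["system:cluster-admins"]},
    {"metadata": {"name": "restricted"},
     "users": None, "groups": ["system:authenticated"]},
]}
SAMPLE_AFTER = {"items": [
    {"metadata": {"name": "privileged"},
     "users": ["system:admin",
               "system:serviceaccount:openshift-infra:build-controller"],
     "groups": ["system:cluster-admins", "system:nodes", "system:masters"]},
    {"metadata": {"name": "anyuid"},
     "users": [], "groups": ["system:cluster-admins"]},
    {"metadata": {"name": "restricted"},
     "users": [], "groups": ["system:authenticated"]},
]}


def demo():
    """Diff the constructed snapshots; returns the lost-entries report."""
    return lost_entries(scc_bindings(SAMPLE_BEFORE), scc_bindings(SAMPLE_AFTER))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fb, open(sys.argv[2]) as fa:
            report = lost_entries(scc_bindings(json.load(fb)),
                                  scc_bindings(json.load(fa)))
    else:
        report = demo()
    if not report:
        print("no default-SCC customizations were lost")
    for scc, fields in report.items():
        for field, entries in fields.items():
            print(f"scc/{scc} lost {field}: {', '.join(entries)}")
    sys.exit(1 if report else 0)
```

Once the default SCC manifests are create-only, CVO no longer reverts drift in them, so the same comparison against a known-good baseline is also the way to notice unintended or unauthorised edits to these SCCs that the old stomping behaviour would have undone.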

Comment 1 Abu Kashem 2020-04-16 16:47:48 UTC
Waiting for the PR in master https://github.com/openshift/cluster-kube-apiserver-operator/pull/831 to merge. Then it will be cherry-picked into 4.4.

Comment 7 errata-xmlrpc 2020-05-04 11:49:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.