Bug 1829327

Summary: [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: []
Product: OpenShift Container Platform Reporter: Maciej Szulik <maszulik>
Component: kube-controller-managerAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: adam.kaplan, aos-bugs, dcbw, deads, gmontero, mfojtik, wzheng, yinzhou
Target Milestone: ---   
Target Release: 4.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1820687
: 1829328 (view as bug list) Environment:
Last Closed: 2020-07-06 20:47:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1820687    
Bug Blocks: 1829328    

Comment 1 Maciej Szulik 2020-05-20 08:24:14 UTC 
PRs in the queue.
Comment 4 zhou ying 2020-06-15 06:16:50 UTC 
Confirmed with payload: 4.4.0-0.nightly-2020-06-14-142924, when update project resource info, check the audit log, will see patch verb operation logs:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3b0f1d39-6033-42fa-ac1c-54222d7c062b","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt","verb":"patch","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.52.222"],"userAgent":"oc/4.6.0 (linux/amd64) kubernetes/f30826e","objectRef":{"resource":"projects","namespace":"zhouyt","name":"zhouyt","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-15T06:14:06.908085Z","stageTimestamp":"2020-06-15T06:14:06.933318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
Comment 5 Maciej Szulik 2020-06-15 14:50:37 UTC 
Ying Zhou you're looking for a patch event against a namespace, not a project.
Comment 8 Maciej Szulik 2020-06-18 17:22:03 UTC 
oving this back to dev to merge test update.
Comment 12 zhou ying 2020-06-28 06:28:16 UTC 
Maciej Szulik :

With payload :4.4.0-0.nightly-2020-06-27-171816, when I edit the project , I got the event like this : 
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e0c20010-e75d-4599-abf3-bb2d40131f89","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt2","verb":"patch","user":{"username":"testuser-2","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.14.93"],"userAgent":"oc/4.4.0 (linux/amd64) kubernetes/d89e458","objectRef":{"resource":"projects","namespace":"zhouyt2","name":"zhouyt2","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-28T06:18:14.151078Z","stageTimestamp":"2020-06-28T06:18:14.162907Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"admin/zhouyt2\" of ClusterRole \"admin\" to User \"testuser-2\""}}

The requestURI is /apis/project.openshift.io/v1/projects/zhouyt2, and the events is same as : https://bugzilla.redhat.com/show_bug.cgi?id=1829327#c4, could I verify this issue ?
Comment 13 Maciej Szulik 2020-06-29 14:37:02 UTC 
Hmm.... that's not quite the event I'm expecting. I was hoping you'll see this particular changed reflected:
https://github.com/openshift/cluster-policy-controller/pull/25/files#diff-096504074ffe8ffa94008df02b53af83R207

Which is the cluster-policy-controller invoking a patch against a namespace. I'm not saying this is not 
happening, but the above event is not showing that. It would be nice to look for that patch event.
What is important, it's not an update on a project, but creation of one. It's usually after a project is 
created the cluster-policy-controller will react on a newly created namespace and add openshift 
specific annotations related to security. That's the event you're looking for.
Comment 19 errata-xmlrpc 2020-07-06 20:47:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2786