Bug 1829327
Summary: | [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: [] | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Maciej Szulik <maszulik> | |
Component: | kube-controller-manager | Assignee: | Maciej Szulik <maszulik> | |
Status: | CLOSED ERRATA | QA Contact: | zhou ying <yinzhou> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 4.4 | CC: | adam.kaplan, aos-bugs, dcbw, deads, gmontero, mfojtik, wzheng, yinzhou | |
Target Milestone: | --- | |||
Target Release: | 4.4.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | No Doc Update | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | 1820687 | |||
: | 1829328 (view as bug list) | Environment: | ||
Last Closed: | 2020-07-06 20:47:16 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1820687 | |||
Bug Blocks: | 1829328 |
Comment 1
Maciej Szulik
2020-05-20 08:24:14 UTC
Confirmed with payload: 4.4.0-0.nightly-2020-06-14-142924, when update project resource info, check the audit log, will see patch verb operation logs: {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3b0f1d39-6033-42fa-ac1c-54222d7c062b","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt","verb":"patch","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.52.222"],"userAgent":"oc/4.6.0 (linux/amd64) kubernetes/f30826e","objectRef":{"resource":"projects","namespace":"zhouyt","name":"zhouyt","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-15T06:14:06.908085Z","stageTimestamp":"2020-06-15T06:14:06.933318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}} Ying Zhou you're looking for a patch event against a namespace, not a project. oving this back to dev to merge test update. Maciej Szulik : With payload :4.4.0-0.nightly-2020-06-27-171816, when I edit the project , I got the event like this : {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e0c20010-e75d-4599-abf3-bb2d40131f89","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt2","verb":"patch","user":{"username":"testuser-2","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.14.93"],"userAgent":"oc/4.4.0 (linux/amd64) kubernetes/d89e458","objectRef":{"resource":"projects","namespace":"zhouyt2","name":"zhouyt2","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-28T06:18:14.151078Z","stageTimestamp":"2020-06-28T06:18:14.162907Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"admin/zhouyt2\" of ClusterRole \"admin\" to User \"testuser-2\""}} The requestURI is /apis/project.openshift.io/v1/projects/zhouyt2, and the events is same as : https://bugzilla.redhat.com/show_bug.cgi?id=1829327#c4, could I verify this issue ? Hmm.... that's not quite the event I'm expecting. I was hoping you'll see this particular changed reflected: https://github.com/openshift/cluster-policy-controller/pull/25/files#diff-096504074ffe8ffa94008df02b53af83R207 Which is the cluster-policy-controller invoking a patch against a namespace. I'm not saying this is not happening, but the above event is not showing that. It would be nice to look for that patch event. What is important, it's not an update on a project, but creation of one. It's usually after a project is created the cluster-policy-controller will react on a newly created namespace and add openshift specific annotations related to security. That's the event you're looking for. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2786 |