Bug 1829328
| Summary: | [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: [] | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maciej Szulik <maszulik> |
| Component: | kube-controller-manager | Assignee: | Maciej Szulik <maszulik> |
| Status: | CLOSED ERRATA | QA Contact: | zhou ying <yinzhou> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.3.0 | CC: | adam.kaplan, aos-bugs, dcbw, deads, gmontero, mfojtik, wzheng, yinzhou |
| Target Milestone: | --- | ||
| Target Release: | 4.3.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1829327 | Environment: | |
| Last Closed: | 2020-07-14 16:11:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1829327 | ||
| Bug Blocks: | |||
|
Comment 1
Maciej Szulik
2020-05-20 08:24:02 UTC
This waiting to be merged in the queue. Confirmed with payload: 4.3.0-0.nightly-2020-07-04-055556, when create new project will see the audit logs from kube-apiserver:
sh-4.4# grep namespace-security-allocation-controller audit*|grep patch |grep zhouy
audit.log:{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"8a541723-c513-4f99-a052-f08388db7509","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/zhouy","verb":"patch","user":{"username":"system:serviceaccount:openshift-infra:namespace-security-allocation-controller","uid":"1afe739c-c212-478c-8ac7-cf7f8d8148f9","groups":["system:serviceaccounts","system:serviceaccounts:openshift-infra","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-policy-controller/v0.0.0 (linux/amd64) kubernetes/$Format/system:serviceaccount:openshift-infra:namespace-security-allocation-controller","objectRef":{"resource":"namespaces","namespace":"zhouy","name":"zhouy","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-07-06T08:45:32.542309Z","stageTimestamp":"2020-07-06T08:45:32.549261Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:controller:namespace-security-allocation-controller\" of ClusterRole \"system:openshift:controller:namespace-security-allocation-controller\" to ServiceAccount \"namespace-security-allocation-controller/openshift-infra\""}}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2872 |