Bug 1860099

Summary: [3.11] - Registry pod is always assigned restricted scc
Product: OpenShift Container Platform
Reporter: Vladislav Walek <vwalek>
Component: Image Registry
Assignee: Oleg Bulatov <obulatov>
Status: CLOSED NOTABUG
QA Contact: Wenjing Zheng <wzheng>
Severity: medium
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, mfojtik, obulatov, sttts
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-08-31 15:27:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Vladislav Walek 2020-07-23 17:46:18 UTC
Description of problem:

The SCC assigned to the SA registry is ignored and the "restricted" SCC is assigned instead.

When using the Portworx storage provider, it times out on mounting the volume because of the fsGroup configured on the pod.

Assigning a different SCC (except anyuid) to the SA ends in the restricted SCC again.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.11

How reproducible:
- the registry SA is assigned to the nonroot SCC; the pod has the restricted SCC and fsGroup configured

Steps to Reproduce:
1. Assign the SA registry to a different SCC and roll out a new deployment.
2. Add a new SA with a non-restricted SCC to the deployment config; it still ends up with restricted.

Actual results:


Expected results:


Additional info:
Using anyuid, it works.

Comment 3 Stefan Schimanski 2020-08-03 12:53:25 UTC
> The SCC assigned to SA registry is ignored and the "restricted" scc is assigned instead.

What does this mean?

Comment 5 Oleg Bulatov 2020-08-03 14:21:37 UTC
@Vladislav, can you provide a reproducer? The restricted SCC should be enough. The apiserver selects a minimal required SCC, i.e. if the pod doesn't need anything special, the restricted SCC will be assigned. The registry usually works fine with the restricted SCC. 

Can you elaborate on what the problem is?
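
Added example (not code from OpenShift or from anyone on this bug): a simplified Python model of the selection rule Oleg describes in comment 5, written to illustrate the behaviour the reporter sees in the description. The SCC names and strategy types (restricted, nonroot, anyuid, privileged) match OpenShift's defaults and anyuid's default priority of 10 is real; the restrictiveness weights, the namespace UID range and the fsGroup value are constructed assumptions. It shows why a pod that requests nothing special is admitted by restricted (and gets an fsGroup injected) even when its service account may also use nonroot, why granting anyuid changes the outcome, and what a pod would have to request for nonroot to be selected instead.

```python
# Simplified model of OpenShift SCC admission: sort the SCCs the service account
# may use by priority (highest first), then by restrictiveness (most restrictive
# first), then by name, and take the first one that admits the pod.
# Added illustration, not the apiserver's code; weights and namespace values are assumed.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SCC:
    name: str
    priority: int          # higher is tried first; OpenShift's default anyuid has priority 10
    run_as_user: str       # "MustRunAsRange" | "MustRunAsNonRoot" | "RunAsAny"
    fs_group: str          # "MustRunAs" | "RunAsAny"
    allow_privileged: bool = False

    def points(self) -> int:
        """Restrictiveness score, lower = more restrictive (assumed weights)."""
        score = 20 if self.allow_privileged else 0
        score += {"MustRunAsRange": 1, "MustRunAsNonRoot": 3, "RunAsAny": 4}[self.run_as_user]
        score += {"MustRunAs": 0, "RunAsAny": 1}[self.fs_group]
        return score


@dataclass(frozen=True)
class PodSecurity:
    """The parts of a pod's securityContext this model looks at."""
    run_as_user: Optional[int] = None
    fs_group: Optional[int] = None
    privileged: bool = False


# Constructed namespace annotations, shaped like openshift.io/sa.scc.uid-range
# and openshift.io/sa.scc.supplemental-groups on a project.
NS_UID_RANGE = (1000000000, 1000000999)
NS_FS_GROUP = 1000000000


def admits(scc: SCC, pod: PodSecurity) -> bool:
    """Validating admission: can this SCC accept what the pod asks for?"""
    if pod.privileged and not scc.allow_privileged:
        return False
    uid = pod.run_as_user
    if scc.run_as_user == "MustRunAsRange" and uid is not None:
        if not (NS_UID_RANGE[0] <= uid <= NS_UID_RANGE[1]):
            return False
    if scc.run_as_user == "MustRunAsNonRoot" and uid == 0:
        return False
    if scc.fs_group == "MustRunAs" and pod.fs_group not in (None, NS_FS_GROUP):
        return False
    return True


def select_scc(pod: PodSecurity, allowed: List[SCC]) -> Optional[SCC]:
    """Least-privileged SCC that admits the pod, or None if nothing does."""
    for scc in sorted(allowed, key=lambda s: (-s.priority, s.points(), s.name)):
        if admits(scc, pod):
            return scc
    return None


def apply_scc(scc: SCC, pod: PodSecurity) -> PodSecurity:
    """Mutating admission: fill in the fields the chosen SCC's strategies require."""
    effective = pod
    if scc.run_as_user == "MustRunAsRange" and pod.run_as_user is None:
        effective = replace(effective, run_as_user=NS_UID_RANGE[0])
    if scc.fs_group == "MustRunAs" and pod.fs_group is None:
        effective = replace(effective, fs_group=NS_FS_GROUP)  # this is the injected fsGroup
    return effective


RESTRICTED = SCC("restricted", 0, "MustRunAsRange", "MustRunAs")
NONROOT = SCC("nonroot", 0, "MustRunAsNonRoot", "RunAsAny")
ANYUID = SCC("anyuid", 10, "RunAsAny", "RunAsAny")
PRIVILEGED = SCC("privileged", 0, "RunAsAny", "RunAsAny", allow_privileged=True)


def admit(pod: PodSecurity, allowed: List[SCC]) -> Tuple[Optional[str], Optional[PodSecurity]]:
    """Name of the SCC applied and the pod as it would be stored, or (None, None)."""
    scc = select_scc(pod, allowed)
    if scc is None:
        return None, None
    return scc.name, apply_scc(scc, pod)


if __name__ == "__main__":
    registry = PodSecurity()  # requests nothing special, like the default registry pod
    print("SA may use restricted+nonroot:", admit(registry, [RESTRICTED, NONROOT]))
    print("SA may use restricted+anyuid:  ", admit(registry, [RESTRICTED, ANYUID]))
    print("pod asks for UID 1001:          ", admit(PodSecurity(run_as_user=1001), [RESTRICTED, NONROOT]))
```

Adding nonroot to the service account changes nothing for a pod with an empty securityContext, because restricted sorts before nonroot and admits it; anyuid is picked only because of its priority. For nonroot to be selected the pod itself has to request something restricted refuses (here, a fixed non-root UID outside the namespace range), and only then is no fsGroup injected.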

Comment 6 Vladislav Walek 2020-08-11 17:41:38 UTC
Hey Oleg,

The issue I see is that even when changing the SCC on the registry SA, or even adding a totally different SA with no relation to the restricted SCC, the SCC configured on the pod will always be restricted.

The only way is to configure anyuid.

>>  The restricted SCC should be enough.

Unfortunately, the Portworx storage provider requires that the SA is not configured with the fsGroup, because that causes the storage to be reconfigured during mounting, which is not possible in Portworx and causes the mount to time out.

The problem is: even if the SA is configured with a different SCC, restricted is always applied. Why?
Check the reproducer from above; I was able to reproduce that.

Thx

Comment 7 Oleg Bulatov 2020-08-19 18:02:43 UTC
Can you share a cluster with Portworx volumes? Or at least a step-by-step guide. My attempt to install Portworx on 4.4.18 failed with the message "Could not find any available storage disks on this node" for all nodes, so I cannot reproduce it.