Bug 1860992
| Summary: | CNV upgrade - users are not removed from privileged SecurityContextConstraints | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Ruth Netser <rnetser> |
| Component: | Virtualization | Assignee: | Igor Bezukh <ibezukh> |
| Status: | CLOSED ERRATA | QA Contact: | Kedar Bidarkar <kbidarka> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.4.0 | CC: | cnv-qe-bugs, dvossel, fdeutsch, ibezukh, kbidarka, sgott, stirabos |
| Target Milestone: | --- | | |
| Target Release: | 2.6.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | virt-operator-container-v2.6.0-72 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-10 11:18:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ruth Netser
2020-07-27 15:49:41 UTC
I tend to think that the right place to remove them is virt-operator. Stu?

Yes, if anything is responsible for removing our SAs from an SCC, it's virt-operator. Aren't kubevirt-handler and kubevirt-controller still in use? Which component creates build-controller? virt-operator certainly never created anything by that name.

The new way of doing this is virt-operator creates SCCs specific for KubeVirt. We still need SCCs, just not to modify the default ones. The 2.3 entries on the default SCC should have been removed. Also, build-controller isn't related to us; it's supposed to be on the default SCC.

Updating component to Virtualization.

PR submitted, waiting for code review.

The PR got merged, is there anything else that is needed?

Just the QE to verify it on a CNV 2.6 cluster.

Verified 2.5.3 -> 2.6.0 upgrade.
Added the following to SecurityContextConstraints privileged, under users:
- system:serviceaccount:openshift-cnv:kubevirt-handler
- system:serviceaccount:openshift-cnv:kubevirt-apiserver
- system:serviceaccount:openshift-cnv:kubevirt-controller

Before the upgrade:

```
$ oc get SecurityContextConstraints privileged -oyaml |grep -A6 users
f:users: {}
manager: kubectl-edit
operation: Update
time: "2021-02-02T08:47:59Z"
name: privileged
resourceVersion: "894696"
selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/privileged
--
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:openshift-cnv:kubevirt-handler
- system:serviceaccount:openshift-cnv:kubevirt-apiserver
- system:serviceaccount:openshift-cnv:kubevirt-controller
volumes:
```

After the upgrade:

```
$ oc get SecurityContextConstraints privileged -oyaml |grep -A6 users
f:users: {}
manager: virt-operator
operation: Update
time: "2021-02-03T13:45:23Z"
name: privileged
resourceVersion: "2200531"
selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/privileged
--
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller
volumes:
- '*'
```
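The verification above is done by eye with `grep`. The following script is an added example (not part of this bug report and not KubeVirt or virt-operator code) that performs the same post-upgrade check programmatically: it reads the JSON form of an SCC (what `oc get scc privileged -o json` returns), lists every entry in `users` and `groups` that still grants the SCC to service accounts of the `openshift-cnv` namespace, and reports which field manager last wrote `users` according to `metadata.managedFields` (the `kubectl-edit` vs `virt-operator` distinction visible in the output above). The two embedded documents are constructed samples shaped like the before/after output in this report, not captures from a cluster; the function names are this example's own.

```python
import json
from typing import Dict, List, Optional

# Constructed sample documents (not captured from a real cluster): the shape of
# `oc get scc privileged -o json`, trimmed to the fields this check reads.
SCC_BEFORE_UPGRADE = json.dumps({
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {
        "name": "privileged",
        "managedFields": [
            {"manager": "kubectl-edit", "operation": "Update",
             "time": "2021-02-02T08:47:59Z", "fieldsV1": {"f:users": {}}},
        ],
    },
    "users": [
        "system:admin",
        "system:serviceaccount:openshift-infra:build-controller",
        "system:serviceaccount:openshift-cnv:kubevirt-handler",
        "system:serviceaccount:openshift-cnv:kubevirt-apiserver",
        "system:serviceaccount:openshift-cnv:kubevirt-controller",
    ],
    "groups": ["system:cluster-admins"],
})

SCC_AFTER_UPGRADE = json.dumps({
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {
        "name": "privileged",
        "managedFields": [
            {"manager": "kubectl-edit", "operation": "Update",
             "time": "2021-02-02T08:47:59Z", "fieldsV1": {"f:groups": {}}},
            {"manager": "virt-operator", "operation": "Update",
             "time": "2021-02-03T13:45:23Z", "fieldsV1": {"f:users": {}}},
        ],
    },
    "users": ["system:admin",
              "system:serviceaccount:openshift-infra:build-controller"],
    "groups": ["system:cluster-admins"],
})


def namespace_grants(scc_json: str, namespace: str) -> Dict[str, List[str]]:
    """Entries in the SCC's `users` and `groups` that grant it to `namespace`.

    `users` names individual service accounts (system:serviceaccount:<ns>:<name>);
    `groups` can grant a whole namespace at once (system:serviceaccounts:<ns>),
    so a clean-up check has to look at both lists.
    """
    scc = json.loads(scc_json)
    sa_prefix = f"system:serviceaccount:{namespace}:"
    ns_group = f"system:serviceaccounts:{namespace}"
    return {
        "users": [u for u in (scc.get("users") or []) if u.startswith(sa_prefix)],
        "groups": [g for g in (scc.get("groups") or []) if g == ns_group],
    }


def last_manager_of(scc_json: str, field: str) -> Optional[str]:
    """Field manager that most recently wrote `field` (e.g. "f:users").

    Picks the newest managedFields entry whose fieldsV1 set contains the field;
    RFC 3339 timestamps in UTC sort correctly as strings.
    """
    scc = json.loads(scc_json)
    owners = [e for e in (scc.get("metadata", {}).get("managedFields") or [])
              if field in (e.get("fieldsV1") or {})]
    if not owners:
        return None
    return max(owners, key=lambda e: e.get("time", "")).get("manager")


def is_clean(scc_json: str, namespace: str = "openshift-cnv") -> bool:
    """True when no entry in the SCC still grants it to `namespace`."""
    grants = namespace_grants(scc_json, namespace)
    return not grants["users"] and not grants["groups"]


def report(scc_json: str, namespace: str = "openshift-cnv") -> str:
    grants = namespace_grants(scc_json, namespace)
    state = "clean" if is_clean(scc_json, namespace) else "lingering grants"
    return (f"{state}; users={grants['users']} groups={grants['groups']}; "
            f"users last written by {last_manager_of(scc_json, 'f:users')}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. a file saved from `oc get scc privileged -o json`
        with open(sys.argv[1]) as f:
            docs = {sys.argv[1]: f.read()}
    else:
        docs = {"before-upgrade sample": SCC_BEFORE_UPGRADE,
                "after-upgrade sample": SCC_AFTER_UPGRADE}
    for label, doc in docs.items():
        print(f"{label}: {report(doc)}")
```

Against the constructed samples the first document reports three lingering `openshift-cnv` service accounts with `users` last written by `kubectl-edit`, and the second reports clean with `users` last written by `virt-operator`, which is the outcome the verification above shows. Checking `groups` as well as `users` matters because a `system:serviceaccounts:<namespace>` group entry grants the SCC to every service account in the namespace, which a `grep` on individual account names would miss.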
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799