Bug 1914451

Summary: cluster-storage-operator pod running as root
Product: OpenShift Container Platform Reporter: John McMeeking <jmcmeek>
Component: StorageAssignee: Hemant Kumar <hekumar>
Storage sub component: Operators QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, jsafrane
Version: 4.6   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:51:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John McMeeking 2021-01-08 21:41:47 UTC 
Description of problem:

We see these pods running as root in our 4.6 cluster. We didn't see a reason why the operator needs to do that.

- openshift-cluster-storage-operator/cluster-storage-operator

To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required.

Can you provide an explanation or change these as appropriate?


Version-Release number of selected component (if applicable):

$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803

How reproducible:

Always

Steps to Reproduce:
1. oc exec -n NS POD -- ps -e -o pid,uid,cmd
2.
3.

Actual results:

+ oc exec -n openshift-cluster-storage-operator cluster-storage-operator-54c8c9567c-cl2bf -- ps -e -o pid,uid,cmd
   PID   UID CMD
     1     0 cluster-storage-operator start


Expected results:

UID is not 0


Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
Comment 1 Jan Safranek 2021-01-15 13:06:05 UTC 
@jmcmeek.com, there's lot of other pods/containers that run as root in OCP, basically everything that runs as cluster-admin. Is cluster-storage-operator special in any way?
Comment 2 Jan Safranek 2021-01-15 17:08:13 UTC 
Nevermind, found the other BZs. From some reason, csi-snapshot-controller-operator was missing.

    PID   UID CMD
      1     0 /usr/bin/csi-snapshot-controller-operator start -v 5 --config=/var/run/configmaps/config/operator-config.yaml
Comment 4 Qin Ping 2021-01-18 05:37:09 UTC 
Verified with: 4.7.0-0.nightly-2021-01-17-211555

$ oc -n openshift-cluster-storage-operator  exec cluster-storage-operator-6fff87cc8c-rjjdj -- ps -e -o pid,uid,cmd
    PID   UID CMD
      1 10400 cluster-storage-operator start

$ oc -n openshift-cluster-storage-operator  exec csi-snapshot-controller-operator-65db554cff-4jg46 -- ps -e -o pid,uid,cmd
    PID   UID CMD
      1 10400 /usr/bin/csi-snapshot-controller-operator start -v 5 --config=/var/run/configmaps/config/operator-config.yaml
Comment 7 errata-xmlrpc 2021-02-24 15:51:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633