Bug 1960680
Summary: | [SCC] openshift-apiserver degraded when a SCC with high priority is created | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | oarribas <oarribas> | |
Component: | openshift-apiserver | Assignee: | Sergiusz Urbaniak <surbania> | |
Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> | |
Severity: | high | Docs Contact: | ||
Priority: | medium | |||
Version: | 4.7 | CC: | aos-bugs, gagore, gvanderp, jaiganesh, mfojtik, mjudeiki, oarribas, surbania | |
Target Milestone: | --- | Flags: | mfojtik:
needinfo?
|
|
Target Release: | 4.9.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | EmergencyRequest | |||
Fixed In Version: | Doc Type: | No Doc Update | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1996051 (view as bug list) | Environment: | ||
Last Closed: | 2021-10-18 17:31:06 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1955502 | |||
Bug Blocks: | 1996044 |
Description
oarribas
2021-05-14 14:56:44 UTC
** A NOTE ABOUT USING URGENT ** This BZ has been set to urgent severity and priority. When a BZ is marked urgent priority Engineers are asked to stop whatever they are doing, putting everything else on hold. Please be prepared to have reasonable justification ready to discuss, and ensure your own and engineering management are aware and agree this BZ is urgent. Keep in mind, urgent bugs are very expensive and have maximal management visibility. NOTE: This bug was automatically assigned to an engineering manager with the severity reset to *unspecified* until the emergency is vetted and confirmed. Please do not manually override the severity. ** INFORMATION REQUIRED ** Please answer these questions before escalation to engineering: 1. Has a link to must-gather output been provided in this BZ? We cannot work without. If must-gather fails to run, attach all relevant logs and provide the error message of must-gather. 2. Give the output of "oc get clusteroperators -o yaml". 3. In case of degraded/unavailable operators, have all their logs and the logs of the operands been analyzed [yes/no] 4. List the top 5 relevant errors from the logs of the operators and operands in (3). 5. Order the list of degraded/unavailable operators according to which is likely the cause of the failure of the other, root-cause at the top. 6. Explain why (5) is likely the right order and list the information used for that assessment. 7. Explain why Engineering is necessary to make progress. Tested in 4.9.0-0.nightly-2021-08-22-070405: Create above k10-k10 SCC. Then delete one pod under openshift-apiserver project. Check the new created pod, it can be Running. Check YAML of new pod under openshift-apiserver project, it uses system scc: $ oc get po apiserver-576b474fb5-fx49h -n openshift-apiserver -o yaml | grep scc openshift.io/scc: node-exporter Check YAML of all pods under openshift-apiserver project, they set 'runAsUser: 0' for containers 'openshift-apiserver' and 'fix-audit-permissions' *** Bug 1968511 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759 |