Bug 1996044
| Summary: | [SCC] openshift-apiserver degraded when a SCC with high priority is created | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component: | openshift-apiserver | Assignee: | Sergiusz Urbaniak <surbania> |
| Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.7 | CC: | aos-bugs, gvanderp, mfojtik, mjudeiki, oarribas, surbania |
| Target Milestone: | --- | ||
| Target Release: | 4.8.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-09-07 04:14:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1960680 | ||
| Bug Blocks: | 1996045 | ||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.10 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3299 |
In unfixed 4.8 env, can reproduce. In env launched with the open PR using cluster-bot, pre-merge-verified the issue would be gone: $ oc get clusterversion version 4.8.0-0.ci.test-2021-08-23-042232-ci-ln-nfy14cb-latest True False 69m Cluster version is 4.8.0-0.ci.test-2021-08-23-042232-ci-ln-nfy14cb-latest Create above k10-k10 SCC. Then delete one pod under openshift-apiserver project. Check the new created pod, it can be Running. Check YAML of new pod under openshift-apiserver project, it uses system scc: $ oc get po apiserver-c478f7dd8-5slf9 -n openshift-apiserver -o yaml | grep scc openshift.io/scc: node-exporter Check YAML of all pods under openshift-apiserver project, they set 'runAsUser: 0' for containers 'openshift-apiserver' and 'fix-audit-permissions'