Bug 2078040

Summary: mon store.db is not accessible due to custom/third-party security context constraint (SCC)
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: kelwhite
Component: ceph
Assignee: Prashant Dhange <pdhange>
ceph sub component: CephFS
QA Contact: Parikshith <pbyregow>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
CC: abhishku, anrobins, assingh, bhubbard, bkunal, bniver, hyelloji, jbiao, mbekhit, muagarwa, ocs-bugs, odf-bz-bot, pbyregow, pdhange, pnataraj, tdesala, vumrao
Version: 4.8
Flags: pdhange: needinfo? (r.martinez), pdhange: needinfo? (jbiao)
Hardware: All   
OS: All   
Last Closed: 2023-03-27 06:27:15 UTC
Type: Bug

Comment 40 mbekhit 2022-09-22 13:24:14 UTC
The following pods do not have the default SCCs defined by OCS Operator:

 NAME: ocs-operator-68b59c8976-6qkdf

 SCC: anyuid

The SCC (Security Context Constraints) for OCS pods should not be changed to default.

If the SCCs are changed, this can result in existing Ceph volumes giving access denied when trying to read/write.

----------------------------

The following pods have scc set to 'anyuid':

NAME: ocs-operator-68b59c8976-6qkdf:

 SCC: anyuid

The scc (Security Context Constraints) for OCS pods should not be changed to 'anyuid' after the initial deployment of OCS.

This can cause the problem as the PV may be already configured to a different User ID and changing scc to anyuid will cause the pod to run with a different UID.

This can result in existing Ceph volumes giving Access denied when trying to read/write, while it will allow creating new volumes.

Currently, the scc change is not acceptable, as the OCS pods cannot handle it.
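
An added example, not part of the bug comment or of any OCS tooling: one way to reproduce the check reported above from a saved pod list, by reading the `openshift.io/scc` annotation that OpenShift admission sets on each pod and showing the UID each container would run as. The sample data is constructed; the second and third pod names, the UID value and the function name are hypothetical.

```python
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"  # set by OpenShift admission on each admitted pod

# Constructed sample shaped like `oc get pods -n <namespace> -o json`. Only the pod
# name ocs-operator-68b59c8976-6qkdf and the value anyuid come from the comment above.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ocs-operator-68b59c8976-6qkdf",
                  "annotations": {SCC_ANNOTATION: "anyuid"}},
     "spec": {"securityContext": {}, "containers": [{"name": "ocs-operator"}]}},
    {"metadata": {"name": "example-pod-restricted",
                  "annotations": {SCC_ANNOTATION: "restricted"}},
     "spec": {"securityContext": {"fsGroup": 1000620000},
              "containers": [{"name": "c",
                              "securityContext": {"runAsUser": 1000620000}}]}},
    {"metadata": {"name": "example-pod-no-annotation"},
     "spec": {"containers": [{"name": "c"}]}},
]})


def pods_with_scc(pod_list_json, scc="anyuid"):
    """Return [(pod name, {container: runAsUser})] for pods admitted under `scc`."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(SCC_ANNOTATION) != scc:
            continue
        spec = pod.get("spec", {})
        pod_sc = spec.get("securityContext") or {}
        uids = {}
        for container in spec.get("containers", []):
            c_sc = container.get("securityContext") or {}
            # Container-level runAsUser overrides the pod-level value. None means
            # no UID was assigned, so the process runs as the image's own user.
            uids[container["name"]] = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        findings.append((meta.get("name"), uids))
    return findings


if __name__ == "__main__":
    # Read a real pod list from a pipe, or fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, uids in pods_with_scc(data):
        print(f"NAME: {name}  SCC: anyuid  runAsUser: {uids}")
```

To check a cluster, pipe `oc get pods -n openshift-storage -o json` into the script; the namespace is an assumption and should be replaced with the one OCS is installed in.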