Bug 2101843

Summary: pv fails to recycle with PodSecurity error
Product: OpenShift Container Platform
Reporter: Jason Montleon <jmontleo>
Component: Storage
Sub Component: Kubernetes
Assignee: Fabio Bertinatto <fbertina>
QA Contact: Wei Duan <wduan>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: jsafrane
Version: 4.11
Target Milestone: ---
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2023-01-17 19:50:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jason Montleon 2022-06-28 14:20:45 UTC
Description of problem:
A persistent volume is failing to recycle, stating that it violates PodSecurity "baseline:latest".

Version-Release number of selected component (if applicable):
Server Version: 4.11.0-fc.3

How reproducible:
Only happened once so far.

Steps to Reproduce:
1. Create a pv with the recycle reclaim policy, and pvc/deployment to use it.
2. Delete the pvc/deployment
3. Receive an error when the pv should be recycled.

Actual results:
Received an error in the WebUI that the PV was in a failed state and on further investigation saw:

status:
  message: 'Recycle failed: unexpected error creating recycler pod:  pods "recycler-for-pv-87"
    is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume
    "vol")'
  phase: Failed


Expected results:
PV is recycled correctly.

Additional info:
Full PV definition:
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: "2022-06-26T00:28:50Z"
  finalizers:
  - kubernetes.io/pv-protection
  labels:
    type: local
  name: pv-87
  resourceVersion: "121724"
  uid: 84126842-f67b-4e0d-a301-3e43fa94e4c5
spec:
  accessModes:
  - ReadWriteOnce
  - ReadWriteMany
  capacity:
    storage: 10Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: mariadb.12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
    namespace: mediawiki
    resourceVersion: "118679"
    uid: b1f03d4e-a3ec-42be-ad9a-53a0fd3eca6d
  hostPath:
    path: /srv/openshift/pv-87
    type: ""
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: manual
  volumeMode: Filesystem
status:
  message: 'Recycle failed: unexpected error creating recycler pod:  pods "recycler-for-pv-87"
    is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume
    "vol")'
  phase: Failed

Comment 1 Jan Safranek 2022-07-01 14:12:13 UTC
Jason, please note that recycler has been deprecated for a really long time and it should not be used for any production volumes.

Comment 2 Jason Montleon 2022-07-02 18:37:36 UTC
Thanks, I didn't realize that, but see it mentioned in the docs now.
https://docs.openshift.com/container-platform/4.10/storage/understanding-persistent-storage.html

I'm fine if this will be closed WONTFIX if that's the case and thanks for the heads up!

Comment 4 Wei Duan 2022-09-05 07:00:38 UTC
Verified pass on 4.12.0-0.nightly-2022-09-02-194931

1. Checking the pod-security label in ns openshift-infra 
$ oc get ns openshift-infra -o json | jq .metadata.labels
{
  "kubernetes.io/metadata.name": "openshift-infra",
  "pod-security.kubernetes.io/audit": "privileged",
  "pod-security.kubernetes.io/enforce": "privileged",
  "pod-security.kubernetes.io/warn": "privileged"
}

2. Creating pod+pvc+pv (with nfs+Recycle), then deleting pod+pvc and checking that the recycler pod works well.
recycler-for-pv-nfs     0/1     Pending             0          0s
recycler-for-pv-nfs     0/1     Pending             0          0s
recycler-for-pv-nfs     0/1     Pending             0          0s
recycler-for-pv-nfs     0/1     ContainerCreating   0          0s
recycler-for-pv-nfs     0/1     ContainerCreating   0          2s
recycler-for-pv-nfs     0/1     Completed           0          7s
recycler-for-pv-nfs     0/1     Completed           0          9s
recycler-for-pv-nfs     0/1     Terminating         0          9s
recycler-for-pv-nfs     0/1     Terminating         0          9s

Update status to "VERIFIED"
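
Comment 4 shows the fix as seen from the cluster: openshift-infra, the namespace in which the PV controller creates recycler pods, carries pod-security.kubernetes.io/enforce=privileged, so Pod Security Admission no longer rejects a pod that mounts a hostPath volume. The Python below is an added illustration, not OpenShift or kube-apiserver code. It models the part of Pod Security Admission that matters for this bug (the per-namespace enforce/audit/warn labels and a subset of the baseline checks, hostPath volumes among them) and replays a recycler pod against a baseline-enforcing and a privileged-enforcing namespace. The recycler pod spec is a constructed approximation of the default recycler template: the volume name "vol" matches the error message, the container name "pv-recycler", the image and the command are assumptions. Only the enforce mode can reject a pod; audit and warn are reported but never block.

```python
"""Toy model of Kubernetes Pod Security Admission (PSA), added to illustrate
this bug.  It is NOT OpenShift or kube-apiserver code: it implements only a
subset of the 'baseline' checks (hostPath volumes, host namespaces, privileged
containers) plus the namespace-label lookup, which is enough to show why
recycler-for-pv-87 was rejected and why labelling openshift-infra
'privileged' (comment 4) lets the recycler pod through."""

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
# Profile ordering: privileged allows everything, baseline forbids known
# privilege escalations, restricted adds hardening on top of baseline.
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}


def baseline_violations(pod):
    """Return baseline violations of a pod as strings shaped like the API
    server's, e.g. 'hostPath volumes (volume "vol")'.  Only a subset of the
    real baseline checks is modelled; restricted-only checks are omitted."""
    spec = pod.get("spec", {})
    found = []
    host_paths = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        found.append("hostPath volumes (%s)" % ", ".join('volume "%s"' % n for n in host_paths))
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("host namespaces")
    privileged = [c["name"] for c in spec.get("initContainers", []) + spec.get("containers", [])
                  if c.get("securityContext", {}).get("privileged")]
    if privileged:
        found.append("privileged (%s)" % ", ".join('container "%s"' % n for n in privileged))
    return found


def evaluate(pod, ns_labels):
    """Evaluate a pod against each PSA mode of a namespace.
    Returns {mode: (level, version, violations)}.  A mode with no label
    falls back to 'privileged', the upstream default when the cluster
    configures no other default, so nothing is flagged for it."""
    result = {}
    for mode in MODES:
        level = ns_labels.get(PSA_PREFIX + mode, "privileged")
        version = ns_labels.get(PSA_PREFIX + mode + "-version", "latest")
        violations = [] if LEVELS[level] == 0 else baseline_violations(pod)
        result[mode] = (level, version, violations)
    return result


def admit(pod, ns_labels):
    """Admission decision: only the enforce mode can reject a pod.
    Returns (admitted, message); the message mirrors the 'is forbidden'
    text that ended up in the PV status in this bug."""
    level, version, violations = evaluate(pod, ns_labels)["enforce"]
    if not violations:
        return True, ""
    msg = 'pods "%s" is forbidden: violates PodSecurity "%s:%s": %s' % (
        pod["metadata"]["name"], level, version, ", ".join(violations))
    return False, msg


# Constructed approximation of the recycler pod the PV controller creates
# for pv-87: one hostPath volume named "vol" mounted into a scrubber
# container.  Container name, image and command are assumptions.
RECYCLER_POD = {
    "metadata": {"name": "recycler-for-pv-87", "namespace": "openshift-infra"},
    "spec": {
        "restartPolicy": "Never",
        "volumes": [{"name": "vol", "hostPath": {"path": "/srv/openshift/pv-87"}}],
        "containers": [{
            "name": "pv-recycler",
            "image": "busybox",  # placeholder image
            "command": ["/bin/sh", "-c", "rm -rf /scrub/..?* /scrub/.[!.]* /scrub/*"],
            "volumeMounts": [{"name": "vol", "mountPath": "/scrub"}],
        }],
    },
}

# Namespace labels that reproduce the reported error (baseline enforced)
# and the labels shown by `oc get ns openshift-infra` in comment 4.
INFRA_LABELS_BASELINE = {PSA_PREFIX + "enforce": "baseline"}
INFRA_LABELS_PRIVILEGED = {
    "kubernetes.io/metadata.name": "openshift-infra",
    PSA_PREFIX + "audit": "privileged",
    PSA_PREFIX + "enforce": "privileged",
    PSA_PREFIX + "warn": "privileged",
}

if __name__ == "__main__":
    for labels in (INFRA_LABELS_BASELINE, INFRA_LABELS_PRIVILEGED):
        ok, msg = admit(RECYCLER_POD, labels)
        print("enforce=%s -> %s" % (labels[PSA_PREFIX + "enforce"], "admitted" if ok else msg))
```

Run as a script, it prints the forbidden message for the baseline labels and "admitted" for the privileged ones. The model also shows why relabelling only warn or audit would not have fixed the recycler: those modes record the violation but the enforce decision stays on whatever the enforce label (or its default) says. On a real cluster the check is the one in comment 4, `oc get ns openshift-infra -o json | jq .metadata.labels`, with the caveat from comment 1 that the Recycle reclaim policy is deprecated and should not be relied on for production volumes.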

Comment 7 errata-xmlrpc 2023-01-17 19:50:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399