Bug 2102834
| Summary: | [cloud-credential-operator]container has runAsNonRoot and image will run as root | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component: | Cloud Credential Operator | Assignee: | Akhil Rane <arane> |
| Status: | CLOSED ERRATA | QA Contact: | Shivanthi <lamarach> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.5 | CC: | bleanhar, hongkliu, jrouth, jshu, kramraja, mbargenq, mihuang, mworthin, sdodson, wking |
| Target Milestone: | --- | Keywords: | ServiceDeliveryBlocker, Upgrades |
| Target Release: | 4.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-10 11:19:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2101880 | ||
| Bug Blocks: | 2102633 | ||
Comment 1
Scott Dodson
2022-07-01 17:34:42 UTC
Verified w/ version 4.11.0-0.nightly-2022-07-05-230222 following the suggested validation way:
1. Install ocp cluster with version 4.10.0-0.nightly-2022-06-08-150219
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.10.0-0.nightly-2022-06-08-150219 True False 35m Cluster version is 4.10.0-0.nightly-2022-06-08-150219
2. Apply labels
$ oc label namespace openshift-cloud-credential-operator openshift.io/run-level=1
namespace/openshift-cloud-credential-operator labeled
$ oc label namespace openshift-apiserver-operator openshift.io/run-level=1
namespace/openshift-apiserver-operator labeled
$ oc label namespace openshift-machine-api openshift.io/run-level=1
namespace/openshift-machine-api labeled
$ oc label namespace openshift-service-ca-operator openshift.io/run-level=1
namespace/openshift-service-ca-operator labeled
$ oc label namespace openshift-machine-config-operator openshift.io/run-level=1
error: 'openshift.io/run-level' already has a value (), and --overwrite is false
$ oc label namespace openshift-machine-config-operator openshift.io/run-level=1 --overwrite
namespace/openshift-machine-config-operator labeled
3. Upgrade to 4.11
$ oc adm upgrade --to-image registry.ci.openshift.org/ocp/release:4.11.0-0.nightly-2022-07-05-230222 --allow-explicit-upgrade --force
4. Upgrade is successful and run-level unset for the namespaces
$ oc get clusterversion -w
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.10.0-0.nightly-2022-06-08-150219 True True 54m Working towards 4.11.0-0.nightly-2022-07-05-230222: 704 of 802 done (87% complete)
version 4.11.0-0.nightly-2022-07-05-230222 True False 0s Cluster version is 4.11.0-0.nightly-2022-07-05-230222
$ oc get namespace openshift-cloud-credential-operator -o yaml |grep run-level
openshift.io/run-level: ""
$ oc get namespace openshift-apiserver-operator -o yaml |grep run-level
openshift.io/run-level: ""
$ oc get namespace openshift-machine-api -o yaml |grep run-level
openshift.io/run-level: ""
$ oc get namespace openshift-service-ca-operator -o yaml |grep run-level
openshift.io/run-level: ""
$ oc get namespace openshift-machine-config-operator -o yaml |grep run-level
openshift.io/run-level: ""
no doc needed per Akhil on Slack

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
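The step 4 check from the verification above, done in one pass instead of one `grep` per namespace. This is an added example, not part of the original bug comments or of the operator's code. The function name `check_run_levels` and the sample data are constructed for illustration; the function reads the listing on stdin so it also runs offline.

```shell
#!/bin/sh
# Input on stdin: output of
#   oc get namespace -L openshift.io/run-level --no-headers
# Columns are NAME STATUS AGE [RUN-LEVEL]; the last column is blank when the
# label is absent or set to the empty string.

# Namespaces labelled in step 2 of the verification.
WATCHED="openshift-cloud-credential-operator openshift-apiserver-operator openshift-machine-api openshift-service-ca-operator openshift-machine-config-operator"

# Prints "<ns> run-level=<value>" for each watched namespace that still carries
# a value, and "<ns> missing" for watched namespaces absent from the input
# (a plain grep would show nothing in both the "unset" and "absent" cases).
# Returns 0 when nothing is reported, 1 otherwise.
check_run_levels() {
    awk -v watched="$WATCHED" '
        BEGIN { bad = 0; n = split(watched, w, " ")
                for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) {
            seen[$1] = 1
            if (NF >= 4) { print $1 " run-level=" $4; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print w[i] " missing"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: listing after step 2 (labels applied, before upgrade).
sample_before() {
    for ns in $WATCHED; do echo "$ns Active 35m 1"; done
    echo "example-app Active 10m"   # constructed, not a watched namespace
}

# Constructed sample: listing after the upgrade in step 3.
sample_after() {
    for ns in $WATCHED; do echo "$ns Active 95m"; done
}

sample_before | check_run_levels || echo "run-level still set (expected before upgrade)"
sample_after | check_run_levels && echo "run-level unset on all watched namespaces"
```

Against a live cluster, pipe the `oc get namespace -L openshift.io/run-level --no-headers` output into `check_run_levels` and use its exit status in the upgrade validation.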