Bug 2108631

Summary: Upgrade between 4.10 versions fails if cluster has custom SCCs
Product: OpenShift Container Platform
Reporter: Palash Khaire <pkhaire>
Component: Cluster Version Operator
Assignee: Over the Air Updates <aos-team-ota>
Status: CLOSED DUPLICATE
QA Contact: liujia <jiajliu>
Severity: high
Priority: unspecified
Version: 4.10
CC: aos-team-ota, tobias.brunner, yanyang
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-07-27 13:04:15 UTC
Type: Bug

Description Palash Khaire 2022-07-19 14:40:01 UTC
Description of problem: Upgrade between 4.10 versions fails if the cluster has custom SCCs

Version-Release number of the following components:


How reproducible: Add an additional SCC with `privileged` set to true:
```
NAME                      PRIV   CAPS   SELINUX     RUNASUSER   FSGROUP     SUPGROUP   PRIORITY     READONLYROOTFS   VOLUMES
syn-cluster-backup-etcd   true   []     MustRunAs   RunAsAny    MustRunAs   RunAsAny   <no value>   true             ["configMap","downwardAPI","emptyDir","hostPath","projected","secret"]
```

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results: The cluster-version-operator should explicitly set `readOnlyRootFilesystem: false` or the upgrade script must tolerate readOnlyRootFilesystem.

https://github.com/openshift/cluster-version-operator/blob/cb3a00c9f5e2ca00f24f9664b7e7cfbe0807748e/pkg/cvo/updatepayload.go#L183

~~~go
container.SecurityContext = &corev1.SecurityContext{
	Privileged:             pointer.BoolPtr(true),
	ReadOnlyRootFilesystem: pointer.BoolPtr(false),
}
~~~

Additional info:

```
$ kubectl -n openshift-cluster-version logs version-4.10.12-wsspr-k88qw
mv: cannot remove '/manifests/0000_00_cluster-version-operator_00_namespace.yaml': Read-only file system
mv: inter-device move failed: '/manifests' to '/etc/cvo/updatepayloads/4ENFMGrGePMHpleO-OWNaQ/manifests/manifests'; unable to remove target: Directory not empty
```
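
To see why an explicit `readOnlyRootFilesystem: false` changes the outcome, here is an added Python model (not code from the CVO or the OpenShift apiserver) of how SCC admission selects an SCC for the payload container: it assumes a simplified restrictiveness ordering, and that the custom SCC, unlike the built-in `privileged` one, does not allow host namespaces or all volume types.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of SCC admission (an assumption of this example, not the apiserver's
# code): candidate SCCs are tried in order, each may fill in unset SecurityContext
# fields, then validates the result; the first SCC that admits the container wins.

@dataclass
class SCC:
    name: str
    allow_privileged: bool
    read_only_root_fs: bool
    allow_host_namespaces: bool = False
    all_volumes: bool = False
    priority: Optional[int] = None

    def score(self):
        # Rough restrictiveness score (lower = more restrictive); the real sort uses a
        # finer point table, but it orders these two SCCs the same way.
        return (20 * self.allow_privileged + 10 * self.allow_host_namespaces
                + 10 * self.all_volumes)

def ordered(sccs):
    # Higher priority first, then most restrictive first, then by name.
    return sorted(sccs, key=lambda s: (-(s.priority or 0), s.score(), s.name))

def admit(sccs, privileged, read_only_root_fs):
    """Return (scc name, effective readOnlyRootFilesystem) for the first admitting SCC.
    read_only_root_fs=None means the pod spec left the field unset."""
    for scc in ordered(sccs):
        if privileged and not scc.allow_privileged:
            continue
        eff = read_only_root_fs
        if scc.read_only_root_fs and eff is None:
            eff = True            # mutation: the SCC forces a read-only root filesystem
        if scc.read_only_root_fs and not eff:
            continue              # validation: an explicit false is denied by this SCC
        return scc.name, eff
    return None, None

# Constructed cluster state: the built-in privileged SCC plus the custom one from the report.
CLUSTER_SCCS = [
    SCC("privileged", True, False, allow_host_namespaces=True, all_volumes=True),
    SCC("syn-cluster-backup-etcd", True, True),
]

def payload_pod_outcome(explicit_read_only_false):
    """Admission result for the CVO payload container, which always runs privileged."""
    return admit(CLUSTER_SCCS, True, False if explicit_read_only_false else None)
```

With the field left unset the custom SCC sorts first and forces a read-only root filesystem, which is what breaks the `mv` in the log above; with an explicit `false` that SCC rejects the container and admission falls through to `privileged`.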

Comment 2 Scott Dodson 2022-07-27 13:04:15 UTC

*** This bug has been marked as a duplicate of bug 2110590 ***