Bug 2112146

Summary: [CI watcher] Create pod sample fail because of a restricted pod security admission policy
Product: OpenShift Container Platform Reporter: Christoph Jerolimov <cjerolim>
Component: Management ConsoleAssignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: high    
Version: 4.12CC: jhadvig, yapei
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 19:53:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2113019    
Attachments:
Description Flags
Screenshot of Creat Pod YAML on 4.12 none

Description Christoph Jerolimov 2022-07-29 00:01:00 UTC 
Description of problem:
The sample pod template fails because a security context is missing and was defined by the security admission controller. It is now enabled by default in OpenShift.

https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

Error:
# CRD extensions.ConsoleExternalLogLink CRD.creates a new test pod to display the ConsoleExternalLogLink instance
Error: Timeout - Async callback was not invoked within timeout specified by jasmine.DEFAULT_TIMEOUT_INTERVAL.

Failing tests:
https://search.ci.openshift.org/?search=ConsoleExternalLogLink+CRD&maxAge=168h&context=1&type=junit&name=pull-ci-openshift-console-master-e2e-gcp-console&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job

Current matched: 214 runs, 72% failed, 33% of failures match = 24% impact

CI history:
https://prow.ci.openshift.org/?repo=openshift%2Fconsole&job=pull-ci-openshift-console-master-e2e-gcp-console

Success rate over time: 3h0s: 0%, 12h0s: 14%, 48h0s: 10%


Version-Release number of selected component (if applicable):
4.12
Comment 2 xiangyli 2022-08-03 07:51:35 UTC 
Created attachment 1903201 [details]
Screenshot of Creat Pod YAML on 4.12
Comment 3 xiangyli 2022-08-03 08:07:49 UTC 
The bug is verified on: 4.12.0-0.nightly-2022-08-01-151317, the version the screenshot is taken on. 

The PR is mergerd `5` days ago, and the search link restricts the search for log `ConsoleExternalLogLink CRD` to `2` days, finding 
```    
76 runs, 61% failed, 4% of failures match = 3% impact
```
and two failures. 


Among the two failures, there only one 
```
https://search.ci.openshift.org/?search=ConsoleExternalLogLink+CRD&maxAge=48h&context=1&type=junit&name=pull-ci-openshift-console-master-e2e-gcp-console&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job#:~:text=%231554236630359871488
```
concerned with error: 
```
# CRD extensions.ConsoleExternalLogLink CRD.displays YAML editor for creating a new ConsoleExternalLogLink instance and creates it
Error: Timeout - Async callback was not invoked within timeout specified by jasmine.DEFAULT_TIMEOUT_INTERVAL.
```
which is the same cause as the bug. 


By contrast, the job failures roughly 100 times in the last `7` days:
```
https://search.ci.openshift.org/?search=ConsoleExternalLogLink+CRD&maxAge=168h&context=1&type=junit&name=pull-ci-openshift-console-master-e2e-gcp-console&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job
```

Also, I manually tested as the screenshot shows. There is no warnings when creating pods any more.
Comment 4 xiangyli 2022-08-03 08:55:28 UTC 
Correction: 
After further investigation on logs
https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/batch/pull-ci-openshift-console-master-e2e-gcp-console/1554236630359871488#1:build-log.txt%3A418

From line 418 to line 429
```
   33) ConsoleExternalLogLink CRD
A Jasmine spec timed out. Resetting the WebDriver Control Flow.
A Jasmine spec timed out. Resetting the WebDriver Control Flow.
A Jasmine spec timed out. Resetting the WebDriver Control Flow.
      ✖ displays YAML editor for creating a new ConsoleExternalLogLink instance and creates it (3 failures)
      • displays detail view for ConsoleExternalLogLink instance
      • creates a new test pod to display the ConsoleExternalLogLink instance
      • displays the ConsoleExternalLogLink instance on the test pod
      • displays YAML editor for adding namespaceFilter to the ConsoleExternalLogLink instance
      • does not display the ConsoleExternalLogLink instance on the test pod
      • deletes the test pod
      • deletes the ConsoleExternalLogLink instance
```
The failure of `displays YAML editor for creating a new ConsoleExternalLogLink instance and creates it` precedes `displays the ConsoleExternalLogLink instance on the test pod`. Thus this is a different cause from the bug. 
This means the job has no failure in the past two days.
Comment 8 errata-xmlrpc 2023-01-17 19:53:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399