Bug 2280637

Summary: The rook-ceph-csi scc does not have "Required Drop Capabilities" set
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Component: ocs-operator
Version: 4.16
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Prasad Desala <tdesala>
Assignee: Shravani Vangur <svangur>
QA Contact: Prasad Desala <tdesala>
CC: mrajanna, nberry, nigoyal, nladha, odf-bz-bot
Target Release: ODF 4.17.0
Fixed In Version: 4.17.0-84
Doc Type: No Doc Update
Hardware: Unspecified
OS: Unspecified
Last Closed: 2024-10-30 14:27:56 UTC
Type: Bug

Description Prasad Desala 2024-05-15 13:24:11 UTC
Description of problem (please be detailed as possible and provide log
snippets):
==================================================================================
This BZ is opened based on the discussion in comment https://bugzilla.redhat.com/show_bug.cgi?id=2179803#c14. 

As part of the fix for BZ 2179803, the RequiredDropCapabilities of rook-ceph scc is set to ALL, but rook-ceph-csi scc still does not have "Required Drop Capabilities" set. This needs to be addressed and the changes must be made in the ocs-operator code which creates the csi scc.   

prasad:~$ oc describe scc rook-ceph | grep " Required Drop Capabilities"
  Required Drop Capabilities:			ALL
prasad:~$ oc describe scc rook-ceph-csi | grep " Required Drop Capabilities"
  Required Drop Capabilities:			<none>
prasad:~$ oc get csv 
NAME                                        DISPLAY                            VERSION            REPLACES   PHASE
mcg-operator.v4.16.0-94.stable              NooBaa Operator                    4.16.0-94.stable              Succeeded
ocs-client-operator.v4.16.0-94.stable       OpenShift Data Foundation Client   4.16.0-94.stable              Succeeded
ocs-operator.v4.16.0-94.stable              OpenShift Container Storage        4.16.0-94.stable              Succeeded
odf-csi-addons-operator.v4.16.0-94.stable   CSI Addons                         4.16.0-94.stable              Succeeded
odf-operator.v4.16.0-94.stable              OpenShift Data Foundation          4.16.0-94.stable              Succeeded
odf-prometheus-operator.v4.16.0-94.stable   Prometheus Operator                4.16.0-94.stable              Succeeded
recipe.v4.16.0-94.stable                    Recipe                             4.16.0-94.stable              Succeeded
rook-ceph-operator.v4.16.0-94.stable        Rook-Ceph                          4.16.0-94.stable              Succeeded
 

Version of all relevant components (if applicable):
odf 4.16

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
1

Is this issue reproducible?
Yes

Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Deploy an ODF cluster and check for "RequiredDropCapabilities" in rook-ceph-csi scc

Actual results:
===============
The rook-ceph-csi scc does not have "Required Drop Capabilities" set (it shows <none>).

Expected results:
=================
The security context for rook-ceph-csi should have the "RequiredDropCapabilities" set to ALL.
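
The check from the description, written as an added example that is not part of the original report or of the ocs-operator code: it reads the JSON form of the SCCs (as produced by `oc get scc -o json`) and reports whether each expected SCC lists ALL in `requiredDropCapabilities`. The sample document, the function names and the result labels are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `oc get scc -o json` output (not captured from a cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "SecurityContextConstraints", "metadata": {"name": "rook-ceph"},
   "requiredDropCapabilities": ["ALL"]},
  {"kind": "SecurityContextConstraints", "metadata": {"name": "rook-ceph-csi"},
   "requiredDropCapabilities": null}
]}
""")


def drops_all(scc):
    """True when the SCC forces every capability to be dropped."""
    # An unset field is serialized as null or left out entirely.
    caps = scc.get("requiredDropCapabilities") or []
    return "ALL" in caps


def audit(doc, expected=("rook-ceph", "rook-ceph-csi")):
    """Map each expected SCC name to 'ok', 'not-set', 'partial:<caps>' or 'missing'."""
    # Accept either a list document or a single SCC object.
    items = doc["items"] if doc.get("kind", "").endswith("List") else [doc]
    by_name = {item["metadata"]["name"]: item for item in items}
    result = {}
    for name in expected:
        scc = by_name.get(name)
        if scc is None:
            result[name] = "missing"
        elif drops_all(scc):
            result[name] = "ok"
        else:
            caps = scc.get("requiredDropCapabilities") or []
            result[name] = "partial:" + ",".join(caps) if caps else "not-set"
    return result


if __name__ == "__main__":
    import sys
    # Pipe `oc get scc -o json` in, or run with no input to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(doc)
    for name, state in findings.items():
        print(f"{name}: {state}")
    sys.exit(0 if all(s == "ok" for s in findings.values()) else 1)
```

The non-zero exit status when any expected SCC is not `ok` lets the check gate a post-deployment verification job.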

Comment 9 errata-xmlrpc 2024-10-30 14:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.17.0 Security, Enhancement, & Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:8676