Bug 1318944 - Should remove EMPTYDIR related scc context in online
Summary: Should remove EMPTYDIR related scc context in online
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Pod
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Devan Goodwin
QA Contact: DeShuai Ma
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-18 08:42 UTC by Chao Yang
Modified: 2016-05-23 15:10 UTC (History)

Fixed In Version: 3.2.0.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-23 15:10:15 UTC
Target Upstream Version:


Description Chao Yang 2016-03-18 08:42:33 UTC
Description of problem:
According to https://github.com/openshift/openshift-docs/pull/1760, the emptydir related setting should be removed from scc/restricted.

Version-Release number of selected component (if applicable):
dev-preview-int

How reproducible:
Always

Steps to Reproduce:
1. [root@dev-preview-int-master-d0106 ~]# oc get scc restricted
NAME         PRIV      CAPS      HOSTDIR   EMPTYDIR   SELINUX     RUNASUSER        FSGROUP    SUPGROUP   PRIORITY
restricted   false     []        false     true       MustRunAs   MustRunAsRange   RunAsAny   RunAsAny   <none>
[root@dev-preview-int-master-d0106 ~]# oc get scc restricted -o json
{
    "kind": "SecurityContextConstraints",
    "apiVersion": "v1",
    "metadata": {
        "name": "restricted",
        "selfLink": "/api/v1/securitycontextconstraints/restricted",
        "uid": "a8e0b195-e4b7-11e5-a28d-0aa949b0be09",
        "resourceVersion": "78",
        "creationTimestamp": "2016-03-07T22:55:16Z",
        "annotations": {
            "kubernetes.io/description": "restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace.  This is the most restrictive SCC."
        }
    },
    "priority": null,
    "allowPrivilegedContainer": false,
    "defaultAddCapabilities": null,
    "requiredDropCapabilities": [
        "KILL",
        "MKNOD",
        "SYS_CHROOT",
        "SETUID",
        "SETGID"
    ],
    "allowedCapabilities": null,
    "allowHostDirVolumePlugin": false,
    "allowEmptyDirVolumePlugin": true,
    "allowHostNetwork": false,
    "allowHostPorts": false,
    "allowHostPID": false,
    "allowHostIPC": false,
    "seLinuxContext": {
        "type": "MustRunAs"
    },
    "runAsUser": {
        "type": "MustRunAsRange"
    },
    "supplementalGroups": {
        "type": "RunAsAny"
    },
    "fsGroup": {
        "type": "RunAsAny"
    },
    "groups": [
        "system:authenticated"
    ]
}


Actual results:
"allowEmptyDirVolumePlugin": true exists in scc/restricted

Expected results:
"allowEmptyDirVolumePlugin": true should be removed from scc/restricted

Additional info:

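An added example (not from the bug report or from OpenShift itself): a small audit that reads SCC objects like the JSON above and reports fields the API no longer defines, such as the one this bug tracks, alongside host-access grants and RunAsAny strategies. The set of known fields, the severity labels and the trimmed sample are assumptions made for this example.

```python
# Fields of the v1 SecurityContextConstraints object as printed in the JSON
# above, minus allowEmptyDirVolumePlugin, which this report says was removed.
# Assumption: later releases add fields; regenerate this set from `oc get scc -o json`.
KNOWN_SCC_FIELDS = {
    "kind", "apiVersion", "metadata", "priority", "allowPrivilegedContainer",
    "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities",
    "allowHostDirVolumePlugin", "allowHostNetwork", "allowHostPorts",
    "allowHostPID", "allowHostIPC", "seLinuxContext", "runAsUser",
    "supplementalGroups", "fsGroup", "groups", "users",
}

# Boolean knobs that, when true, hand a pod some host-level access.
HOST_ACCESS_FLAGS = (
    "allowPrivilegedContainer", "allowHostDirVolumePlugin", "allowHostNetwork",
    "allowHostPorts", "allowHostPID", "allowHostIPC",
)

def audit_scc(scc):
    """Return findings for one SCC dict: stale fields and broad grants."""
    findings = []
    name = scc.get("metadata", {}).get("name", "<unnamed>")
    # Fields the API no longer knows linger as inert data, not as policy.
    for field in sorted(set(scc) - KNOWN_SCC_FIELDS):
        findings.append(f"{name}: stale/unknown field {field!r} (not enforced)")
    # A permissive knob matters more when every authenticated user gets the SCC.
    broad = "system:authenticated" in scc.get("groups", [])
    for flag in HOST_ACCESS_FLAGS:
        if scc.get(flag):
            sev = "HIGH" if broad else "MEDIUM"
            who = " for all authenticated users" if broad else ""
            findings.append(f"{name}: {sev} {flag}=true{who}")
    for strat in ("runAsUser", "seLinuxContext"):
        if scc.get(strat, {}).get("type") == "RunAsAny":
            findings.append(f"{name}: {strat} is RunAsAny")
    return findings

# Sample input (constructed): the restricted SCC from the report above, trimmed
# to the fields the audit reads; values are those shown in the report.
RESTRICTED_SCC = {
    "kind": "SecurityContextConstraints", "apiVersion": "v1",
    "metadata": {"name": "restricted"},
    "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
    "allowEmptyDirVolumePlugin": True,  # the field this bug asks to remove
    "allowHostNetwork": False, "allowHostPorts": False,
    "allowHostPID": False, "allowHostIPC": False,
    "seLinuxContext": {"type": "MustRunAs"}, "runAsUser": {"type": "MustRunAsRange"},
    "supplementalGroups": {"type": "RunAsAny"}, "fsGroup": {"type": "RunAsAny"},
    "groups": ["system:authenticated"],
}
```

On the sample, `audit_scc(RESTRICTED_SCC)` returns a single finding for the stale allowEmptyDirVolumePlugin field and nothing about host access or RunAsAny strategies, which matches comment 1's point that the leftover field carries no enforced policy.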
Comment 1 Devan Goodwin 2016-03-18 13:23:56 UTC
This feature was already removed in origin as of 355776169d2184eadbcbb443342f4668e83e13c2, which was merged on March 5 and did not make it into any released version of origin or OSE.

Could anyone confirm the version of code deployed in the dev-preview-int environment?

On the next environment refresh it should disappear from CLI output; it might remain as an extraneous field in etcd, but nothing will be enforcing or using it.

Comment 2 Abhishek Gupta 2016-03-24 18:45:00 UTC
The INT rebuild is currently ongoing and, once ready, should have this addressed.

Comment 3 Abhishek Gupta 2016-03-29 00:25:29 UTC
The INT rebuild is complete and this should now be fixed in INT.

Comment 4 Chao Yang 2016-03-29 02:06:54 UTC
This is fixed on the INT env:
oc v3.2.0.6
kubernetes v1.2.0-36-g4a3f9c5
Docker version 1.9.1, build 78ee77d/1.9.1
kernel 3.10.0-327.10.1.el7.x86_64

[root@dev-preview-int-master-21eb2 ~]# oc get scc restricted
NAME         PRIV      CAPS      HOSTDIR   SELINUX     RUNASUSER        FSGROUP     SUPGROUP   PRIORITY
restricted   false     []        false     MustRunAs   MustRunAsRange   MustRunAs   RunAsAny   <none>