Bug 1574503 - replicationcontroller doesn't store initContainers securityContext
Summary: replicationcontroller doesn't store initContainers securityContext
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 3.7.1
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
: ---
Assignee: Michal Fojtik
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-03 12:45 UTC by Juan Luis de Sousa-Valadas
Modified: 2018-05-03 14:06 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-03 14:06:58 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Juan Luis de Sousa-Valadas 2018-05-03 12:45:06 UTC
Description of problem:
Replication controllers don't store .spec.template.spec.initContainers.securityContext

Version-Release number of selected component (if applicable):
3.7 (Haven't tried it on 3.9)

How reproducible:
Always

Steps to Reproduce:
1. oc create serviceaccount privilegeduser
2. oc adm policy add-scc-to-user privileged -z privilegeduser
3. oc create -f- <<EOF
apiVersion: v1
kind: ReplicationController
metadata:
  labels:
    name: egress-router
  name: egress-router
spec:
  replicas: 1
  selector:
    name: egress-router
  template:
    metadata:
      annotations:
      creationTimestamp: null
      labels:
        name: egress-router
      name: egress-router
    spec:
      containers:
      - image: registry.access.redhat.com/openshift3/ose-pod
        imagePullPolicy: Always
        name: egress-router-wait
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      initContainers:
      - env:
        - name: EGRESS_SOURCE
          value: 172.22.110.124
        - name: EGRESS_GATEWAY
          value: 172.22.110.200
        - name: EGRESS_DESTINATION
          value: 172.22.104.54
        - name: EGRESS_ROUTER_MODE
          value: init
        image: registry.access.redhat.com/openshift3/ose-egress-router
        securityContext:
          privileged: true
        imagePullPolicy: Always
        name: egress-router-init
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      restartPolicy: Always
      securityContext: {}
      serviceAccount: privilegeduser
      serviceAccountName: privilegeduser
      terminationGracePeriodSeconds: 30
status: {}
EOF

4. oc get rc egress-router -o yaml doesn't have .spec.template.spec.initContainers.securityContext

Actual results:
rc doesn't have .spec.template.spec.initContainers.securityContext


Expected results:
rc has doesn't have .spec.template.spec.initContainers.securityContext.privileged: true

Comment 1 Jordan Liggitt 2018-05-03 14:06:58 UTC
I'm unable to reproduce

$ oc version
oc v3.7.44-1+5b9c6df-18
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://10.13.129.45:8443
openshift v3.7.44-1+5b9c6df-18
kubernetes v1.7.6+a08f5eeb62


$ oc create -f- <<EOF
apiVersion: v1
kind: ReplicationController
metadata:
  labels:
    name: egress-router
  name: egress-router
spec:
  replicas: 1
  selector:
    name: egress-router
  template:
    metadata:
      annotations:
      creationTimestamp: null
      labels:
        name: egress-router
      name: egress-router
    spec:
      containers:
      - image: registry.access.redhat.com/openshift3/ose-pod
        imagePullPolicy: Always
        name: egress-router-wait
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      initContainers:
      - env:
        - name: EGRESS_SOURCE
          value: 172.22.110.124
        - name: EGRESS_GATEWAY
          value: 172.22.110.200
        - name: EGRESS_DESTINATION
          value: 172.22.104.54
        - name: EGRESS_ROUTER_MODE
          value: init
        image: registry.access.redhat.com/openshift3/ose-egress-router
        securityContext:
          privileged: true
        imagePullPolicy: Always
        name: egress-router-init
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      restartPolicy: Always
      securityContext: {}
      serviceAccount: privilegeduser
      serviceAccountName: privilegeduser
      terminationGracePeriodSeconds: 30
status: {}
EOF



$ oc get rc egress-router -o yaml
apiVersion: v1
kind: ReplicationController
metadata:
  creationTimestamp: 2018-05-03T14:04:39Z
  generation: 1
  labels:
    name: egress-router
  name: egress-router
  namespace: default
  resourceVersion: "812"
  selfLink: /api/v1/namespaces/default/replicationcontrollers/egress-router
  uid: ebb149f6-4eda-11e8-8075-6a000155e300
spec:
  replicas: 1
  selector:
    name: egress-router
  template:
    metadata:
      ...
      name: egress-router
    spec:
      containers:
      - image: registry.access.redhat.com/openshift3/ose-pod
        imagePullPolicy: Always
        name: egress-router-wait
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      initContainers:
      - env:
        - name: EGRESS_SOURCE
          value: 172.22.110.124
        - name: EGRESS_GATEWAY
          value: 172.22.110.200
        - name: EGRESS_DESTINATION
          value: 172.22.104.54
        - name: EGRESS_ROUTER_MODE
          value: init
        image: registry.access.redhat.com/openshift3/ose-egress-router
        imagePullPolicy: Always
        name: egress-router-init
        resources: {}
        securityContext:
          privileged: true
...


the securityContext.privileged field is under a particular initContainer, like this:

.spec.template.spec.initContainers[0].securityContext.privileged


Note You need to log in before you can comment on or make changes to this bug.