Bug 1575450 - Editing settings on the default SCCs should provide warning messages
Summary: Editing settings on the default SCCs should provide warning messages
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-05-07 00:56 UTC by Kenjiro Nakayama
Modified: 2018-05-15 20:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-15 20:15:39 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1577830 0 urgent CLOSED [DOCS] SCC section should clearly state that updating dfault SCCs could cause critical problem 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1578217 0 unspecified CLOSED oc adm diagnostics should support clusterscc option 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 3434931 0 None None None 2018-05-08 00:51:41 UTC

Internal Links: 1577830 1578217

Description Kenjiro Nakayama 2018-05-07 00:56:27 UTC
Description of problem:

- Editing settings on the default SCCs does not produce any warning, so some customers changed settings and experienced critical issues during an update.
- Although the docs warn about it (in a very small section), we would like to request a better way to notify the customer. (It is really difficult to find in the docs.)


Version-Release number of selected component (if applicable):
- OCP 3.6 (confirmed with OCP 3.9 as well)


How reproducible: 100%


Steps to Reproduce:
1. Add nfs to volumes in the restricted SCC

  # oc edit scc restricted
  ```
  volumes:
  ...
  - nfs
  ```

  // nfs was added to restricted
  # oc get scc restricted
  NAME         ...   VOLUMES
  restricted   ...   [configMap downwardAPI emptyDir nfs persistentVolumeClaim projected secret]

NOTE: We know that changing some values in a default SCC is bad practice. But there is no warning message, and no user can predict that the "additive" settings will be dropped by the update.

2. Update the cluster (e.g. 3.5 to 3.6).
 - During the update, "oc adm reconcile-sccs --confirm --additive-only=true" is executed by the playbook.


Actual results:
- The SCC is reconciled and all pods using nfs stopped running.


Expected results:
- We would like to request some warning messages when customers edit the default SCCs. (It caused a critical outage.)

e.g.:
  a. Making default SCCs "read only".
  b. When users edit default SCCs, OpenShift shows a warning message.
  c. OpenShift diagnostics gives a notification.


Additional info:

- https://github.com/openshift/origin/pull/19610 is the proposed patch for c), as it is the easiest way at the moment.

[1] https://docs.openshift.com/container-platform/3.6/admin_guide/manage_scc.html
In order to preserve customized SCCs during upgrades, do not edit settings on the default SCCs other than priority, users, groups, labels, and annotations.
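
The check described under option c) (a diagnostic that notices customized default SCCs) can be approximated offline by diffing the live SCC against a baseline captured from a pristine cluster, ignoring the five fields the docs quoted above allow admins to change. The script below is an added example, not code from the bug report, from PR 19610 or from OpenShift itself; it assumes both objects are in the JSON shape `oc get scc <name> -o json` prints, and the two sample objects embedded in it are constructed for illustration, not real OCP defaults.

```python
"""Warn about edits to a default SCC that an upgrade reconcile may revert.

Added example, not code from the bug report or from OpenShift. Assumes two
SCC objects in the JSON shape `oc get scc <name> -o json` prints: a baseline
captured from a pristine cluster and the live object. The sample objects at
the bottom are constructed for this example and are not real OCP defaults.
"""
import copy
import json
import sys

# Fields the OCP 3.6 admin guide allows admins to change on default SCCs
# (priority, users, groups, labels, annotations). Labels and annotations live
# under metadata, which also carries server-managed fields (uid,
# resourceVersion, ...), so metadata is skipped entirely; the name is the
# same on both sides by construction.
ALLOWED_TOP_LEVEL = {"priority", "users", "groups", "metadata", "apiVersion", "kind"}


def _normalize(value):
    """Make ordering of scalar lists irrelevant (volumes order does not matter)
    and recurse into nested dicts/lists so comparisons are structural."""
    if isinstance(value, dict):
        return {k: _normalize(v) for k, v in sorted(value.items())}
    if isinstance(value, list):
        items = [_normalize(v) for v in value]
        if all(not isinstance(v, (dict, list)) for v in items):
            return sorted(items, key=str)
        return items
    return value


def customized_fields(baseline, live):
    """Return {field: (baseline_value, live_value)} for every top-level SCC
    field that differs from the baseline and is not on the allowed list."""
    diffs = {}
    for field in set(baseline) | set(live):
        if field in ALLOWED_TOP_LEVEL:
            continue
        if _normalize(baseline.get(field)) != _normalize(live.get(field)):
            diffs[field] = (baseline.get(field), live.get(field))
    return diffs


def report(baseline, live):
    """Human-readable warning lines, one per customized field."""
    name = live.get("metadata", {}).get("name", "<unknown>")
    lines = []
    for field, (before, after) in sorted(customized_fields(baseline, live).items()):
        lines.append(
            f"WARNING: scc/{name} field '{field}' was edited: "
            f"{json.dumps(before)} -> {json.dumps(after)}; "
            "an upgrade reconcile can revert this and break pods relying on it"
        )
    return lines


# Constructed sample: a 'restricted' SCC before and after an admin added nfs
# to volumes and also changed fields that are allowed to differ.
BASELINE_RESTRICTED = {
    "apiVersion": "v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "restricted", "annotations": {"kubernetes.io/description": "constructed"}},
    "priority": None,
    "users": [],
    "groups": ["system:authenticated"],
    "allowHostNetwork": False,
    "allowPrivilegedContainer": False,
    "runAsUser": {"type": "MustRunAsRange"},
    "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
}
LIVE_RESTRICTED = copy.deepcopy(BASELINE_RESTRICTED)
LIVE_RESTRICTED["volumes"].insert(3, "nfs")          # the edit from the bug report
LIVE_RESTRICTED["users"] = ["alice"]                  # allowed change
LIVE_RESTRICTED["priority"] = 10                      # allowed change
LIVE_RESTRICTED["metadata"]["labels"] = {"team": "a"}  # allowed change
LIVE_RESTRICTED["metadata"]["resourceVersion"] = "42"  # server-managed noise


if __name__ == "__main__":
    # Usage: python check_scc.py baseline.json live.json  (files from `oc get scc X -o json`)
    # With no arguments the constructed sample above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            base, live = json.load(f1), json.load(f2)
    else:
        base, live = BASELINE_RESTRICTED, LIVE_RESTRICTED
    warnings = report(base, live)
    print("\n".join(warnings) if warnings else "no unsupported customizations found")
    sys.exit(1 if warnings else 0)
```

Run it against saved `oc get scc restricted -o json` output from a fresh install and from the cluster to be upgraded; a non-zero exit signals fields the reconcile step may revert, while changes limited to priority, users, groups, labels and annotations stay silent.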

Comment 2 Simo Sorce 2018-05-09 13:56:19 UTC
Isn't this just a matter of providing clearer documentation?

Comment 3 Kenjiro Nakayama 2018-05-11 07:09:19 UTC
Updating our docs is absolutely necessary. But, on top of the docs update, do you have any good ideas for preventive measures?

Comment 4 Kenjiro Nakayama 2018-05-15 04:10:52 UTC
I have opened the following tickets:

  bz#1577830 ... [DOCS] SCC section should clearly state that updating dfault SCCs could cause critical problem
  bz#1578217 ... oc adm diagnostics should support clusterscc option

If we don't have any other idea to prevent this issue, please close this ticket (bz#1575450) and continue with the two above.

Comment 5 Simo Sorce 2018-05-15 20:15:39 UTC
Kenjiro,
I think the two new tickets you opened are indeed a better way to address this issue.
Thank you.

