Description of problem:
- When some of the default SCCs' values are updated, these values are reconciled during the update. It is stated in the docs, but difficult to notice. And in fact, one of the customers experienced a critical issue during the update.
- We would like to get a warning message and know if there are any potentially dangerous SCCs in advance.

Version-Release number of selected component (if applicable):
- OCP 3.6 (customer experienced the critical issue)
- OCP 3.9 (latest version but still no preventive measures)

How reproducible:
100%

Steps to Reproduce:
1. Set nfs to volumes in restricted scc

# oc edit scc restricted
```
volumes:
...
- nfs
```
// nfs was added to restricted

# oc get scc restricted
NAME ... VOLUMES
restricted ... [configMap downwardAPI emptyDir nfs persistentVolumeClaim projected secret]

2. Run oc adm diagnostics

# oc adm diagnostics

Actual results:
- No warning regarding the SCCs problem

Expected results:
- Some info/warning message regarding the SCCs.

Additional info:
- Proposed patch: https://github.com/openshift/origin/pull/19610
- bz#1575450

I think this should be a preinstall check done with ansible playbooks. Moving to installer component.
Simo, can you get the referenced PR reviewed and then we can run the check during our upgrade playbooks? We can run the tool but we're not equipped to ensure the tool properly checks for problematic SCCs. https://github.com/openshift/origin/pull/19610
A check has been added to upgrade playbooks to ensure that bootstrapped SCCs are not modified during upgrade unexpectedly. I believe that fulfills the need here but I'm not sure so I'm moving this to Auth component for further analysis. See https://github.com/openshift/openshift-ansible/pull/8390 and subsequent changes to the code which cleaned up messaging.
Kenjiro, are the changes made to the installer sufficient to consider closing the bug?
Yes, both ansible-openshift and diagnostics command support clusterscc checks now. Let's close this ticket.
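
The kind of pre-upgrade check requested in the report, sketched as an added example; it is not part of this ticket and is not the code from the linked origin or openshift-ansible pull requests. The baseline is an assumption: it is the `restricted` volume list shown in the report with the manually added `nfs` removed, and the JSON input is a constructed sample shaped like `oc get scc -o json` output.

```python
import json

# Assumed baseline: the "restricted" volume list from the report minus the
# manually added "nfs". Extend with the defaults of the target release.
BASELINE = {
    "restricted": {
        "volumes": ["configMap", "downwardAPI", "emptyDir",
                    "persistentVolumeClaim", "projected", "secret"],
    },
}

# Constructed sample, trimmed to the fields this check reads.
SAMPLE_SCC_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "restricted"},
         "volumes": ["configMap", "downwardAPI", "emptyDir", "nfs",
                     "persistentVolumeClaim", "projected", "secret"]},
        {"metadata": {"name": "custom-scc"}, "volumes": ["hostPath"]},
    ]
})


def scc_drift(scc_list_json, baseline=BASELINE):
    """Return one warning per default-SCC field that differs from baseline."""
    warnings = []
    for scc in json.loads(scc_list_json).get("items", []):
        name = scc.get("metadata", {}).get("name")
        expected = baseline.get(name)
        if expected is None:
            continue  # not in the baseline, so not checked here
        for field, want in expected.items():
            have = scc.get(field) or []  # the API may return null for a list
            added = sorted(set(have) - set(want))
            removed = sorted(set(want) - set(have))
            if added or removed:
                warnings.append({"scc": name, "field": field,
                                 "added": added, "removed": removed})
    return warnings


if __name__ == "__main__":
    for w in scc_drift(SAMPLE_SCC_LIST):
        print("WARN: SCC %(scc)s field %(field)s differs from default: "
              "added=%(added)s removed=%(removed)s" % w)
```

Entries reported under `added` are the local changes that reconciliation would drop, so they are the ones to move into a separate custom SCC before upgrading.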