Description of problem:
In OCP 4.0 the openshift.io/scc annotation is missing on pods. In 3.x this annotation would get set on the pods, giving users the ability to confirm which SCC the pod is running under.

Version-Release number of selected component (if applicable):
oc v4.0.0-0.171.0
kubernetes v1.12.4+a532756e37
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server XXXXx
kubernetes v1.12.4+f39ab668d3

How reproducible:
100%

Steps to Reproduce:
1. Deploy cluster
2. `oc get pod NAME -o yaml`

Actual results:
# oc get pods -n openshift-ingress -o template --template='{{ range .items}}{{.metadata.annotations }}{{end}}'
map[k8s.v1.cni.cncf.io/networks-status:[{
    "name": "openshift-sdn",
    "ips": [
        "10.128.2.40"
    ],
    "default": true,
    "dns": {}

Expected results:
Set openshift.io/scc annotation on all pods that get deployed on the cluster:

metadata:
  annotations:
    openshift.io/scc: restricted
...
...
...
That namespace [1] has the label which bypasses the openshift admission plugins [2] (some namespaces always bypass this check [3]). This should not occur in the "normal" namespaces - please confirm. [1] https://github.com/openshift/cluster-ingress-operator/blob/master/assets/router/namespace.yaml#L8-L9 [2] https://github.com/openshift/origin/blob/977767d11ce5b22283e5e7da4089f803c5d287d6/pkg/cmd/openshift-kube-apiserver/kubeadmission/register.go#L43-L54 [3] https://github.com/openshift/origin/blob/dce7617033df46dfc512708ebf0a0bd9869209d3/pkg/admission/namespaceconditions/decorator.go#L10-L13
Please re-open if this issue happens on "normal" namespaces (those without the "openshift.io/run-level" annotation).
I have requested that the NE team remove the run-level label from their namespace(s) as an operator at the default run level runs after the openshift api server and thus does not need to skip admission checks (including SCC).
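As an added check (example code, not from this bug or from OpenShift), the following Python audits pod and namespace listings shaped like `oc get pods -A -o json` and `oc get ns -o json` for pods lacking the openshift.io/scc annotation, separating pods in namespaces that carry the openshift.io/run-level label (which skip the admission plugins, so the annotation is expected to be absent) from pods in normal namespaces (the symptom reported here). The sample data is constructed inline and the pod and namespace names are invented.

```python
import json

# Pods in namespaces carrying this label skip the OpenShift admission plugins
# (including SCC), so a missing annotation there is expected; elsewhere it is
# the symptom this bug describes.
RUN_LEVEL_LABEL = "openshift.io/run-level"
SCC_ANNOTATION = "openshift.io/scc"

# Constructed sample data shaped like `oc get ns -o json` and `oc get pods -A -o json`.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "openshift-ingress", "labels": {RUN_LEVEL_LABEL: "0"}}},
    {"metadata": {"name": "myapp", "labels": {}}},
]})
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "router-default-1", "namespace": "openshift-ingress",
                  "annotations": {"k8s.v1.cni.cncf.io/networks-status": "[]"}}},
    {"metadata": {"name": "web-1", "namespace": "myapp",
                  "annotations": {SCC_ANNOTATION: "restricted"}}},
    {"metadata": {"name": "web-2", "namespace": "myapp"}},
]})


def run_level_namespaces(ns_json):
    """Names of namespaces whose run-level label bypasses admission."""
    return {ns["metadata"]["name"] for ns in json.loads(ns_json)["items"]
            if RUN_LEVEL_LABEL in (ns["metadata"].get("labels") or {})}


def audit_scc_annotations(pods_json, ns_json):
    """Classify each pod as 'ok' (annotation present), 'expected_bypass'
    (run-level namespace) or 'missing' (normal namespace, no annotation)."""
    bypass = run_level_namespaces(ns_json)
    report = {"ok": [], "expected_bypass": [], "missing": []}
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        ref = f"{meta['namespace']}/{meta['name']}"
        scc = (meta.get("annotations") or {}).get(SCC_ANNOTATION)
        if scc:
            report["ok"].append((ref, scc))
        elif meta["namespace"] in bypass:
            report["expected_bypass"].append(ref)
        else:
            report["missing"].append(ref)
    return report


if __name__ == "__main__":
    for kind, pods in audit_scc_annotations(PODS_JSON, NAMESPACES_JSON).items():
        print(f"{kind}: {pods}")
```

Against a live cluster, feed the script the output of the two `oc get ... -o json` commands in place of the constructed strings; only the "missing" bucket needs follow-up.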
Verified with 4.0.0-0.nightly-2019-03-18-200009: the label 'openshift.io/run-level: "0"' has been removed from the openshift-ingress and openshift-ingress-operator namespaces.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758