Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1792107

Summary: sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx"
Product: OpenShift Container Platform Reporter: Luis Sanchez <sanchezl>
Component: kube-apiserverAssignee: Luis Sanchez <sanchezl>
Status: CLOSED ERRATA QA Contact: Ke Wang <kewang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1793587 (view as bug list) Environment:
Last Closed: 2020-05-04 11:24:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1793587    

Description Luis Sanchez 2020-01-17 03:48:01 UTC 
Description of problem:

scc-admission plugin sometime reports "no SecurityContextConstraints found in xxx" when there are sccs to be found.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Xingxing Xia 2020-01-22 07:50:57 UTC 
Luis, was this bug reproduced race existed? Any suggestion how to verify this bug? Thanks.
Comment 4 Xingxing Xia 2020-01-22 07:53:21 UTC 
(In reply to Xingxing Xia from comment #3)
> Luis, was this bug reproduced when race existed? ...
Comment 5 Xingxing Xia 2020-02-07 11:04:38 UTC 
Luis, could you help give some suggestion ^ ? Thank you!
Comment 6 Ke Wang 2020-02-17 08:53:04 UTC 
Since we have comprehensive unit tests that exercise all these scenarios. Will verify this directly.
Verified with OCP build 4.4.0-0.nightly-2020-02-16-221315,

Related test code can cover the fix:
$ cd  ~
$ git clone https://github.com/openshift/apiserver-library-go.git# or git pull if already cloned
$ cd apiserver-library-go
$ git branch -a
$ git checkout remotes/origin/release-4.4
$ cd pkg/securitycontextconstraints/sccadmission
$ ls
admission.go  admission_test.go  intializers.go  scc_exec.go  scc_exec_test.go

$ go test -v -run Test*
=== RUN   TestFailClosedOnInvalidPod
--- PASS: TestFailClosedOnInvalidPod (0.00s)
=== RUN   TestAdmitCaps
--- PASS: TestAdmitCaps (0.00s)
=== RUN   TestAdmitSuccess
--- PASS: TestAdmitSuccess (0.00s)
=== RUN   TestAdmitFailure
--- PASS: TestAdmitFailure (0.00s)
=== RUN   TestCreateProvidersFromConstraints
--- PASS: TestCreateProvidersFromConstraints (0.00s)
=== RUN   TestMatchingSecurityContextConstraints
W0217 16:47:07.127380  239315 byrestrictions.go:93] SELinuxContext type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127479  239315 byrestrictions.go:101] RunAsUser type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127489  239315 byrestrictions.go:93] SELinuxContext type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127497  239315 byrestrictions.go:101] RunAsUser type "" has no point value, this may cause issues in sorting SCCs by restriction
--- PASS: TestMatchingSecurityContextConstraints (0.00s)
=== RUN   TestAdmitWithPrioritizedSCC
--- PASS: TestAdmitWithPrioritizedSCC (0.00s)
=== RUN   TestAdmitSeccomp
--- PASS: TestAdmitSeccomp (0.00s)
=== RUN   TestAdmitPreferNonmutatingWhenPossible
--- PASS: TestAdmitPreferNonmutatingWhenPossible (0.00s)
=== RUN   TestExecAdmit
--- PASS: TestExecAdmit (0.00s)
    scc_exec_test.go:115: attach check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
    scc_exec_test.go:115: exec check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
PASS
ok  	github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission	0.027s


We can see all related test cases have been passed.
Comment 8 errata-xmlrpc 2020-05-04 11:24:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581