Bug 1792107 - sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.4.0
Assignee: Luis Sanchez
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks: 1793587
 
Reported: 2020-01-17 03:48 UTC by Luis Sanchez
Modified: 2020-05-04 11:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1793587
Environment:
Last Closed: 2020-05-04 11:24:47 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift apiserver-library-go pull 20 | 0 | None | closed | Bug 1792107: sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx" | 2020-03-13 16:38:15 UTC
Github | openshift origin pull 24419 | 0 | None | closed | rebase 1.17.1 | 2020-03-13 16:38:16 UTC
Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:25:19 UTC

Description Luis Sanchez 2020-01-17 03:48:01 UTC
Description of problem:

The scc-admission plugin sometimes reports "no SecurityContextConstraints found in xxx" when there are SCCs to be found.


Comment 3 Xingxing Xia 2020-01-22 07:50:57 UTC
Luis, was this bug reproduced when a race existed? Any suggestion on how to verify this bug? Thanks.

Comment 4 Xingxing Xia 2020-01-22 07:53:21 UTC
(In reply to Xingxing Xia from comment #3)
> Luis, was this bug reproduced when race existed? ...

Comment 5 Xingxing Xia 2020-02-07 11:04:38 UTC
Luis, could you help give some suggestion ^ ? Thank you!

Comment 6 Ke Wang 2020-02-17 08:53:04 UTC
Since we have comprehensive unit tests that exercise all these scenarios, will verify this directly.
Verified with OCP build 4.4.0-0.nightly-2020-02-16-221315.

Related test code can cover the fix:
$ cd ~
$ git clone https://github.com/openshift/apiserver-library-go.git  # or git pull if already cloned
$ cd apiserver-library-go
$ git branch -a
$ git checkout remotes/origin/release-4.4
$ cd pkg/securitycontextconstraints/sccadmission
$ ls
admission.go  admission_test.go  intializers.go  scc_exec.go  scc_exec_test.go

$ go test -v -run '^Test'
=== RUN   TestFailClosedOnInvalidPod
--- PASS: TestFailClosedOnInvalidPod (0.00s)
=== RUN   TestAdmitCaps
--- PASS: TestAdmitCaps (0.00s)
=== RUN   TestAdmitSuccess
--- PASS: TestAdmitSuccess (0.00s)
=== RUN   TestAdmitFailure
--- PASS: TestAdmitFailure (0.00s)
=== RUN   TestCreateProvidersFromConstraints
--- PASS: TestCreateProvidersFromConstraints (0.00s)
=== RUN   TestMatchingSecurityContextConstraints
W0217 16:47:07.127380  239315 byrestrictions.go:93] SELinuxContext type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127479  239315 byrestrictions.go:101] RunAsUser type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127489  239315 byrestrictions.go:93] SELinuxContext type "" has no point value, this may cause issues in sorting SCCs by restriction
W0217 16:47:07.127497  239315 byrestrictions.go:101] RunAsUser type "" has no point value, this may cause issues in sorting SCCs by restriction
--- PASS: TestMatchingSecurityContextConstraints (0.00s)
=== RUN   TestAdmitWithPrioritizedSCC
--- PASS: TestAdmitWithPrioritizedSCC (0.00s)
=== RUN   TestAdmitSeccomp
--- PASS: TestAdmitSeccomp (0.00s)
=== RUN   TestAdmitPreferNonmutatingWhenPossible
--- PASS: TestAdmitPreferNonmutatingWhenPossible (0.00s)
=== RUN   TestExecAdmit
--- PASS: TestExecAdmit (0.00s)
    scc_exec_test.go:115: attach check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
    scc_exec_test.go:115: exec check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
PASS
ok  	github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission	0.027s


We can see all related test cases have passed.

Comment 8 errata-xmlrpc 2020-05-04 11:24:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

