Bug 1793209 - Move default SCC creation from openshift-apiserver to kube-apiserver operator
Summary: Move default SCC creation from openshift-apiserver to kube-apiserver operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.4.0
Assignee: Abu Kashem
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1794309 1794454 1794468
Reported: 2020-01-20 22:39 UTC by Abu Kashem
Modified: 2020-05-04 11:26 UTC
CC: 6 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
Default SecurityContextConstraints (SCCs) are now created and maintained by the kube-apiserver operator. Any change a user makes to those default SCCs is eventually overwritten; site-specific policy belongs in a separate, custom SCC rather than in edits to the defaults.
Clone Of:
: 1794309 1794454 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:25:34 UTC
Target Upstream Version:
Embargoed:




Links
System                 | ID                                           | Private | Priority | Status | Summary                                                                  | Last Updated
Github                 | openshift cluster-version-operator pull 308  | 0       | None     | closed | Bug 1793209: Don't use protobuf client for SecurityContextConstraints    | 2020-10-26 14:43:49 UTC
Red Hat Product Errata | RHBA-2020:0581                               | 0       | None     | None   | None                                                                     | 2020-05-04 11:26:15 UTC

Description Abu Kashem 2020-01-20 22:39:35 UTC
We have moved the SecurityContextConstraints type from openshift-apiserver into a CRD provided by cluster-config-operator. This way the CRD gets installed long before openshift-apiserver is deployed.

But we have not moved the standard SCC manifest(s) out of openshift-apiserver. We need to move these as well. A good place would be kube-apiserver-operator.


How reproducible:
Always

Because the default SCCs are not created early enough, we see errors like the following:
I0114 20:56:27.810408       1 event.go:281] Event(v1.ObjectReference{Kind:"ReplicaSet", Namespace:"openshift-cluster-node-tuning-operator", Name:"cluster-node-tuning-operator-589fff797f", UID:"7bff9c12-2737-4ec3-993e-1c8e0526106b", APIVersion:"apps/v1", ResourceVersion:"938", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "cluster-node-tuning-operator-589fff797f-" is forbidden: no SecurityContextConstraints found in cluster

Comment 1 Abu Kashem 2020-01-21 17:01:03 UTC
The default SCCs created by openshift-apiserver [1] are also present in the manifests folder of the cluster-kube-apiserver-operator [2].
[1] https://github.com/openshift/openshift-apiserver/blob/master/pkg/bootstrappolicy/securitycontextconstraints.go#L52
[2] https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests

After investigating we found out that CVO uses a protobuf client for `SecurityContextConstraints`:
https://github.com/openshift/cluster-version-operator/blob/master/lib/resourcebuilder/security.go#L21

The protobuf client does not work with CRD types. We have opened a pull request on CVO to resolve this:
https://github.com/openshift/cluster-version-operator/pull/308
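
The content-negotiation failure behind comment 1, shown as an added example that is not CVO's code and not the change in PR 308: a constructed mock of kube-apiserver that, like the real one, serves a CRD-backed resource only as JSON and answers a protobuf Accept header with 406 Not Acceptable. The client helper shows the protobuf request failing, the JSON request succeeding, and a JSON fallback (the PR simply switches the SCC client to JSON; the fallback is a generalisation). The resource path uses the real security.openshift.io/v1 group; the mock's response body and the helper names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Content types as negotiated by client-go; protobuf is what the old CVO
// client asked for, JSON is what a CRD-backed type can actually be served as.
const (
	ContentTypeProtobuf = "application/vnd.kubernetes.protobuf"
	ContentTypeJSON     = "application/json"
)

// sccPath is the API path of the SCC resource once it is served as a CRD.
const sccPath = "/apis/security.openshift.io/v1/securitycontextconstraints/"

// SCC holds the few fields this example inspects.
type SCC struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
}

// newFakeAPIServer is a constructed stand-in for kube-apiserver (assumption:
// not the real server). It mirrors the behaviour this bug exposed: a CRD
// resource is only serialisable as JSON, so a protobuf Accept gets 406.
func newFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, sccPath) {
			http.NotFound(w, r)
			return
		}
		if strings.Contains(r.Header.Get("Accept"), ContentTypeProtobuf) {
			http.Error(w, "406: Not Acceptable", http.StatusNotAcceptable)
			return
		}
		name := strings.TrimPrefix(r.URL.Path, sccPath)
		w.Header().Set("Content-Type", ContentTypeJSON)
		fmt.Fprintf(w, `{"kind":"SecurityContextConstraints","metadata":{"name":%q}}`, name)
	}))
}

// GetSCC fetches one SCC with the given Accept header and returns the HTTP
// status plus the decoded object (nil unless the status is 200).
func GetSCC(baseURL, name, accept string) (int, *SCC, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+sccPath+name, nil)
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Accept", accept)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return resp.StatusCode, nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, nil, nil
	}
	var scc SCC
	if err := json.Unmarshal(body, &scc); err != nil {
		return resp.StatusCode, nil, err
	}
	return resp.StatusCode, &scc, nil
}

// GetSCCWithFallback asks for protobuf first and retries as JSON on 406.
// This is a generalisation for illustration; the real fix never asks a
// CRD-backed type for protobuf at all.
func GetSCCWithFallback(baseURL, name string) (*SCC, error) {
	status, scc, err := GetSCC(baseURL, name, ContentTypeProtobuf)
	if err != nil {
		return nil, err
	}
	if status == http.StatusNotAcceptable {
		status, scc, err = GetSCC(baseURL, name, ContentTypeJSON)
		if err != nil {
			return nil, err
		}
	}
	if status != http.StatusOK {
		return nil, fmt.Errorf("get scc %s: unexpected status %d", name, status)
	}
	return scc, nil
}

func main() {
	srv := newFakeAPIServer()
	defer srv.Close()
	for _, accept := range []string{ContentTypeProtobuf, ContentTypeJSON} {
		status, scc, err := GetSCC(srv.URL, "restricted", accept)
		fmt.Printf("Accept=%s -> status=%d got_object=%v err=%v\n", accept, status, scc != nil, err)
	}
}
```

Against a real cluster the same 406 surfaces as "the server was unable to return a response in the requested format"; the fix is to build the client for CRD-backed types with the JSON content type rather than to retry.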

Comment 4 Abu Kashem 2020-01-23 16:23:10 UTC
reopening as we need to track it for back porting.

Comment 6 Xingxing Xia 2020-02-24 08:20:39 UTC
Moving to VERIFIED after bug 1794309#c7 and bug 1794309#c9 were checked.

Comment 8 errata-xmlrpc 2020-05-04 11:25:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

