We have moved SecurityContextConstraints type from openshift-apiserver into a CRD provided by cluster-config-operator. This way the CRD gets installed long before openshift-apiserver is deployed. But we have not moved the standard SCC manifest(s) in openshift-apiserver. We need to move these as well. A good place would be kube-apiserver-operator.

How reproducible: Always

Because the default SCC are not created early enough we see errors like the following:

I0114 20:56:27.810408 1 event.go:281] Event(v1.ObjectReference{Kind:"ReplicaSet", Namespace:"openshift-cluster-node-tuning-operator", Name:"cluster-node-tuning-operator-589fff797f", UID:"7bff9c12-2737-4ec3-993e-1c8e0526106b", APIVersion:"apps/v1", ResourceVersion:"938", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "cluster-node-tuning-operator-589fff797f-" is forbidden: no SecurityContextConstraints found in cluster
The default SCC created by openshift-apiserver [1] are also present in the manifests folder of the cluster-kube-apiserver-operator operator [2].

[1] https://github.com/openshift/openshift-apiserver/blob/master/pkg/bootstrappolicy/securitycontextconstraints.go#L52
[2] https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests

After investigating we found out that CVO uses a protobuf client for `SecurityContextConstraints`. https://github.com/openshift/cluster-version-operator/blob/master/lib/resourcebuilder/security.go#L21. protobuf client does not work with CRD type. We have opened a pull request on cvo to resolve this https://github.com/openshift/cluster-version-operator/pull/308
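The protobuf/CRD mismatch described in the comment above, as an added example that is not part of the bug comments, the CVO code or the linked pull request. It assumes the documented Kubernetes API behaviour that CRD-defined resources are served as JSON only and that a request accepting only protobuf is answered with 406; `crdBackedHandler` and `listSCC` are hypothetical names, and the handler is a constructed stand-in for the API server.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	protobufType = "application/vnd.kubernetes.protobuf"
	jsonType     = "application/json"
	sccPath      = "/apis/security.openshift.io/v1/securitycontextconstraints"
)

// crdBackedHandler is a constructed stand-in for an API server endpoint that
// serves a CRD-defined resource: it can encode JSON, never protobuf.
func crdBackedHandler(w http.ResponseWriter, r *http.Request) {
	for _, mt := range strings.Split(r.Header.Get("Accept"), ",") {
		if strings.TrimSpace(mt) == jsonType {
			w.Header().Set("Content-Type", jsonType)
			io.WriteString(w, `{"kind":"SecurityContextConstraintsList","items":[]}`)
			return
		}
	}
	// No media type the CRD endpoint can produce was offered.
	http.Error(w, "only JSON is served for this resource", http.StatusNotAcceptable)
}

// listSCC sends a list request with the given Accept header straight to the
// handler (no network) and returns the status and the chosen Content-Type.
func listSCC(h http.Handler, accept string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, sccPath, nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Type")
}

func main() {
	h := http.HandlerFunc(crdBackedHandler)
	// A protobuf-only client fails; one that offers a JSON fallback succeeds.
	for _, accept := range []string{protobufType, protobufType + ", " + jsonType} {
		code, ctype := listSCC(h, accept)
		fmt.Printf("Accept: %-55s -> %d %s\n", accept, code, ctype)
	}
}
```

A client that must create objects for both built-in and CRD-backed types during bootstrap needs JSON in its accepted content types, otherwise the write never lands and admission finds no SCC.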
Reopening as we need to track it for backporting.
Moving to verified after bug 1794309#c7 and bug 1794309#c9 checked
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581