Bug 1793209 - Move default SCC creation from openshift-apiserver to kube-apiserver operator
Summary: Move default SCC creation from openshift-apiserver to kube-apiserver operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.4.0
Assignee: Abu Kashem
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1794309 1794454 1794468
TreeView+ depends on / blocked
 
Reported: 2020-01-20 22:39 UTC by Abu Kashem
Modified: 2020-05-04 11:26 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Default SecurityContextConstraints (SCCs) are now created and maintained through the kube-apiserver operator. Every change to those by the user is eventually overwritten.
Clone Of:
: 1794309 1794454 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:25:34 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift cluster-version-operator pull 308 None closed Bug 1793209: Don't use protobuf client for SecurityContextConstraints 2020-10-26 14:43:49 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:26:15 UTC

Description Abu Kashem 2020-01-20 22:39:35 UTC
We have moved SecurityContextConstraints type from openshift-apiserver into a CRD provided by cluster-config-operator. This way the CRD gets installed long before openshift-apiservrer is deployed.

But we have not moved the standard SCC manifest(s) in openshift-apiserver. We need to move these as well. A good place would be kube-apiservrer-operator.


How reproducible:
Always

Because the default SCC are not created early enough we see errors like the following:
I0114 20:56:27.810408       1 event.go:281] Event(v1.ObjectReference{Kind:"ReplicaSet", Namespace:"openshift-cluster-node-tuning-operator", Name:"cluster-node-tuning-operator-589fff797f", UID:"7bff9c12-2737-4ec3-993e-1c8e0526106b", APIVersion:"apps/v1", ResourceVersion:"938", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "cluster-node-tuning-operator-589fff797f-" is forbidden: no SecurityContextConstraints found in cluster

Comment 1 Abu Kashem 2020-01-21 17:01:03 UTC
The default SCC created by openshift-apiserver [1] are also present in the manifests folder of the cluster-kube-apiserver-operator operator [2]. 
[1] https://github.com/openshift/openshift-apiserver/blob/master/pkg/bootstrappolicy/securitycontextconstraints.go#L52
[2] https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests (edited) 

After investigating we found out that CVO uses a protobuf client for `SecurityContextConstraints`.  
https://github.com/openshift/cluster-version-operator/blob/master/lib/resourcebuilder/security.go#L21. 

protobuf client does not work with CRD type. We have opened a pull request on cvo to resolve this
https://github.com/openshift/cluster-version-operator/pull/308

Comment 4 Abu Kashem 2020-01-23 16:23:10 UTC
reopening as we need to track it for back porting.

Comment 6 Xingxing Xia 2020-02-24 08:20:39 UTC
Moving to verified after bug 1794309#c7 and bug 1794309#c9 checked

Comment 8 errata-xmlrpc 2020-05-04 11:25:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.