Bug 1793587 - sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.3.z
Assignee: Luis Sanchez
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On: 1792107
Blocks:
Reported: 2020-01-21 15:47 UTC by Luis Sanchez
Modified: 2020-02-25 06:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1792107
Environment:
Last Closed: 2020-02-25 06:17:59 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift apiserver-library-go pull 21 | 0 | None | closed | [release-4.3] Bug 1793587: sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx" | 2020-06-15 18:12:24 UTC
Github | openshift origin pull 24428 | 0 | None | closed | [release-4.3] Bug 1793587: sccadmission plugin incorrectly reports "no SecurityContextConstraints found in xxx" | 2020-06-15 18:12:25 UTC
Red Hat Product Errata | RHBA-2020:0528 | 0 | None | None | None | 2020-02-25 06:18:15 UTC

Comment 2 Ke Wang 2020-02-18 09:54:23 UTC
Since we have comprehensive unit tests that exercise all these scenarios, will verify this directly.
Verified with OCP build 4.3.0-0.nightly-2020-02-17-110952.

Related test code can cover the fix:
$ cd ~
$ git clone https://github.com/openshift/apiserver-library-go.git  # or git pull if already cloned
$ cd apiserver-library-go
$ git branch -a
$ git checkout -b release-4.3 origin/release-4.3
$ cd pkg/securitycontextconstraints/sccadmission
$ ls
admission.go  admission_test.go  intializers.go  scc_exec.go  scc_exec_test.go

$ go test -v -run 'Test.*'
=== RUN   TestFailClosedOnInvalidPod
--- PASS: TestFailClosedOnInvalidPod (0.00s)
=== RUN   TestAdmitCaps
--- PASS: TestAdmitCaps (0.00s)
=== RUN   TestAdmitSuccess
--- PASS: TestAdmitSuccess (0.00s)
=== RUN   TestAdmitFailure
--- PASS: TestAdmitFailure (0.00s)
=== RUN   TestCreateProvidersFromConstraints
--- PASS: TestCreateProvidersFromConstraints (0.00s)
=== RUN   TestMatchingSecurityContextConstraints
--- PASS: TestMatchingSecurityContextConstraints (0.00s)
=== RUN   TestAdmitWithPrioritizedSCC
--- PASS: TestAdmitWithPrioritizedSCC (0.00s)
=== RUN   TestAdmitSeccomp
--- PASS: TestAdmitSeccomp (0.00s)
=== RUN   TestAdmitPreferNonmutatingWhenPossible
--- PASS: TestAdmitPreferNonmutatingWhenPossible (0.00s)
=== RUN   TestExecAdmit
--- PASS: TestExecAdmit (0.00s)
    scc_exec_test.go:115: attach check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
    scc_exec_test.go:115: exec check: testing.GetActionImpl{ActionImpl:testing.ActionImpl{Namespace:"namespace", Verb:"get", Resource:schema.GroupVersionResource{Group:"", Version:"v1", Resource:"pods"}, Subresource:""}, Name:"pod-name"}
PASS
ok  	github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission	0.025s

We can see all related test cases have passed.

Comment 4 errata-xmlrpc 2020-02-25 06:17:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0528

