Bug 1806568 - openshift-apiserver-operator should go upgradeable=false if SCC has changed
Summary: openshift-apiserver-operator should go upgradeable=false if SCC has changed
Keywords:
Status: CLOSED DUPLICATE of bug 1808602
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.3.z
Assignee: Abu Kashem
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On: 1810596
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-24 14:40 UTC by David Eads
Modified: 2020-04-08 19:03 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1808602 1810596 (view as bug list)
Environment:
Last Closed: 2020-04-08 19:03:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 784 0 None closed Bug 1808602: kube-apiserver-operator should set upgradeable=false if default SCC mutates 2020-10-13 13:12:33 UTC

Description David Eads 2020-02-24 14:40:35 UTC 
In 4.4, the SCC is maintained by the CVO.  This means that the ratchet logic of "reconcile-scc" has been lost.  Overall this is good (we documented that nothing should change the bootstrap SCC), but practically, anyone who has changed needs to handle the situation before they upgrade and have the resources stomped.

We can make a change to 4.3.z which prevents upgrades (upgradeable=false) on fairly complicated predicates and provide links and help for dealing with the situation *before* it goes bad.
Comment 1 Xingxing Xia 2020-03-16 10:35:16 UTC 
This bug's above PR and title were same as bug 1808602. Dup?
Comment 2 Abu Kashem 2020-04-08 19:03:36 UTC 
Yes, closing it, since it's a dup of 1808602.

*** This bug has been marked as a duplicate of bug 1808602 ***
Note You need to log in before you can comment on or make changes to this bug.