Bug 1806917 - openshift-service-ca-operator: Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.0
Assignee: Standa Laznicka
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks: 1805488 1966621
Reported: 2020-02-25 10:07 UTC by Stefan Schimanski
Modified: 2021-06-01 14:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The namespace openshift-service-ca-operator was labelled with "openshift.io/run-level: 1".
Consequence: Pods inside this namespace ran with extra privileges, because the label exempts the namespace from SCC admission.
Fix: The label was no longer necessary to avoid a circular dependency between components, so it was removed.
Result: The service-ca-operator pods have their privileges scoped down in freshly installed clusters. In clusters that are upgraded to a version containing the fix, it should be safe to remove this label manually (and restart the affected pods).
Clone Of: 1805488
Environment:
Last Closed: 2021-02-24 15:10:53 UTC
Target Upstream Version:
Embargoed:
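The Doc Text above describes both the condition (a namespace carrying openshift.io/run-level, whose pods therefore skip SCC admission) and the manual remediation for upgraded clusters (drop the label, restart the pods). The following audit script is an added example, not code from this bug report or from the service-ca-operator project. It reads the JSON shape produced by `oc get namespaces -o json` and `oc get pods -A -o json` (the samples embedded below are constructed for the example), lists every namespace that carries the run-level label, flags pods that were never stamped with the openshift.io/scc annotation (which SCC admission writes onto each pod it admits, so its absence is the observable sign of the bypass), and prints the remediation commands from the Doc Text for the service-ca-operator namespaces only; the pod names and the second service-ca namespace in the sample are assumptions.

```python
"""Audit OpenShift namespaces for the openshift.io/run-level label.

Added example, not the bug report's or the service-ca-operator project's code.
Input: JSON as emitted by `oc get namespaces -o json` and `oc get pods -A -o json`.
The samples below are constructed for this example.
"""
import json

RUN_LEVEL_LABEL = "openshift.io/run-level"
# SCC admission records the matched SCC on every pod it admits; pods created in a
# run-level 0/1 namespace skip that admission plugin, so the annotation is missing.
SCC_ANNOTATION = "openshift.io/scc"

# Constructed sample, trimmed to the fields the audit reads (namespace list).
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "openshift-service-ca-operator",
                  "labels": {RUN_LEVEL_LABEL: "1"}}},
    {"metadata": {"name": "openshift-service-ca",          # assumed second namespace
                  "labels": {RUN_LEVEL_LABEL: "1"}}},
    {"metadata": {"name": "openshift-monitoring",
                  "labels": {"openshift.io/cluster-monitoring": "true"}}},
    {"metadata": {"name": "kube-system", "labels": {RUN_LEVEL_LABEL: "0"}}},
]})

# Constructed sample (pod list); pod names are invented for the example.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "service-ca-operator-7d9f6b8c5-abcde",
                  "namespace": "openshift-service-ca-operator",
                  "annotations": {}}},
    {"metadata": {"name": "prometheus-k8s-0",
                  "namespace": "openshift-monitoring",
                  "annotations": {SCC_ANNOTATION: "nonroot"}}},
]})


def run_level_namespaces(ns_json):
    """Return {namespace: run-level value} for every namespace carrying the label."""
    found = {}
    for item in json.loads(ns_json).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if RUN_LEVEL_LABEL in labels:
            found[meta["name"]] = labels[RUN_LEVEL_LABEL]
    return found


def pods_without_scc(pods_json):
    """Return [(namespace, pod)] for pods that carry no openshift.io/scc annotation,
    i.e. pods that were not admitted through SCC."""
    missing = []
    for item in json.loads(pods_json).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if SCC_ANNOTATION not in annotations:
            missing.append((meta["namespace"], meta["name"]))
    return missing


def remediation_commands(namespace):
    """The manual fix from the Doc Text as oc commands: remove the label (trailing '-'
    is the kubectl/oc syntax for label removal), then restart the pods so they are
    re-created and admitted through SCC."""
    return [
        f"oc label namespace {namespace} {RUN_LEVEL_LABEL}-",
        f"oc delete pods -n {namespace} --all",
    ]


def audit(ns_json, pods_json):
    """Combine the checks; remediation is emitted only for the namespaces this bug is
    about, since other run-level namespaces (e.g. run-level 0) carry the label on purpose."""
    labelled = run_level_namespaces(ns_json)
    report = {
        "run_level_namespaces": labelled,
        "pods_without_scc": pods_without_scc(pods_json),
        "remediation": {ns: remediation_commands(ns) for ns in labelled
                        if ns.startswith("openshift-service-ca")},
    }
    return report


if __name__ == "__main__":
    # Replace the samples with: ns_json=open("ns.json").read(), pods_json=open("pods.json").read()
    # after `oc get namespaces -o json > ns.json` and `oc get pods -A -o json > pods.json`.
    print(json.dumps(audit(SAMPLE_NAMESPACES, SAMPLE_PODS), indent=2))
```

The script deliberately reports rather than applies: run-level 0 namespaces (kube-system in the sample) carry the label intentionally, so the removal commands are generated only for the service-ca namespaces this bug covers, and you review them before running them against a cluster.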
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift/service-ca-operator | pull 109 | 0 | None | closed | Bug 1806915: remove runlevel=1 from service-ca-operator owned namespaces | 2021-02-11 14:25:34 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:11:46 UTC

Comment 2 Stefan Schimanski 2020-03-12 15:30:45 UTC
Reopened and moved to 4.5.

Comment 3 Stefan Schimanski 2020-05-19 12:30:18 UTC
No progress in 4.5 about this.

Comment 13 Standa Laznicka 2020-12-10 08:16:28 UTC
The PR merged, yet the bot failed to post that fact; moving to MODIFIED manually.

Comment 16 Standa Laznicka 2020-12-10 11:14:11 UTC
The manifest we have got changed properly, yet CVO is not respecting the change when the annotation is supposed to be deleted during upgrade. Moving there.

Comment 18 W. Trevor King 2020-12-10 19:38:42 UTC
Not obvious to me that this is a CVO bug.  I've opened [1] talking through the CVO behavior and floating some possible approaches, if folks want to kick those around.  Still need info from Standa, but now mostly for guidance about any non-CVO actors who could clear the label and about any timeline constraints for CVO-side changes if there are no available non-CVO actors.

[1]: https://issues.redhat.com/browse/OTA-330

Comment 19 W. Trevor King 2020-12-10 19:45:32 UTC
I'm going to move this back to ON_QA and auth, and scope it down to "newly created clusters will no longer have openshift.io/run-level".  If folks feel like they want to turn OTA-330 into a CVO bug about labels not being removed on updates, that's ok with me, but that's orthogonal enough that I don't think we should recycle this bug to be about that.

Comment 24 errata-xmlrpc 2021-02-24 15:10:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
