Bug 1808602 - kube-apiserver operator should go upgradeable=false if SCC has changed
Summary: kube-apiserver operator should go upgradeable=false if SCC has changed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.3.z
Assignee: Abu Kashem
QA Contact: Xingxing Xia
URL:
Whiteboard:
: 1806568 (view as bug list)
Depends On: 1794309
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-28 22:38 UTC by Abu Kashem
Modified: 2020-04-08 19:03 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1806568
Environment:
Last Closed: 2020-03-24 14:34:23 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 784 0 None closed Bug 1808602: kube-apiserver-operator should set upgradeable=false if default SCC mutates 2020-10-13 13:11:23 UTC
Red Hat Product Errata RHBA-2020:0858 0 None None None 2020-03-24 14:34:44 UTC

Internal Links: 1818893 1821447 1821448

Description Abu Kashem 2020-02-28 22:38:25 UTC
+++ This bug was initially created as a clone of Bug #1806568 +++

In 4.4, the SCC is maintained by the CVO.  This means that the ratchet logic of "reconcile-scc" has been lost.  Overall this is good (we documented that nothing should change the bootstrap SCC), but practically, anyone who has changed needs to handle the situation before they upgrade and have the resources stomped.

We can make a change to 4.3.z which prevents upgrades (upgradeable=false) on fairly complicated predicates and provide links and help for dealing with the situation *before* it goes bad.

Comment 3 Xingxing Xia 2020-03-16 10:33:49 UTC
Above PR is from cluster-kube-apiserver-operator instead of openshift-apiserver. The bug's title has typo.
Verified in 4.3.0-0.nightly-2020-03-15-112942:
$ oc edit scc # remove "- projected" under anyuid and restricted
Then found Upgradeable becomes False:
$ oc get co kube-apiserver -o json | jq -r '.status.conditions[] | select(.type == "Upgradeable")'
{
  "lastTransitionTime": "2020-03-16T10:31:07Z",
  "message": "DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid restricted]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"
}

$ oc edit scc # add the removed stuff back
Then Upgradeable becomes True.

Comment 5 errata-xmlrpc 2020-03-24 14:34:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0858

Comment 6 Abu Kashem 2020-04-08 19:03:36 UTC
*** Bug 1806568 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.