Bug 1823704 - CDI operator is modifying SCC instead of creating a new one
Summary: CDI operator is modifying SCC instead of creating a new one
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 2.3.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 2.3.0
Assignee: Michael Henriksen
QA Contact: Kevin Alon Goldblatt
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-14 10:18 UTC by Nelly Credi
Modified: 2020-05-06 11:14 UTC (History)

Fixed In Version: hco-bundle-registry-container-v2.3.0-127 virt-cdi-operator-container-v2.3.0-41
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-06 11:14:26 UTC
Target Upstream Version:
Embargoed:


Links:
- GitHub kubevirt/containerized-data-importer pull 1174 (closed): use dedicated SCC. Last updated 2021-01-12 08:40:24 UTC
- GitHub kubevirt/containerized-data-importer pull 1177 (closed): Cherrypick #1174 (use dedicated SCC). Last updated 2021-01-12 08:41:02 UTC

Description Nelly Credi 2020-04-14 10:18:26 UTC
Description of problem:
CDI operator is modifying out of the box SCC instead of creating a new one

Version-Release number of selected component (if applicable):
2.3

How reproducible:
100

Steps to Reproduce:
1.
2.
3.

Actual results:
CDI operator is modifying out of the box SCC instead of creating a new one

Expected results:
CDI operator should create its own SCCs

Additional info:

Comment 1 Ying Cui 2020-04-15 12:21:18 UTC
Michael, if we attach the pr into bug, then you can change it to POST status.

Comment 2 Natalie Gavrielov 2020-04-22 12:19:27 UTC
Michael, can you please help with the verification steps?

Comment 3 Michael Henriksen 2020-04-22 12:42:46 UTC
1. Verify that "anyuid" SCC does not contain user "system:serviceaccount:<install namespace>:cdi-sa"
2. Verify that "containerized-data-importer" SCC exists
3. Verify that "containerized-data-importer" SCC contains user "system:serviceaccount:<install namespace>:cdi-sa"


This should be the case for fresh installs as well as upgrades to latest version.

Comment 4 Michael Henriksen 2020-04-22 12:51:21 UTC
May want to also verify that if the "containerized-data-importer" SCC is deleted, it will get recreated.
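The three checks from comment 3, as an added example that is not part of the thread or of the CDI project: a Python script that applies them to the JSON printed by `oc get scc -o json` (assumed piped on stdin; the script name, the default namespace openshift-cnv and the embedded sample data are assumptions).

```python
# Added example (not code from the thread or the CDI project): applies the
# three checks from comment 3 to the JSON printed by `oc get scc -o json`.
# Sample data below is constructed to mirror the output shown in comment 5.
import json
import sys

CDI_SCC_NAME = "containerized-data-importer"

def cdi_service_account(namespace):
    """User entry the CDI operator should add to its dedicated SCC only."""
    return f"system:serviceaccount:{namespace}:cdi-sa"

def check_dedicated_scc(scc_list, namespace):
    """Return {check name: passed} for the three conditions in comment 3.
    scc_list is parsed `oc get scc -o json`; a missing or null `users` counts as empty."""
    by_name = {item["metadata"]["name"]: item for item in scc_list.get("items", [])}
    sa = cdi_service_account(namespace)
    anyuid_users = by_name.get("anyuid", {}).get("users") or []
    cdi_scc = by_name.get(CDI_SCC_NAME)
    cdi_users = (cdi_scc or {}).get("users") or []
    return {
        "anyuid_does_not_list_cdi_sa": sa not in anyuid_users,  # step 1
        "cdi_scc_exists": cdi_scc is not None,                   # step 2
        "cdi_scc_lists_cdi_sa": sa in cdi_users,                 # step 3
    }

def check_from_json(text, namespace):
    """Same checks, starting from the raw JSON text that oc printed."""
    return check_dedicated_scc(json.loads(text), namespace)

# Constructed sample: state after the fix, as shown in comment 5.
FIXED_SAMPLE = {"items": [
    {"metadata": {"name": "anyuid"}, "users": []},
    {"metadata": {"name": CDI_SCC_NAME},
     "users": ["system:serviceaccount:openshift-cnv:cdi-sa"]},
]}
# Constructed sample: the reported bug, cdi-sa patched into the stock anyuid SCC.
BUGGY_SAMPLE = {"items": [
    {"metadata": {"name": "anyuid"},
     "users": ["system:serviceaccount:openshift-cnv:cdi-sa"]},
]}

if __name__ == "__main__":
    # Usage (assumed script name): oc get scc -o json | python3 check_cdi_scc.py openshift-cnv
    ns = sys.argv[1] if len(sys.argv) > 1 else "openshift-cnv"
    results = check_from_json(sys.stdin.read(), ns)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

The deletion check from comment 4 needs a live cluster (delete the SCC, wait, rerun the script), so it is not automated here.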

Comment 5 Kevin Alon Goldblatt 2020-04-22 14:50:30 UTC
On a fresh install this is verified. Now awaiting results of an upgrade before moving to verified. 

Checked with the following code:
-----------------------------------------
oc version
Client Version: 4.4.0-0.nightly-2020-02-17-022408
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1


oc get csv --all-namespaces
NAMESPACE                              NAME                                      DISPLAY                           VERSION   REPLACES   PHASE
openshift-cnv                          kubevirt-hyperconverged-operator.v2.3.0   Container-native virtualization   2.3.0                Succeeded
openshift-operator-lifecycle-manager   packageserver                             Package Server                    0.14.2               Succeeded



A fresh install has the following scc's:
-----------------------------------------
NAME                          AGE
anyuid                        28h
bridge-marker                 27h
containerized-data-importer   27h
hostaccess                    28h
hostmount-anyuid              28h
hostnetwork                   28h
hostpath-provisioner          27h
kubevirt-controller           27h
kubevirt-handler              27h
linux-bridge                  27h
nmstate                       27h
node-exporter                 28h
nonroot                       28h
ovs-cni-marker                27h
privileged                    28h
restricted                    28h



oc get scc anyuid -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: "2020-04-21T10:00:19Z"
  generation: 1
  name: anyuid
  resourceVersion: "552"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: 5863522b-e96a-4362-b9f7-20a23562ba19
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret



oc get scc containerized-data-importer -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  creationTimestamp: "2020-04-21T10:48:59Z"
  generation: 1
  labels:
    cdi.kubevirt.io: ""
  name: containerized-data-importer
  ownerReferences:
  - apiVersion: cdi.kubevirt.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: CDI
    name: cdi-kubevirt-hyperconverged
    uid: 0f553a07-07d5-4ad0-b6bd-72f9b79ae5cd
  resourceVersion: "31921"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/containerized-data-importer
  uid: b17c9de6-72fa-450c-bf84-be41ca602d16
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:openshift-cnv:cdi-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
[cloud-user@ocp-psi-executor kev]$  oc get version
error: the server doesn't have a resource type "version"
[cloud-user@ocp-psi-executor kev]$ oc version
Client Version: 4.4.0-0.nightly-2020-02-17-022408
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1

Comment 6 Guy Inger 2020-04-22 15:12:30 UTC
Hey, this happens to me too on an ocp-4.3-cnv-2.3 environment (that I'm trying to upgrade to ocp-4.4-cnv-2.3).
virt-cdi-operator-container version is: v2.3.0-41

Comment 7 Kevin Alon Goldblatt 2020-04-26 09:14:17 UTC
This is the result after upgrade from ocp4.3 cnv2.2 to ocp4.4 cnv2.3. 
-------------------------------------------------------------------

Michael, can you verify that the results from comments 5 and 7 satisfy the conditions required to verify this bz?

 oc get scc
NAME                          AGE
anyuid                        30h
bridge-marker                 29h
containerized-data-importer   3h37m
hostaccess                    30h
hostmount-anyuid              30h
hostnetwork                   30h
hostpath-provisioner          29h
kubevirt-controller           29h
kubevirt-handler              29h
linux-bridge                  29h
nmstate                       29h
node-exporter                 30h
nonroot                       30h
ovs-cni-marker                29h
privileged                    30h
restricted                    30h



[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc anyuid -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: "2020-04-22T11:18:12Z"
  generation: 3
  name: anyuid
  resourceVersion: "705209"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: a5e8b165-6385-401f-a424-feed13c825a1
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret



[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc containerized-data-importer -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  creationTimestamp: "2020-04-23T13:50:03Z"
  generation: 3
  labels:
    cdi.kubevirt.io: ""
  name: containerized-data-importer
  ownerReferences:
  - apiVersion: cdi.kubevirt.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: CDI
    name: cdi-kubevirt-hyperconverged
    uid: aae92142-03dc-47f7-b047-cf02afce2809
  resourceVersion: "705759"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/containerized-data-importer
  uid: bcd990f8-67d7-4876-805d-788d423cf783
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:openshift-cnv:cdi-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc version
Client Version: 4.3.10
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1

Comment 8 Kevin Alon Goldblatt 2020-04-27 08:24:34 UTC
Verified deleting the containerized-data-importer and it was recreated.

So all Michael's comments in comments 3 and 4 have been satisfied. Moving to VERIFIED!

[cnv-qe-jenkins@cnv-executor-ginger2 ~]$  export KUBECONFIG="/home/cnv-qe-jenkins/oc4/working/auth/kubeconfig"
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc
NAME                          AGE
anyuid                        4d21h
bridge-marker                 4d20h
containerized-data-importer   3d18h
hostaccess                    4d21h
hostmount-anyuid              4d21h
hostnetwork                   4d21h
hostpath-provisioner          4d20h
kubevirt-controller           4d20h
kubevirt-handler              4d20h
linux-bridge                  4d20h
nmstate                       4d20h
node-exporter                 4d20h
nonroot                       4d21h
ovs-cni-marker                4d20h
privileged                    4d21h
restricted                    4d21h
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc delete scc containerized-data-importer
securitycontextconstraints.security.openshift.io "containerized-data-importer" deleted
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc
NAME                          AGE
anyuid                        4d21h
bridge-marker                 4d20h
containerized-data-importer   3s
hostaccess                    4d21h
hostmount-anyuid              4d21h
hostnetwork                   4d21h
hostpath-provisioner          4d20h
kubevirt-controller           4d20h
kubevirt-handler              4d20h
linux-bridge                  4d20h
nmstate                       4d20h
node-exporter                 4d20h
nonroot                       4d21h
ovs-cni-marker                4d20h
privileged                    4d21h
restricted                    4d21h


Moving to VERIFIED

Comment 9 Michael Henriksen 2020-05-01 12:25:53 UTC
clearing needinfo

