Description of problem:
CDI operator is modifying out of the box SCC instead of creating a new one

Version-Release number of selected component (if applicable):
2.3

How reproducible:
100

Steps to Reproduce:
1.
2.
3.

Actual results:
CDI operator is modifying out of the box SCC instead of creating a new one

Expected results:
CDI operator should create its own SCCs

Additional info:
Michael, if we attach the pr into bug, then you can change it to POST status.
Michael, can you please help with the verification steps?
1. Verify that "anyuid" SCC does not contain user "system:serviceaccount:<install namespace>:cdi-sa"
2. Verify that "containerized-data-importer" SCC exists
3. Verify that "containerized-data-importer" SCC contains user "system:serviceaccount:<install namespace>:cdi-sa"

This should be the case for fresh installs as well as upgrades to latest version.
May want to also verify that if the "containerized-data-importer" SCC is deleted, it will get recreated.
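The verification steps above, scripted as an added example that is not from the bug or the CDI project: it reads the JSON list that `oc get scc -o json` returns and reports which steps fail, using constructed sample data in place of a live cluster. The ownerReference check is taken from the SCC output shown later in this thread; the function names and the default namespace `openshift-cnv` are my own assumptions.

```python
import json

CDI_SCC = "containerized-data-importer"


def cdi_service_account(namespace):
    """Service account that the CDI operator must be granted via its own SCC."""
    return f"system:serviceaccount:{namespace}:cdi-sa"


def scc_by_name(scc_list, name):
    """Find an SCC by name in an 'oc get scc -o json' list; None if absent."""
    return next((i for i in scc_list.get("items", [])
                 if i["metadata"]["name"] == name), None)


def check_cdi_scc(scc_list, namespace="openshift-cnv"):
    """Apply the verification steps; returns failure messages (empty list = pass)."""
    sa = cdi_service_account(namespace)
    failures = []
    anyuid = scc_by_name(scc_list, "anyuid")
    if anyuid is None:
        failures.append("anyuid SCC is missing")
    elif sa in (anyuid.get("users") or []):          # step 1: stock SCC left untouched
        failures.append(f"anyuid still grants {sa}")
    cdi = scc_by_name(scc_list, CDI_SCC)
    if cdi is None:                                   # step 2: operator-owned SCC exists
        failures.append(f"{CDI_SCC} SCC does not exist")
    else:
        if sa not in (cdi.get("users") or []):        # step 3: cdi-sa granted there
            failures.append(f"{CDI_SCC} does not list {sa}")
        owners = cdi["metadata"].get("ownerReferences") or []
        if not any(o.get("kind") == "CDI" and o.get("controller") for o in owners):
            failures.append(f"{CDI_SCC} is not owned by the CDI resource")
    return failures


# Constructed sample of 'oc get scc -o json' after the fix (not real cluster output).
FIXED_CLUSTER = json.loads("""{"items": [
  {"metadata": {"name": "anyuid"}, "users": []},
  {"metadata": {"name": "containerized-data-importer",
                "ownerReferences": [{"kind": "CDI", "controller": true}]},
   "users": ["system:serviceaccount:openshift-cnv:cdi-sa"]}]}""")

# Constructed sample of the state the bug describes: cdi-sa was added to anyuid instead.
BROKEN_CLUSTER = json.loads("""{"items": [
  {"metadata": {"name": "anyuid"},
   "users": ["system:serviceaccount:openshift-cnv:cdi-sa"]}]}""")

if __name__ == "__main__":
    for label, cluster in (("fixed", FIXED_CLUSTER), ("broken", BROKEN_CLUSTER)):
        print(label, check_cdi_scc(cluster) or "OK")
```

On a real cluster, pipe `oc get scc -o json` into `json.load` and pass the result to `check_cdi_scc` with the install namespace; run it again after `oc delete scc containerized-data-importer` to cover the recreation check.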
On a fresh install this is verified. Now awaiting results of an upgrade before moving to verified.

Checked with the following code:
-----------------------------------------
oc version
Client Version: 4.4.0-0.nightly-2020-02-17-022408
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1

oc get csv --all-namespaces
NAMESPACE                              NAME                                      DISPLAY                           VERSION   REPLACES   PHASE
openshift-cnv                          kubevirt-hyperconverged-operator.v2.3.0   Container-native virtualization   2.3.0                Succeeded
openshift-operator-lifecycle-manager   packageserver                             Package Server                    0.14.2               Succeeded

A fresh install has the following scc's:
-----------------------------------------
NAME                          AGE
anyuid                        28h
bridge-marker                 27h
containerized-data-importer   27h
hostaccess                    28h
hostmount-anyuid              28h
hostnetwork                   28h
hostpath-provisioner          27h
kubevirt-controller           27h
kubevirt-handler              27h
linux-bridge                  27h
nmstate                       27h
node-exporter                 28h
nonroot                       28h
ovs-cni-marker                27h
privileged                    28h
restricted                    28h

oc get scc anyuid -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: "2020-04-21T10:00:19Z"
  generation: 1
  name: anyuid
  resourceVersion: "552"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: 5863522b-e96a-4362-b9f7-20a23562ba19
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

oc get scc containerized-data-importer -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  creationTimestamp: "2020-04-21T10:48:59Z"
  generation: 1
  labels:
    cdi.kubevirt.io: ""
  name: containerized-data-importer
  ownerReferences:
  - apiVersion: cdi.kubevirt.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: CDI
    name: cdi-kubevirt-hyperconverged
    uid: 0f553a07-07d5-4ad0-b6bd-72f9b79ae5cd
  resourceVersion: "31921"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/containerized-data-importer
  uid: b17c9de6-72fa-450c-bf84-be41ca602d16
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:openshift-cnv:cdi-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

[cloud-user@ocp-psi-executor kev]$ oc get version
error: the server doesn't have a resource type "version"
[cloud-user@ocp-psi-executor kev]$ oc version
Client Version: 4.4.0-0.nightly-2020-02-17-022408
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1
Hey, this happens to me too on an ocp-4.3-cnv-2.3 environment (that I'm trying to upgrade to ocp-4.4-cnv-2.3).
virt-cdi-operator-container version is: v2.3.0-41
This is the result after upgrade from ocp4.3 cnv2.2 to ocp4.4 cnv2.3.
-------------------------------------------------------------------
Michael, can you verify that the results from comment 5 and 7 satisfy the conditions required to verify this bz?

oc get scc
NAME                          AGE
anyuid                        30h
bridge-marker                 29h
containerized-data-importer   3h37m
hostaccess                    30h
hostmount-anyuid              30h
hostnetwork                   30h
hostpath-provisioner          29h
kubevirt-controller           29h
kubevirt-handler              29h
linux-bridge                  29h
nmstate                       29h
node-exporter                 30h
nonroot                       30h
ovs-cni-marker                29h
privileged                    30h
restricted                    30h

[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc anyuid -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: "2020-04-22T11:18:12Z"
  generation: 3
  name: anyuid
  resourceVersion: "705209"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: a5e8b165-6385-401f-a424-feed13c825a1
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc containerized-data-importer -oyaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  creationTimestamp: "2020-04-23T13:50:03Z"
  generation: 3
  labels:
    cdi.kubevirt.io: ""
  name: containerized-data-importer
  ownerReferences:
  - apiVersion: cdi.kubevirt.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: CDI
    name: cdi-kubevirt-hyperconverged
    uid: aae92142-03dc-47f7-b047-cf02afce2809
  resourceVersion: "705759"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/containerized-data-importer
  uid: bcd990f8-67d7-4876-805d-788d423cf783
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:openshift-cnv:cdi-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc version
Client Version: 4.3.10
Server Version: 4.4.0-rc.8
Kubernetes Version: v1.17.1
Verified deleting the containerized-data-importer and it was recreated. So all Michael's comments in comments 3 and 4 have been satisfied. Moving to VERIFIED!

[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ export KUBECONFIG="/home/cnv-qe-jenkins/oc4/working/auth/kubeconfig"
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc
NAME                          AGE
anyuid                        4d21h
bridge-marker                 4d20h
containerized-data-importer   3d18h
hostaccess                    4d21h
hostmount-anyuid              4d21h
hostnetwork                   4d21h
hostpath-provisioner          4d20h
kubevirt-controller           4d20h
kubevirt-handler              4d20h
linux-bridge                  4d20h
nmstate                       4d20h
node-exporter                 4d20h
nonroot                       4d21h
ovs-cni-marker                4d20h
privileged                    4d21h
restricted                    4d21h
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc delete scc containerized-data-importer
securitycontextconstraints.security.openshift.io "containerized-data-importer" deleted
[cnv-qe-jenkins@cnv-executor-ginger2 ~]$ oc get scc
NAME                          AGE
anyuid                        4d21h
bridge-marker                 4d20h
containerized-data-importer   3s
hostaccess                    4d21h
hostmount-anyuid              4d21h
hostnetwork                   4d21h
hostpath-provisioner          4d20h
kubevirt-controller           4d20h
kubevirt-handler              4d20h
linux-bridge                  4d20h
nmstate                       4d20h
node-exporter                 4d20h
nonroot                       4d21h
ovs-cni-marker                4d20h
privileged                    4d21h
restricted                    4d21h

Moving to VERIFIED
clearing needinfo