Bug 1827335 - Remove stale condition DefaultSecurityContextConstraints_Mutated
Summary: Remove stale condition DefaultSecurityContextConstraints_Mutated
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: 4.5.0
Assignee: Abu Kashem
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1827336
TreeView+ depends on / blocked
 
Reported: 2020-04-23 16:49 UTC by Abu Kashem
Modified: 2020-05-20 17:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1827336 (view as bug list)
Environment:
Last Closed: 2020-05-20 17:05:51 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Abu Kashem 2020-04-23 16:49:08 UTC
Description of problem:
In OpenShift 4.3.14 we have reverted DefaultSecurityContextConstraints_Mutated. We removed the controller that sets Upgradeable to False if any default SCC has been mutated.

But on an affected cluster (pre 4.3.14) that already has user-modified default SCCs the stale condition does not get removed after upgrade.



Version-Release number of selected component (if applicable):
OpenShift 4.3.14

How reproducible:
Always

Steps to Reproduce:
1. install ocp v4.3.13
2. trigger upgradeable=false by mutating default scc
Change the default SCC 
$ oc patch scc privileged --type json -p '[{"op": "add", "path": "/users/-", "value": "e2e-user"}]'
$ oc patch scc anyuid --type json -p '[{"op": "add", "path": "/users/-", "value": "e2e-user"}]'
    
# ./oc get scc privileged -o json|jq .users
[
  "system:admin",
  "system:serviceaccount:openshift-infra:build-controller",
  "e2e-user"
]

3. With path 4.3.13-4.3.14 and do upgrade.
$ oc adm upgrade --to=4.3.14
Updating to 4.3.14

$ oc get clusterversion version -o json|jq .status.conditions[-1]
{
  "lastTransitionTime": "2020-04-23T04:07:33Z",
  "message": "Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid privileged]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"
}

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.14    True        False         34m     Cluster version is 4.3.14

Checking the changed the default SCC, still be there.

$ oc get scc privileged -o json | jq .users
[
  "system:admin",
  "system:serviceaccount:openshift-infra:build-controller",
  "e2e-user"
]

$ oc get scc anyuid -o json | jq .users
[
  "e2e-user"
]

Actual results:
$ oc get clusterversion version -o json|jq .status.conditions[-1]
{
  "lastTransitionTime": "2020-04-23T04:07:33Z",
  "message": "Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid privileged]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"
}

Expected results:
"Upgradeable" condition of clusterversion/version should not have DefaultSecurityContextConstraints_Mutated.

Additional info:

Comment 1 Abu Kashem 2020-04-23 19:06:59 UTC
Hi xxia@redhat.com,
This is not applicable to 4.5. The stale condition can make it to 4.4 if a user applies a force upgrade 4.3 -> 4.4. So we are going to provide a fix for both 4.3 and 4.4.

Once qe verifies that it is impossible for stale condition to persist in 4.4 then this BZ can be moved to verified as well. Please do let me know if you have any concern with this.

Comment 2 Abu Kashem 2020-05-18 20:18:42 UTC
Hi xxia@redhat.com,
can you verify and then close this BZ? there was no change for 4.5. We pushed changes to 4.4 and 4.3 branches and the corresponding BZs have already been verified and closed.

Comment 3 Abu Kashem 2020-05-20 17:05:51 UTC
The stale condition exists in 4.3, we have verified that when we do 4.3 -> 4.4 upgrade the stale condition do not persist. So no ripple effect on 4.5. Also, we are not going to cover a 4.3 -> 4.5 upgrade scenario. closing it.


Note You need to log in before you can comment on or make changes to this bug.