Description of problem:
In OpenShift 4.3.14 we have reverted DefaultSecurityContextConstraints_Mutated. We removed the controller that sets Upgradeable to False if any default SCC has been mutated. But on an affected cluster (pre 4.3.14) that already has user-modified default SCCs, the stale condition does not get removed after upgrade.

Version-Release number of selected component (if applicable):
OpenShift 4.3.14

How reproducible:
Always

Steps to Reproduce:
1. Install OCP v4.3.13.
2. Trigger Upgradeable=False by mutating default SCCs. Change the default SCCs:

$ oc patch scc privileged --type json -p '[{"op": "add", "path": "/users/-", "value": "e2e-user"}]'
$ oc patch scc anyuid --type json -p '[{"op": "add", "path": "/users/-", "value": "e2e-user"}]'
# ./oc get scc privileged -o json|jq .users
[
  "system:admin",
  "system:serviceaccount:openshift-infra:build-controller",
  "e2e-user"
]

3. With path 4.3.13-4.3.14, do the upgrade.

$ oc adm upgrade --to=4.3.14
Updating to 4.3.14
$ oc get clusterversion version -o json|jq .status.conditions[-1]
{
  "lastTransitionTime": "2020-04-23T04:07:33Z",
  "message": "Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid privileged]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"
}
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.14    True        False         34m     Cluster version is 4.3.14

Checking the changed default SCCs, they are still there:

$ oc get scc privileged -o json | jq .users
[
  "system:admin",
  "system:serviceaccount:openshift-infra:build-controller",
  "e2e-user"
]
$ oc get scc anyuid -o json | jq .users
[
  "e2e-user"
]

Actual results:
$ oc get clusterversion version -o json|jq .status.conditions[-1]
{
  "lastTransitionTime": "2020-04-23T04:07:33Z",
  "message": "Cluster operator kube-apiserver cannot be upgraded: DefaultSecurityContextConstraintsUpgradeable: Default SecurityContextConstraints object(s) have mutated [anyuid privileged]",
  "reason": "DefaultSecurityContextConstraints_Mutated",
  "status": "False",
  "type": "Upgradeable"
}

Expected results:
The "Upgradeable" condition of clusterversion/version should not have DefaultSecurityContextConstraints_Mutated.

Additional info:
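An added triage helper (not part of this bug report or of OpenShift) that takes the `oc get clusterversion -o json` and `oc get scc <name> -o json` output quoted above, extracts the SCC names from the Upgradeable=False blocker, flags the condition as stale on 4.3.14+ where the controller no longer maintains it, and lists which non-default users each named SCC still carries. The sample JSON is constructed from the report; the default user baseline for privileged is the pre-patch list shown above and anyuid is assumed to ship with no users.

```python
import json
import re
from typing import Dict, List, Optional

MUTATED_REASON = "DefaultSecurityContextConstraints_Mutated"
# Assumed baseline user lists: privileged's two entries are those shown in the
# report before the patch; anyuid is assumed to ship with no users.
DEFAULT_USERS = {
    "privileged": {"system:admin",
                   "system:serviceaccount:openshift-infra:build-controller"},
    "anyuid": set(),
}

# Constructed sample data taken from the command output quoted in the report.
CLUSTERVERSION_JSON = json.dumps({"status": {"conditions": [{
    "lastTransitionTime": "2020-04-23T04:07:33Z",
    "message": "Cluster operator kube-apiserver cannot be upgraded: "
               "DefaultSecurityContextConstraintsUpgradeable: Default "
               "SecurityContextConstraints object(s) have mutated [anyuid privileged]",
    "reason": MUTATED_REASON, "status": "False", "type": "Upgradeable"}]}})
SCC_JSON = {
    "privileged": json.dumps({"metadata": {"name": "privileged"}, "users": [
        "system:admin", "system:serviceaccount:openshift-infra:build-controller",
        "e2e-user"]}),
    "anyuid": json.dumps({"metadata": {"name": "anyuid"}, "users": ["e2e-user"]}),
}


def mutated_sccs(clusterversion_json: str) -> Optional[List[str]]:
    """SCC names listed in the Upgradeable=False blocker, or None if no such condition."""
    for cond in json.loads(clusterversion_json)["status"]["conditions"]:
        if (cond["type"], cond["status"], cond["reason"]) == ("Upgradeable", "False", MUTATED_REASON):
            m = re.search(r"have mutated \[([^\]]*)\]", cond["message"])
            return m.group(1).split() if m else []
    return None

def extra_users(scc_json: str) -> List[str]:
    """Users present on an SCC beyond its assumed default list."""
    scc = json.loads(scc_json)
    return sorted(set(scc.get("users", [])) - DEFAULT_USERS.get(scc["metadata"]["name"], set()))

def is_stale(clusterversion_json: str, running_version: str) -> bool:
    """True when the blocker is set on a release (assumed 4.3.14+) whose controller was removed."""
    parts = tuple(int(p) for p in running_version.split("."))
    return mutated_sccs(clusterversion_json) is not None and parts >= (4, 3, 14)

def triage(clusterversion_json: str, sccs: Dict[str, str]) -> Dict[str, List[str]]:
    """For each SCC named in the blocker, the non-default users still on it."""
    return {n: extra_users(sccs[n]) for n in (mutated_sccs(clusterversion_json) or []) if n in sccs}
```

Run against a live cluster by feeding it the output of the `oc get ... -o json` commands above; a stale blocker with no remaining extra users points at the condition itself, not the SCCs.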
Hi xxia, This is not applicable to 4.5. The stale condition can make it to 4.4 if a user applies a force upgrade 4.3 -> 4.4. So we are going to provide a fix for both 4.3 and 4.4. Once QE verifies that it is impossible for the stale condition to persist in 4.4, then this BZ can be moved to verified as well. Please do let me know if you have any concern with this.
Hi xxia, can you verify and then close this BZ? There was no change for 4.5. We pushed changes to the 4.4 and 4.3 branches, and the corresponding BZs have already been verified and closed.
The stale condition exists in 4.3; we have verified that when we do a 4.3 -> 4.4 upgrade the stale condition does not persist. So no ripple effect on 4.5. Also, we are not going to cover a 4.3 -> 4.5 upgrade scenario. Closing it.