Bug 1829327 - [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: []
Summary: [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enab...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.z
Assignee: Maciej Szulik
QA Contact: zhou ying
Depends On: 1820687
Blocks: 1829328
TreeView+ depends on / blocked
Reported: 2020-04-29 11:59 UTC by Maciej Szulik
Modified: 2020-07-06 20:47 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1820687
: 1829328 (view as bug list)
Last Closed: 2020-07-06 20:47:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-policy-controller pull 25 0 None closed [release-4.4] Bug 1829327: use patch when updating namespace 2020-11-03 10:13:02 UTC
Github openshift openshift-apiserver pull 100 0 None closed [release-4.4] Bug 1829327: allow patch for updating namespace 2020-11-03 10:13:02 UTC
Github openshift origin pull 25161 0 None closed [release-4.4] Bug 1829327: annotations exist, else forbidden: unable to validate 2020-11-03 10:13:02 UTC
Red Hat Product Errata RHBA-2020:2786 0 None None None 2020-07-06 20:47:33 UTC

Comment 1 Maciej Szulik 2020-05-20 08:24:14 UTC
PRs in the queue.

Comment 4 zhou ying 2020-06-15 06:16:50 UTC
Confirmed with payload: 4.4.0-0.nightly-2020-06-14-142924, when update project resource info, check the audit log, will see patch verb operation logs:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3b0f1d39-6033-42fa-ac1c-54222d7c062b","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt","verb":"patch","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":[""],"userAgent":"oc/4.6.0 (linux/amd64) kubernetes/f30826e","objectRef":{"resource":"projects","namespace":"zhouyt","name":"zhouyt","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-15T06:14:06.908085Z","stageTimestamp":"2020-06-15T06:14:06.933318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

Comment 5 Maciej Szulik 2020-06-15 14:50:37 UTC
Ying Zhou you're looking for a patch event against a namespace, not a project.

Comment 8 Maciej Szulik 2020-06-18 17:22:03 UTC
oving this back to dev to merge test update.

Comment 12 zhou ying 2020-06-28 06:28:16 UTC
Maciej Szulik :

With payload :4.4.0-0.nightly-2020-06-27-171816, when I edit the project , I got the event like this : 
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e0c20010-e75d-4599-abf3-bb2d40131f89","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt2","verb":"patch","user":{"username":"testuser-2","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":[""],"userAgent":"oc/4.4.0 (linux/amd64) kubernetes/d89e458","objectRef":{"resource":"projects","namespace":"zhouyt2","name":"zhouyt2","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-28T06:18:14.151078Z","stageTimestamp":"2020-06-28T06:18:14.162907Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"admin/zhouyt2\" of ClusterRole \"admin\" to User \"testuser-2\""}}

The requestURI is /apis/project.openshift.io/v1/projects/zhouyt2, and the events is same as : https://bugzilla.redhat.com/show_bug.cgi?id=1829327#c4, could I verify this issue ?

Comment 13 Maciej Szulik 2020-06-29 14:37:02 UTC
Hmm.... that's not quite the event I'm expecting. I was hoping you'll see this particular changed reflected:

Which is the cluster-policy-controller invoking a patch against a namespace. I'm not saying this is not 
happening, but the above event is not showing that. It would be nice to look for that patch event.
What is important, it's not an update on a project, but creation of one. It's usually after a project is 
created the cluster-policy-controller will react on a newly created namespace and add openshift 
specific annotations related to security. That's the event you're looking for.

Comment 19 errata-xmlrpc 2020-07-06 20:47:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.