1829327 – [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: []

Bug 1829327 - [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: []

Summary: [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enab...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-controller-manager
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.4.z
Assignee:	Maciej Szulik
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Depends On:	1820687
Blocks:	1829328
TreeView+	depends on / blocked

Reported:	2020-04-29 11:59 UTC by Maciej Szulik
Modified:	2020-07-06 20:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1820687
Clones:	1829328 (view as bug list)
Environment:
Last Closed:	2020-07-06 20:47:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift cluster-policy-controller pull 25	None	closed	[release-4.4] Bug 1829327: use patch when updating namespace	2020-11-03 10:13:02 UTC
Github	openshift openshift-apiserver pull 100	None	closed	[release-4.4] Bug 1829327: allow patch for updating namespace	2020-11-03 10:13:02 UTC
Github	openshift origin pull 25161	None	closed	[release-4.4] Bug 1829327: annotations exist, else forbidden: unable to validate	2020-11-03 10:13:02 UTC
Red Hat Product Errata	RHBA-2020:2786	None	None	None	2020-07-06 20:47:33 UTC

Comment 1 Maciej Szulik 2020-05-20 08:24:14 UTC

PRs in the queue.

Comment 4 zhou ying 2020-06-15 06:16:50 UTC

Confirmed with payload: 4.4.0-0.nightly-2020-06-14-142924, when update project resource info, check the audit log, will see patch verb operation logs:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3b0f1d39-6033-42fa-ac1c-54222d7c062b","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt","verb":"patch","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.52.222"],"userAgent":"oc/4.6.0 (linux/amd64) kubernetes/f30826e","objectRef":{"resource":"projects","namespace":"zhouyt","name":"zhouyt","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-15T06:14:06.908085Z","stageTimestamp":"2020-06-15T06:14:06.933318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

Comment 5 Maciej Szulik 2020-06-15 14:50:37 UTC

Ying Zhou you're looking for a patch event against a namespace, not a project.

Comment 8 Maciej Szulik 2020-06-18 17:22:03 UTC

oving this back to dev to merge test update.

Comment 12 zhou ying 2020-06-28 06:28:16 UTC

Maciej Szulik :

With payload :4.4.0-0.nightly-2020-06-27-171816, when I edit the project , I got the event like this : 
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e0c20010-e75d-4599-abf3-bb2d40131f89","stage":"ResponseComplete","requestURI":"/apis/project.openshift.io/v1/projects/zhouyt2","verb":"patch","user":{"username":"testuser-2","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.14.93"],"userAgent":"oc/4.4.0 (linux/amd64) kubernetes/d89e458","objectRef":{"resource":"projects","namespace":"zhouyt2","name":"zhouyt2","apiGroup":"project.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-06-28T06:18:14.151078Z","stageTimestamp":"2020-06-28T06:18:14.162907Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"admin/zhouyt2\" of ClusterRole \"admin\" to User \"testuser-2\""}}

The requestURI is /apis/project.openshift.io/v1/projects/zhouyt2, and the events is same as : https://bugzilla.redhat.com/show_bug.cgi?id=1829327#c4, could I verify this issue ?

Comment 13 Maciej Szulik 2020-06-29 14:37:02 UTC

Hmm.... that's not quite the event I'm expecting. I was hoping you'll see this particular changed reflected:
https://github.com/openshift/cluster-policy-controller/pull/25/files#diff-096504074ffe8ffa94008df02b53af83R207

Which is the cluster-policy-controller invoking a patch against a namespace. I'm not saying this is not 
happening, but the above event is not showing that. It would be nice to look for that patch event.
What is important, it's not an update on a project, but creation of one. It's usually after a project is 
created the cluster-policy-controller will react on a newly created namespace and add openshift 
specific annotations related to security. That's the event you're looking for.

Comment 19 errata-xmlrpc 2020-07-06 20:47:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2786

Note You need to log in before you can comment on or make changes to this bug.