Bug 1829328 - [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enabled is forbidden: unable to validate against any security context constraint: []
Summary: [sig-devex][Feature:ImageEcosystem][Slow] openshift images should be SCL enab...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.3.z
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Depends On: 1829327
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-29 12:00 UTC by Maciej Szulik
Modified: 2020-07-14 16:12 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1829327
Environment:
Last Closed: 2020-07-14 16:11:52 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift cluster-policy-controller pull 26 None closed [release-4.3] Bug 1829328: use patch when updating namespace 2020-09-30 16:41:26 UTC
Github openshift openshift-apiserver pull 101 None closed [release-4.3] Bug 1829328: allow patch for updating namespace 2020-09-30 16:41:26 UTC
Red Hat Product Errata RHBA-2020:2872 None None None 2020-07-14 16:12:06 UTC

Comment 1 Maciej Szulik 2020-05-20 08:24:02 UTC
PRs in the queue.

Comment 2 Maciej Szulik 2020-06-18 09:56:04 UTC
This waiting to be merged in the queue.

Comment 5 zhou ying 2020-07-06 08:48:12 UTC
Confirmed with payload: 4.3.0-0.nightly-2020-07-04-055556, when create new project will see the audit logs from kube-apiserver:

sh-4.4# grep namespace-security-allocation-controller audit*|grep patch |grep zhouy
audit.log:{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"8a541723-c513-4f99-a052-f08388db7509","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/zhouy","verb":"patch","user":{"username":"system:serviceaccount:openshift-infra:namespace-security-allocation-controller","uid":"1afe739c-c212-478c-8ac7-cf7f8d8148f9","groups":["system:serviceaccounts","system:serviceaccounts:openshift-infra","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-policy-controller/v0.0.0 (linux/amd64) kubernetes/$Format/system:serviceaccount:openshift-infra:namespace-security-allocation-controller","objectRef":{"resource":"namespaces","namespace":"zhouy","name":"zhouy","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-07-06T08:45:32.542309Z","stageTimestamp":"2020-07-06T08:45:32.549261Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:controller:namespace-security-allocation-controller\" of ClusterRole \"system:openshift:controller:namespace-security-allocation-controller\" to ServiceAccount \"namespace-security-allocation-controller/openshift-infra\""}}

Comment 7 errata-xmlrpc 2020-07-14 16:11:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2872


Note You need to log in before you can comment on or make changes to this bug.