Description of problem:
CNV 2.3 adds 3 openshift-cnv users to the privileged SecurityContextConstraints. These are not added in 2.4. When upgrading from 2.3 -> 2.4, the users are not removed.

Version-Release number of selected component (if applicable):
CNV 2.3.0 -> 2.4.0 upgrade

How reproducible:
100%

Steps to Reproduce:
1. CNV 2.3.0 -> 2.4.0 upgrade

Actual results:
$ oc get SecurityContextConstraints privileged -oyaml
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:openshift-cnv:kubevirt-handler
- system:serviceaccount:openshift-cnv:kubevirt-apiserver
- system:serviceaccount:openshift-cnv:kubevirt-controller

Expected results:
Identical to 2.4:
$ oc get SecurityContextConstraints privileged -oyaml
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller

Additional info:
I tend to think that the right place to remove them is virt-operator. Stu?
yes, if anything is responsible for removing our SAs from a SCC, it's virt-operator.
Aren't kubevirt-handler and kubevirt-controller still in use? Which component creates build-controller? virt-operator certainly never created anything by that name.
the new way of doing this is virt-operator creates SCCs specific for KubeVirt. we still need SCCs, just not to modify the default ones. the 2.3 entries on the default SCC should have been removed. also, build-controller isn't related to us. it's supposed to be on the default scc.
Updating component to Virtualization.
PR submitted, waiting for code review
The PR got merged, is there anything else that is needed?
Just the QE to verify it on CNV 2.6 cluster
Verified 2.5.3 -> 2.6.0 upgrade.

Added the following to SecurityContextConstraints privileged, under users:
- system:serviceaccount:openshift-cnv:kubevirt-handler
- system:serviceaccount:openshift-cnv:kubevirt-apiserver
- system:serviceaccount:openshift-cnv:kubevirt-controller

Before the upgrade:
$ oc get SecurityContextConstraints privileged -oyaml |grep -A6 users
      f:users: {}
    manager: kubectl-edit
    operation: Update
    time: "2021-02-02T08:47:59Z"
  name: privileged
  resourceVersion: "894696"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/privileged
--
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:openshift-cnv:kubevirt-handler
- system:serviceaccount:openshift-cnv:kubevirt-apiserver
- system:serviceaccount:openshift-cnv:kubevirt-controller
volumes:

After the upgrade:
$ oc get SecurityContextConstraints privileged -oyaml |grep -A6 users
      f:users: {}
    manager: virt-operator
    operation: Update
    time: "2021-02-03T13:45:23Z"
  name: privileged
  resourceVersion: "2200531"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/privileged
--
users:
- system:admin
- system:serviceaccount:openshift-infra:build-controller
volumes:
- '*'
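The before/after check above can be scripted so the same audit runs after every upgrade. This is an added example, not code from the bug thread or from virt-operator; it assumes the JSON from `oc get scc privileged -o json` on stdin and otherwise falls back to a constructed sample that mirrors the "Actual results" list.

```python
import json
import sys

# Constructed sample in the shape `oc get scc privileged -o json` returns; it
# mirrors the "Actual results" users list from the bug, not a captured cluster.
SAMPLE_SCC_JSON = json.dumps({
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "privileged"},
    "users": [
        "system:admin",
        "system:serviceaccount:openshift-infra:build-controller",
        "system:serviceaccount:openshift-cnv:kubevirt-handler",
        "system:serviceaccount:openshift-cnv:kubevirt-apiserver",
        "system:serviceaccount:openshift-cnv:kubevirt-controller",
    ],
})

# Users the stock privileged SCC carries (the "Expected results" list).
STOCK_PRIVILEGED_USERS = frozenset({
    "system:admin",
    "system:serviceaccount:openshift-infra:build-controller",
})

def scc_users(scc_json: str) -> list:
    """The users: list of an SCC object; tolerates a missing or null field."""
    return json.loads(scc_json).get("users") or []

def stale_namespace_users(scc_json: str, namespace: str = "openshift-cnv") -> list:
    """Service accounts from `namespace` still listed under users: on the SCC."""
    prefix = f"system:serviceaccount:{namespace}:"
    return sorted(u for u in scc_users(scc_json) if u.startswith(prefix))

def unexpected_users(scc_json: str) -> list:
    """Every user on the SCC that is not in the stock list, whatever its namespace."""
    return sorted(set(scc_users(scc_json)) - STOCK_PRIVILEGED_USERS)

def main() -> int:
    # Usage: oc get scc privileged -o json | python3 scc_audit.py
    data = SAMPLE_SCC_JSON if sys.stdin.isatty() else sys.stdin.read()
    for user in unexpected_users(data):
        print(f"non-stock user on privileged SCC: {user}")
    stale = stale_namespace_users(data)
    if stale:
        print(f"{len(stale)} openshift-cnv service account(s) still bound; upgrade cleanup missing")
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the 2.3-era entries survived the upgrade, which is exactly the condition this bug describes.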
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799