Description of problem:
We see these pods running as root in our 4.6 cluster. We didn't see a reason why the operator needs to do that.
- openshift-cluster-storage-operator/cluster-storage-operator
To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required. Can you provide an explanation or change these as appropriate?

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803

How reproducible: Always

Steps to Reproduce:
1. oc exec -n NS POD -- ps -e -o pid,uid,cmd
2.
3.

Actual results:
+ oc exec -n openshift-cluster-storage-operator cluster-storage-operator-54c8c9567c-cl2bf -- ps -e -o pid,uid,cmd
PID UID CMD
  1   0 cluster-storage-operator start

Expected results: UID is not 0

Master Log:
Node Log (of failed PODs):
PV Dump:
PVC Dump:
StorageClass Dump (if StorageClass used by PV/PVC):
Additional info:
@jmcmeek.com, there's a lot of other pods/containers that run as root in OCP, basically everything that runs as cluster-admin. Is cluster-storage-operator special in any way?
Never mind, found the other BZs. For some reason, csi-snapshot-controller-operator was missing.
PID UID CMD
  1   0 /usr/bin/csi-snapshot-controller-operator start -v 5 --config=/var/run/configmaps/config/operator-config.yaml
Verified with: 4.7.0-0.nightly-2021-01-17-211555
$ oc -n openshift-cluster-storage-operator exec cluster-storage-operator-6fff87cc8c-rjjdj -- ps -e -o pid,uid,cmd
PID   UID CMD
  1 10400 cluster-storage-operator start
$ oc -n openshift-cluster-storage-operator exec csi-snapshot-controller-operator-65db554cff-4jg46 -- ps -e -o pid,uid,cmd
PID   UID CMD
  1 10400 /usr/bin/csi-snapshot-controller-operator start -v 5 --config=/var/run/configmaps/config/operator-config.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633
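
The per-pod check from the steps to reproduce, extended to every pod in a namespace. This is an added example, not part of the bug report or of OpenShift's own tooling; the function names root_procs and audit_namespace are hypothetical, and it assumes a logged-in oc and container images that ship ps.

```shell
#!/bin/sh
# Added example: flag UID 0 processes in `ps -e -o pid,uid,cmd` output.

# root_procs (hypothetical name): read ps output on stdin and print
# "PID CMD" for every process whose UID column is 0.
# Exit status: 0 if no root process was seen, 1 if at least one was.
root_procs() {
    awk '
        $2 == "0" {                 # string compare: header and blank lines never match
            pid = $1
            $1 = ""; $2 = ""        # drop PID and UID, keep the full command line
            sub(/^ +/, "")
            print pid, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# audit_namespace NS (hypothetical name): run the same ps command used in
# the report inside every pod of NS and list the processes running as root.
audit_namespace() {
    ns=$1
    oc get pods -n "$ns" -o name | while read -r pod; do
        # </dev/null keeps oc exec from consuming the pod list on stdin
        if ! out=$(oc exec -n "$ns" "$pod" -- ps -e -o pid,uid,cmd </dev/null 2>/dev/null); then
            echo "$pod: could not run ps (no ps in image, or pod not running)" >&2
            continue
        fi
        printf '%s\n' "$out" | root_procs | sed "s|^|$pod: UID 0, pid |"
    done
}

# Offline demo on the two outputs quoted in this report (4.6.9 and 4.7 nightly).
root_procs <<'EOF'
PID UID CMD
  1   0 cluster-storage-operator start
EOF
root_procs <<'EOF'
PID   UID CMD
  1 10400 cluster-storage-operator start
EOF
```

Against a live cluster, call audit_namespace openshift-cluster-storage-operator; an empty result means no container in that namespace reported a UID 0 process.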