
Bug 1940776

Summary: Compliance operator pod fails with: Couldn't ensure directory","error":"mkdir /reports/0: permission denied"
Product: OpenShift Container Platform Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance OperatorAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: urgent Docs Contact:
Priority: high    
Version: 4.6.zCC: dahernan, jhrozek, josorior, mrogers, nkinder, nstielau, sbhavsar, xiyuan
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1919311
: 1940781 (view as bug list) Environment:
Last Closed: 2021-03-31 21:50:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1919311    
Bug Blocks: 1940781    

Comment 3 Prashant Dhamdhere 2021-03-22 11:16:39 UTC
[Bug Verification]

Looks good. The operator now uses a separate SA for resultserver, which applies the restricted SCC
to the resultserver pod; the pod's securityContext receives the IDs from the fsGroup option (see the
`fsGroup:` output below), which fixes the permission issue.


Verified On:
4.7.0-0.nightly-2021-03-21-181832
compliance-operator.v0.1.29



# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-03-21-181832   True        False         6h53m   Cluster version is 4.7.0-0.nightly-2021-03-21-181832


# oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.29   Compliance Operator   0.1.29               Succeeded


# oc get sub openshift-compliance-operator47 -o jsonpath='{.spec.channel}'
4.7


# oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-645b4c7cd9-7v9s8              1/1     Running   0          2m23s
ocp4-openshift-compliance-pp-7f7d5d98c5-g4j96     1/1     Running   0          95s
rhcos4-openshift-compliance-pp-5cdcf89b75-jbhxt   1/1     Running   0          96s


# oc get role
NAME                                                            CREATED AT
compliance-operator.v0.1.29                                     2021-03-22T10:35:31Z
compliance-operator.v0.1.29-api-resource-collector-65465ccd46   2021-03-22T10:35:36Z
compliance-operator.v0.1.29-compliance-operator-df6bf598        2021-03-22T10:35:36Z
compliance-operator.v0.1.29-profileparser-5694b55cd4            2021-03-22T10:35:36Z
compliance-operator.v0.1.29-remediation-aggregator-787cb7d6f5   2021-03-22T10:35:38Z
compliance-operator.v0.1.29-rerunner-75b5594c9d                 2021-03-22T10:35:36Z
compliance-operator.v0.1.29-resultscollector-85b496b448         2021-03-22T10:35:36Z
compliance-operator.v0.1.29-resultserver-68c5fb9dd6             2021-03-22T10:35:37Z


# oc get role compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml |tail
  uid: 380e6ff8-325e-4681-b4fa-7224f8de4a02
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - restricted
  resources:
  - securitycontextconstraints
  verbs:
  - use


# oc get rolebinding compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml |tail
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/openshift-compliance/rolebindings/compliance-operator.v0.1.29-resultserver-68c5fb9dd6
  uid: 76cb2174-5124-481b-ba95-7bb3af2e0695
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: compliance-operator.v0.1.29-resultserver-68c5fb9dd6
subjects:
- kind: ServiceAccount
  name: resultserver
  namespace: openshift-compliance


# oc get serviceaccount resultserver
NAME           SECRETS   AGE
resultserver   2         4m2s


# oc get serviceaccount resultserver -oyaml|tail
    controller: false
    kind: ClusterServiceVersion
    name: compliance-operator.v0.1.29
    uid: 2695b3a0-d9fd-401a-bffb-029f92743787
  resourceVersion: "169514"
  selfLink: /api/v1/namespaces/openshift-compliance/serviceaccounts/resultserver
  uid: 4198014e-20bb-42fe-91c5-8d7167662f2e
secrets:
- name: resultserver-dockercfg-bwcms
- name: resultserver-token-n4gdn


# oc create -f -<< EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: my-companys-constraints
> autoApplyRemediations: false
> schedule: "*/5 * * * *"
> rawResultStorage:
>   size: "2Gi"
>   rotation: 10
> roles:
>   - worker
>   - master
> EOF
scansetting.compliance.openshift.io/my-companys-constraints created


# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Cluster checks
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: my-companys-constraints
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created


# oc get pods 
NAME                                              READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-moderate                      0/1     Init:0/1    0          1s
compliance-operator-645b4c7cd9-7v9s8              1/1     Running     0          9m34s
ocp4-moderate-api-checks-pod                      0/2     Completed   0          21s
ocp4-moderate-rs-64967c7798-rx7ll                 1/1     Running     0          21s
ocp4-openshift-compliance-pp-7f7d5d98c5-g4j96     1/1     Running     0          8m46s
rhcos4-openshift-compliance-pp-5cdcf89b75-jbhxt   1/1     Running     0          8m47s


# oc get pod ocp4-moderate-rs-64967c7798-rx7ll -oyaml > 2.yaml

# grep "openshift.io/scc" 2.yaml -B25
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.128.2.247"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.128.2.247"
          ],
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: restricted


# grep "fsGroup:" 2.yaml  -3
        f:schedulerName: {}
        f:securityContext:
          .: {}
          f:fsGroup: {}
          f:seLinuxOptions:
            f:level: {}
        f:serviceAccount: {}
--
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000640000
    seLinuxOptions:
      level: s0:c25,c20
  serviceAccount: resultserver


# oc get suite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT

Comment 5 errata-xmlrpc 2021-03-31 21:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift Container Platform 4.7), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1022