[Bug Verification] Looks good. Now, the operator uses a separate SA for resultserver that applies the restricted SCC on the resultserver pod, and it does receive the IDs from the fsGroup option, which fixes the permission issue.

Verified on: 4.6.0-0.nightly-2021-03-21-131139 compliance-operator.v0.1.29

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-21-131139   True        False         10h     Cluster version is 4.6.0-0.nightly-2021-03-21-131139

$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.29   Compliance Operator   0.1.29               Succeeded

$ oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.6

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-m5klq              1/1     Running   0          5h52m
ocp4-openshift-compliance-pp-dbdccf4cc-r777l      1/1     Running   0          5h51m
rhcos4-openshift-compliance-pp-75476879b9-6vfm8   1/1     Running   0          5h51m

$ oc get role
NAME                                                            CREATED AT
compliance-operator.v0.1.29-api-resource-collector-65465ccd46   2021-03-22T07:26:16Z
compliance-operator.v0.1.29-compliance-operator-df6bf598        2021-03-22T07:26:18Z
compliance-operator.v0.1.29-profileparser-5694b55cd4            2021-03-22T07:26:17Z
compliance-operator.v0.1.29-remediation-aggregator-787cb7d6f5   2021-03-22T07:26:16Z
compliance-operator.v0.1.29-rerunner-75b5594c9d                 2021-03-22T07:26:17Z
compliance-operator.v0.1.29-resultscollector-85b496b448         2021-03-22T07:26:15Z
compliance-operator.v0.1.29-resultserver-68c5fb9dd6             2021-03-22T07:26:16Z

$ oc get role compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml | tail
  uid: 2926c433-8aca-40d1-80ed-bd064c20d7eb
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - restricted
  resources:
  - securitycontextconstraints
  verbs:
  - use

$ oc get rolebinding compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml | tail
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/openshift-compliance/rolebindings/compliance-operator.v0.1.29-resultserver-68c5fb9dd6
  uid: bac4b33c-dc12-426d-9709-ef9248d7655f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: compliance-operator.v0.1.29-resultserver-68c5fb9dd6
subjects:
- kind: ServiceAccount
  name: resultserver
  namespace: openshift-compliance

[pdhamdhe@Prashant-X1-Carbon pdhamdhe-aws]$ oc get serviceaccount resultserver
NAME           SECRETS   AGE
resultserver   2         5h53m

$ oc get serviceaccount resultserver -oyaml | tail
    controller: false
    kind: ClusterServiceVersion
    name: compliance-operator.v0.1.29
    uid: 34f43980-9619-47b8-b762-3074a6aaa5e8
  resourceVersion: "108521"
  selfLink: /api/v1/namespaces/openshift-compliance/serviceaccounts/resultserver
  uid: 7a3fe618-7390-4b55-98ba-df6a99fea4b0
secrets:
- name: resultserver-token-6wdck
- name: resultserver-dockercfg-gbm8r

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: my-companys-constraints
> autoApplyRemediations: false
> schedule: "*/5 * * * *"
> rawResultStorage:
>   size: "2Gi"
>   rotation: 10
> roles:
>   - worker
>   - master
> EOF
scansetting.compliance.openshift.io/my-companys-constraints created

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Cluster checks
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: my-companys-constraints
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created

$ oc get pods
NAME                                              READY   STATUS      RESTARTS   AGE
compliance-operator-6db55ffc8d-m5klq              1/1     Running     0          5h55m
ocp4-moderate-api-checks-pod                      0/2     Completed   0          46s
ocp4-moderate-rs-7489fd7f5f-jtvj2                 1/1     Running     0          46s
ocp4-openshift-compliance-pp-dbdccf4cc-r777l      1/1     Running     0          5h54m
rhcos4-openshift-compliance-pp-75476879b9-6vfm8   1/1     Running     0          5h54m

$ oc get pods ocp4-moderate-rs-7489fd7f5f-jtvj2 -oyaml > 2.yaml

$ grep "openshift.io/scc" 2.yaml -B25
metadata:
  annotations:
    k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.2.254/23"],"mac_address":"0a:58:0a:81:02:fe","gateway_ips":["10.129.2.1"],"ip_address":"10.129.2.254/23","gateway_ip":"10.129.2.1"}}'
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.129.2.254"
          ],
          "mac": "0a:58:0a:81:02:fe",
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.129.2.254"
          ],
          "mac": "0a:58:0a:81:02:fe",
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: restricted

$ grep "fsGroup:" 2.yaml -3
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000600000
    seLinuxOptions:
      level: s0:c25,c0
  serviceAccount: resultserver

$ oc get suite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT
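The verification above is done by eye: read the Role, the RoleBinding, the pod's `openshift.io/scc` annotation and its `fsGroup`. The script below is an added example (not part of the bug report and not compliance-operator code) that makes the same checks mechanically on the JSON shape `oc get <kind> <name> -o json` prints. The Role, RoleBinding, Pod and Namespace objects it builds are constructed to mirror the values quoted in the comment; the namespace's `openshift.io/sa.scc.supplemental-groups` range is an assumption, since the comment never shows the namespace object, and the function and parameter names are this example's own.

```python
#!/usr/bin/env python3
"""Mechanical version of the resultserver SCC/fsGroup verification.

Added example; it mirrors the objects quoted in the bug comment but is not
cluster output and is not the operator's own code.
"""
import json


def sample_objects(fsgroup=1000600000, scc="restricted"):
    """Constructed Role, RoleBinding, Pod and Namespace (hand-written, not `oc` output)."""
    role = {
        "kind": "Role",
        "metadata": {"name": "compliance-operator.v0.1.29-resultserver-68c5fb9dd6",
                     "namespace": "openshift-compliance"},
        "rules": [{"apiGroups": ["security.openshift.io"],
                   "resources": ["securitycontextconstraints"],
                   "resourceNames": ["restricted"],
                   "verbs": ["use"]}],
    }
    binding = {
        "kind": "RoleBinding",
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": role["metadata"]["name"]},
        "subjects": [{"kind": "ServiceAccount", "name": "resultserver",
                      "namespace": "openshift-compliance"}],
    }
    sec_ctx = {"seLinuxOptions": {"level": "s0:c25,c0"}}
    if fsgroup is not None:
        sec_ctx["fsGroup"] = fsgroup
    pod = {
        "kind": "Pod",
        "metadata": {"name": "ocp4-moderate-rs-7489fd7f5f-jtvj2",
                     "namespace": "openshift-compliance",
                     "annotations": {"openshift.io/scc": scc}},
        "spec": {"serviceAccountName": "resultserver", "securityContext": sec_ctx},
    }
    namespace = {
        "kind": "Namespace",
        "metadata": {"name": "openshift-compliance",
                     # Assumed value: the range the restricted SCC allocates fsGroup from.
                     "annotations": {"openshift.io/sa.scc.supplemental-groups": "1000600000/10000"}},
    }
    return role, binding, pod, namespace


def _matches(rule_values, wanted):
    """RBAC rule lists may carry a '*' wildcard."""
    return "*" in rule_values or wanted in rule_values


def role_allows_scc_use(role, scc_name):
    """True if some rule grants `use` on securitycontextconstraints/<scc_name>."""
    for rule in role.get("rules", []):
        if (_matches(rule.get("apiGroups", []), "security.openshift.io")
                and _matches(rule.get("resources", []), "securitycontextconstraints")
                and _matches(rule.get("verbs", []), "use")
                # No resourceNames means the rule covers every SCC.
                and (not rule.get("resourceNames") or scc_name in rule["resourceNames"])):
            return True
    return False


def gid_in_range(gid, range_annotation):
    """Parse the OpenShift `<start>/<length>` annotation form and test membership."""
    start, length = (int(x) for x in range_annotation.split("/"))
    return start <= gid < start + length


def check_resultserver_pod(role, binding, pod, namespace, expected_scc="restricted"):
    """Return a list of problems; an empty list is the state the comment verifies."""
    problems = []
    sa = pod["spec"].get("serviceAccountName", "default")
    subjects = {(s["kind"], s["name"]) for s in binding.get("subjects", [])}
    if ("ServiceAccount", sa) not in subjects:
        problems.append(f"service account {sa!r} is not a subject of {binding['roleRef']['name']}")
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        problems.append("rolebinding does not reference the role being checked")
    if not role_allows_scc_use(role, expected_scc):
        problems.append(f"role does not grant use of SCC {expected_scc!r}")
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc != expected_scc:
        problems.append(f"pod admitted under SCC {scc!r}, expected {expected_scc!r}")
    fsgroup = pod["spec"].get("securityContext", {}).get("fsGroup")
    if fsgroup is None:
        problems.append("pod has no fsGroup; the permission fix relies on it")
    else:
        rng = namespace["metadata"]["annotations"]["openshift.io/sa.scc.supplemental-groups"]
        if not gid_in_range(fsgroup, rng):
            problems.append(f"fsGroup {fsgroup} lies outside the namespace range {rng}")
    return problems


if __name__ == "__main__":
    print(json.dumps(check_resultserver_pod(*sample_objects()), indent=2))
```

Against a live cluster, replace `sample_objects()` with four `json.load` calls on the output of `oc get role/rolebinding/pod/namespace ... -o json`; the range check matters because a pod that was admitted by a different SCC can carry an fsGroup the namespace never allocated.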
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1008