Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1940781

Summary: [4.6.z] Compliance operator pod fails with: Couldn't ensure directory","error":"mkdir /reports/0: permission denied"
Product: OpenShift Container Platform Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance OperatorAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: urgent Docs Contact:
Priority: high    
Version: 4.6.zCC: dahernan, jhrozek, josorior, mrogers, nkinder, nstielau, sbhavsar, xiyuan
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1940776 Environment:
Last Closed: 2021-03-31 06:39:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1919311, 1940776    
Bug Blocks:    

Comment 4 Prashant Dhamdhere 2021-03-22 13:26:04 UTC 
[Bug Verification]


Looks good. Now, the operator uses a separate SA for resultserver that apply the restricted SCC 
on the resultserver pod and it does receive the IDs from the fsGroup option which fixes the 
permission issue.


Verified on:
4.6.0-0.nightly-2021-03-21-131139
compliance-operator.v0.1.29


$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-21-131139   True        False         10h     Cluster version is 4.6.0-0.nightly-2021-03-21-131139


$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.29   Compliance Operator   0.1.29               Succeeded


$ oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.6


$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-m5klq              1/1     Running   0          5h52m
ocp4-openshift-compliance-pp-dbdccf4cc-r777l      1/1     Running   0          5h51m
rhcos4-openshift-compliance-pp-75476879b9-6vfm8   1/1     Running   0          5h51m


$ oc get role
NAME                                                            CREATED AT
compliance-operator.v0.1.29-api-resource-collector-65465ccd46   2021-03-22T07:26:16Z
compliance-operator.v0.1.29-compliance-operator-df6bf598        2021-03-22T07:26:18Z
compliance-operator.v0.1.29-profileparser-5694b55cd4            2021-03-22T07:26:17Z
compliance-operator.v0.1.29-remediation-aggregator-787cb7d6f5   2021-03-22T07:26:16Z
compliance-operator.v0.1.29-rerunner-75b5594c9d                 2021-03-22T07:26:17Z
compliance-operator.v0.1.29-resultscollector-85b496b448         2021-03-22T07:26:15Z
compliance-operator.v0.1.29-resultserver-68c5fb9dd6             2021-03-22T07:26:16Z


$ oc get role compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml |tail
  uid: 2926c433-8aca-40d1-80ed-bd064c20d7eb
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - restricted
  resources:
  - securitycontextconstraints
  verbs:
  - use



$ oc get rolebinding compliance-operator.v0.1.29-resultserver-68c5fb9dd6 -oyaml |tail
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/openshift-compliance/rolebindings/compliance-operator.v0.1.29-resultserver-68c5fb9dd6
  uid: bac4b33c-dc12-426d-9709-ef9248d7655f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: compliance-operator.v0.1.29-resultserver-68c5fb9dd6
subjects:
- kind: ServiceAccount
  name: resultserver
  namespace: openshift-compliance
[pdhamdhe@Prashant-X1-Carbon pdhamdhe-aws]$ oc get serviceaccount resultserver
NAME           SECRETS   AGE
resultserver   2         5h53m


$ oc get serviceaccount resultserver -oyaml|tail
    controller: false
    kind: ClusterServiceVersion
    name: compliance-operator.v0.1.29
    uid: 34f43980-9619-47b8-b762-3074a6aaa5e8
  resourceVersion: "108521"
  selfLink: /api/v1/namespaces/openshift-compliance/serviceaccounts/resultserver
  uid: 7a3fe618-7390-4b55-98ba-df6a99fea4b0
secrets:
- name: resultserver-token-6wdck
- name: resultserver-dockercfg-gbm8r


$ oc create -f -<< EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: my-companys-constraints
> autoApplyRemediations: false
> schedule: "*/5 * * * *"
> rawResultStorage:
>   size: "2Gi"
>   rotation: 10
> roles:
>   - worker
>   - master
> EOF
scansetting.compliance.openshift.io/my-companys-constraints created


$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Cluster checks
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: my-companys-constraints
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created


$ oc get pods 
NAME                                              READY   STATUS      RESTARTS   AGE
compliance-operator-6db55ffc8d-m5klq              1/1     Running     0          5h55m
ocp4-moderate-api-checks-pod                      0/2     Completed   0          46s
ocp4-moderate-rs-7489fd7f5f-jtvj2                 1/1     Running     0          46s
ocp4-openshift-compliance-pp-dbdccf4cc-r777l      1/1     Running     0          5h54m
rhcos4-openshift-compliance-pp-75476879b9-6vfm8   1/1     Running     0          5h54m


$ oc get pods ocp4-moderate-rs-7489fd7f5f-jtvj2 -oyaml > 2.yaml


$ grep "openshift.io/scc" 2.yaml -B25
metadata:
  annotations:
    k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.2.254/23"],"mac_address":"0a:58:0a:81:02:fe","gateway_ips":["10.129.2.1"],"ip_address":"10.129.2.254/23","gateway_ip":"10.129.2.1"}}'
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.129.2.254"
          ],
          "mac": "0a:58:0a:81:02:fe",
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "",
          "interface": "eth0",
          "ips": [
              "10.129.2.254"
          ],
          "mac": "0a:58:0a:81:02:fe",
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: restricted


$ grep "fsGroup:" 2.yaml  -3
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000600000
    seLinuxOptions:
      level: s0:c25,c0
  serviceAccount: resultserver


$ oc get suite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT
Comment 6 errata-xmlrpc 2021-03-31 06:39:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1008