Description of problem:

Version-Release number of selected component (if applicable):

As the initial issue described in Bug 1934400, after creating a new SCC with the option "defaultAllowPrivilegeEscalation: false" and restarting the openshift-oauth-apiserver pods, the pods failed to start and the CLI and UI are no longer available.

How reproducible:
- Always

Steps to Reproduce:
- Apply the Vulnerability-advisor-scc.yaml, and restart the openshift-oauth-apiserver pods
~~~
$ oc create -f ./vulnerability-advisor-scc.yaml
$ oc patch replicaset.apps/apiserver-########## -n openshift-oauth-apiserver -p '{"spec": {"replicas": 0}}'
~~~

Actual results:
Unable to connect to the cluster anymore, except with the original kubeconfig file
~~~
$ oc get all -n openshift-oauth-apiserver
error: You must be logged in to the server (Unauthorized)
$ oc --kubeconfig=./auth/kubeconfig get rs -n openshift-oauth-apiserver
NAME                   DESIRED   CURRENT   READY   AGE
apiserver-869c49c599   3         0         0       74m
~~~

Expected results:
No disruption to the openshift-oauth-apiserver pods

Additional info:
This is a duplicate BZ to address the issue with RHOCP 4.7. The initial BZ 1934400 was already addressed and the PR has been merged, but we are still waiting for the fix to be released.
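For readers who have not seen the option the report refers to, the following is a constructed SCC manifest added here as an illustration. It is not the reporter's vulnerability-advisor-scc.yaml (whose contents are not attached to this bug); the object name and every field value other than `defaultAllowPrivilegeEscalation: false` are assumptions chosen to show what a restrictive SCC carrying that option looks like.

```yaml
# Constructed example, not the SCC from this bug report.
# Only the defaultAllowPrivilegeEscalation field comes from the report;
# the name and all other values are assumptions for illustration.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: example-no-privesc          # hypothetical name
# The option named in the report: containers admitted under this SCC that
# do not set allowPrivilegeEscalation themselves get it defaulted to false.
defaultAllowPrivilegeEscalation: false
# Also forbid containers from explicitly requesting privilege escalation.
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- emptyDir
- secret
# No priority and no users/groups: nothing can use this SCC until a specific
# service account is granted access to it explicitly (for example via RBAC).
users: []
groups: []
```

When a pod is admitted, OpenShift records the SCC that admission selected for it in the pod's `openshift.io/scc` annotation; checking that annotation on the affected pods is the first diagnostic step when workloads in a system namespace stop starting after an SCC is added or changed.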
It looks like the code has been merged in RHOCP 4.8, but it should be backported to 4.6 and 4.7, as the openshift-oauth-apiserver has existed since 4.6.
*** Bug 1989060 has been marked as a duplicate of this bug. ***
The issue has only been fixed in 4.8. I created backports for 4.7 and 4.6.
sprint review: this issue is being worked on
@slaznick, using the latest 4.7 nightly build 4.7.0-0.nightly-2021-08-31-232034 and following https://bugzilla.redhat.com/show_bug.cgi?id=1967359#c1 for the verification, the issue still exists. It seems the fix in PR https://github.com/openshift/apiserver-library-go/pull/58 has not been bumped into release 4.7. Could you help to check?
Indeed, the dependency hasn't been bumped yet; I just created the PR. Sorry about the complications, it seems that there is no way to block the BZ from going to ON_QA when only a library PR merges...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.29 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3303