Version: release-4.9 $ openshift-install version bin/openshift-install unreleased-master-4672-g2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f-dirty built from commit 2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f release image registry.ci.openshift.org/origin/release:4.8 Platform: kubevirt IPI What happened? `openshift-installer` sets the label `run-level: "1"` on the namespace `openshift-kubevirt-infra` [1]. [1] https://github.com/openshift/installer/blob/7c4226b0867a62d98956865f287959f91bb92707/data/data/manifests/bootkube/openshift-kubevirt-infra-namespace.yaml#L8 What did you expect to happen? This label is no longer required. Using the runlevel means that any pod specified in the ns will bypass SCC controls. It may have been required <4.6 due to the significant start times of components wait for the openshift-apiserver. But since 4.6 this delay has been all but removed. Also supporting this is the other relevant on-prem component namespaces: - https://github.com/openshift/machine-config-operator/pull/2627 - https://bugzilla.redhat.com/show_bug.cgi?id=1805488
>Recreated the issue using 4.9.0-0.nightly-2021-07-30-014522 and then verified the issue using 4.9.0-0.nightly-2021-08-04-025616. Mark as verified, thanks! [fedora@preserve-jiwei ~]$ mkdir work [fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-07-30-014522/openshift-install-linux-4.9.0-0.night ly-2021-07-30-014522.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 99.4M 100 99.4M 0 0 152M 0 --:--:-- --:--:-- --:--:-- 152M [fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz README.md openshift-install [fedora@preserve-jiwei ~]$ openshift-install version >openshift-install 4.9.0-0.nightly-2021-07-30-014522 built from commit 8d54dd48ffefd14a77b2233d265be0ab1aa037e9 release image registry.ci.openshift.org/ocp/release@sha256:7588bf948aebfb1baa77a4a0a51041dd2c307b89567fc8ce71367a74143d9d02 [fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work ? SSH Public Key /home/fedora/.ssh/id_rsa.pub ? Platform gcp INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" ? Project ID OpenShift QE (openshift-qe) ? Region us-west1 ? Base Domain qe.gcp.devcluster.openshift.com ? Cluster Name jiwei-cluster13 ? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work ******************************************************************* [fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" INFO Consuming Install Config from target directory INFO Manifests created in: work/manifests and work/openshift [fedora@preserve-jiwei ~]$ ls work/manifests/ -l total 76 -rw-r-----. 1 fedora fedora 169 Aug 4 06:06 04-openshift-machine-config-operator.yaml -rw-r-----. 1 fedora fedora 175 Aug 4 06:06 cloud-controller-uid-config.yml -rw-r-----. 1 fedora fedora 518 Aug 4 06:06 cloud-provider-config.yaml -rw-r-----. 1 fedora fedora 971 Aug 4 06:06 cluster-config.yaml -rw-r-----. 1 fedora fedora 259 Aug 4 06:06 cluster-dns-02-config.yml -rw-r-----. 1 fedora fedora 651 Aug 4 06:06 cluster-infrastructure-02-config.yml -rw-r-----. 1 fedora fedora 181 Aug 4 06:06 cluster-ingress-02-config.yml -rw-r-----. 1 fedora fedora 7923 Aug 4 06:06 cluster-network-01-crd.yml -rw-r-----. 1 fedora fedora 272 Aug 4 06:06 cluster-network-02-config.yml -rw-r-----. 1 fedora fedora 142 Aug 4 06:06 cluster-proxy-01-config.yaml -rw-r-----. 1 fedora fedora 171 Aug 4 06:06 cluster-scheduler-02-config.yml -rw-r-----. 1 fedora fedora 199 Aug 4 06:06 cvo-overrides.yaml -rw-r-----. 1 fedora fedora 118 Aug 4 06:06 kube-cloud-config.yaml -rw-r-----. 1 fedora fedora 1304 Aug 4 06:06 kube-system-configmap-root-ca.yaml -rw-r-----. 1 fedora fedora 4086 Aug 4 06:06 machine-config-server-tls-secret.yaml -rw-r-----. 1 fedora fedora 4197 Aug 4 06:06 openshift-config-secret-pull-secret.yaml -rw-r-----. 1 fedora fedora 201 Aug 4 06:06 openshift-kubevirt-infra-namespace.yaml >[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: openshift-kubevirt-infra annotations: openshift.io/node-selector: "" labels: > name: openshift-kubevirt-infra > openshift.io/run-level: "1" [fedora@preserve-jiwei ~]$ [fedora@preserve-jiwei ~]$ rm -f openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz openshift-install [fedora@preserve-jiwei ~]$ mkdir work [fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-08-04-025616/openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 99.4M 100 99.4M 0 0 139M 0 --:--:-- --:--:-- --:--:-- 139M [fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz README.md openshift-install [fedora@preserve-jiwei ~]$ openshift-install version >openshift-install 4.9.0-0.nightly-2021-08-04-025616 built from commit 4f3d8ba657cb9447f065a4e48b078be6376593e1 release image registry.ci.openshift.org/ocp/release@sha256:5583c60aae499629853d0f0a8be86a407cefb9689a6d0621192eebfba02448e6 [fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work ? SSH Public Key /home/fedora/.ssh/id_rsa.pub ? Platform gcp INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" ? Project ID OpenShift QE (openshift-qe) ? Region us-west1 ? Base Domain qe.gcp.devcluster.openshift.com ? Cluster Name jiwei-cluster13 ? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work ******************************************************************* [fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" INFO Consuming Install Config from target directory INFO Manifests created in: work/manifests and work/openshift [fedora@preserve-jiwei ~]$ ls work/manifests/ -l total 76 -rw-r-----. 1 fedora fedora 169 Aug 4 06:17 04-openshift-machine-config-operator.yaml -rw-r-----. 1 fedora fedora 175 Aug 4 06:17 cloud-controller-uid-config.yml -rw-r-----. 1 fedora fedora 518 Aug 4 06:17 cloud-provider-config.yaml -rw-r-----. 1 fedora fedora 971 Aug 4 06:17 cluster-config.yaml -rw-r-----. 1 fedora fedora 259 Aug 4 06:17 cluster-dns-02-config.yml -rw-r-----. 1 fedora fedora 651 Aug 4 06:17 cluster-infrastructure-02-config.yml -rw-r-----. 1 fedora fedora 181 Aug 4 06:17 cluster-ingress-02-config.yml -rw-r-----. 1 fedora fedora 7923 Aug 4 06:17 cluster-network-01-crd.yml -rw-r-----. 1 fedora fedora 272 Aug 4 06:17 cluster-network-02-config.yml -rw-r-----. 1 fedora fedora 142 Aug 4 06:17 cluster-proxy-01-config.yaml -rw-r-----. 1 fedora fedora 171 Aug 4 06:17 cluster-scheduler-02-config.yml -rw-r-----. 1 fedora fedora 199 Aug 4 06:17 cvo-overrides.yaml -rw-r-----. 1 fedora fedora 118 Aug 4 06:17 kube-cloud-config.yaml -rw-r-----. 1 fedora fedora 1304 Aug 4 06:17 kube-system-configmap-root-ca.yaml -rw-r-----. 1 fedora fedora 4086 Aug 4 06:17 machine-config-server-tls-secret.yaml -rw-r-----. 1 fedora fedora 4197 Aug 4 06:17 openshift-config-secret-pull-secret.yaml -rw-r-----. 1 fedora fedora 169 Aug 4 06:17 openshift-kubevirt-infra-namespace.yaml >[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: openshift-kubevirt-infra annotations: openshift.io/node-selector: "" labels: > name: openshift-kubevirt-infra [fedora@preserve-jiwei ~]$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759