Bug 2108631 - Upgrade between 4.10 versions fails if cluster has custom SCCs
Keywords:
Status: CLOSED DUPLICATE of bug 2110590
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Over the Air Updates
QA Contact: liujia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-19 14:40 UTC by Palash Khaire
Modified: 2022-07-27 13:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-27 13:04:15 UTC
Target Upstream Version:
Embargoed:



Description Palash Khaire 2022-07-19 14:40:01 UTC
Description of problem: Upgrade between 4.10 versions fails if the cluster has custom SCCs

Version-Release number of the following components:


How reproducible: Add an additional SCC with `privileged` set to true:
```
NAME                      PRIV   CAPS   SELINUX     RUNASUSER   FSGROUP     SUPGROUP   PRIORITY     READONLYROOTFS   VOLUMES
syn-cluster-backup-etcd   true   []     MustRunAs   RunAsAny    MustRunAs   RunAsAny   <no value>   true             ["configMap","downwardAPI","emptyDir","hostPath","projected","secret"]
```

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results: The cluster-version-operator should explicitly set `readOnlyRootFilesystem: false` or the upgrade script must tolerate readOnlyRootFilesystem.

https://github.com/openshift/cluster-version-operator/blob/cb3a00c9f5e2ca00f24f9664b7e7cfbe0807748e/pkg/cvo/updatepayload.go#L183

~~~
container.SecurityContext = &corev1.SecurityContext{
    Privileged:             pointer.BoolPtr(true),
    ReadOnlyRootFilesystem: pointer.BoolPtr(false),
}
~~~

Additional info:

```
$ kubectl -n openshift-cluster-version logs version-4.10.12-wsspr-k88qw
mv: cannot remove '/manifests/0000_00_cluster-version-operator_00_namespace.yaml': Read-only file system
mv: inter-device move failed: '/manifests' to '/etc/cvo/updatepayloads/4ENFMGrGePMHpleO-OWNaQ/manifests/manifests'; unable to remove target: Directory not empty
```
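
The following is an added example, not code from the report, the cluster-version-operator or OpenShift. It is a simplified model of how an SCC treats a privileged container that leaves `readOnlyRootFilesystem` unset versus one that sets it to `false`. It assumes SCC admission defaults an unset field to `true` when the SCC requires a read-only root and rejects an explicit `false`; the second SCC name is hypothetical.

```go
package main

import "fmt"

// SCC holds only the two SCC fields this report turns on (simplified model).
type SCC struct {
	Name                     string
	AllowPrivilegedContainer bool
	ReadOnlyRootFilesystem   bool
}

// SecurityContext mirrors the two container fields in the snippet above.
type SecurityContext struct {
	Privileged             *bool
	ReadOnlyRootFilesystem *bool
}

// Admit models defaulting then validation of one container against one SCC.
// It returns whether the SCC admits it and the effective read-only-root value.
func Admit(scc SCC, sc SecurityContext) (admitted bool, readOnlyRoot bool) {
	if sc.Privileged != nil && *sc.Privileged && !scc.AllowPrivilegedContainer {
		return false, false // SCC does not allow privileged containers
	}
	ro := sc.ReadOnlyRootFilesystem
	if scc.ReadOnlyRootFilesystem && ro == nil {
		t := true
		ro = &t // assumption: unset field is defaulted to the SCC's requirement
	}
	if scc.ReadOnlyRootFilesystem && !*ro {
		return false, false // explicit false conflicts with this SCC
	}
	return true, ro != nil && *ro
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample: the custom SCC from the report plus a hypothetical one.
	sccs := []SCC{
		{Name: "syn-cluster-backup-etcd", AllowPrivilegedContainer: true, ReadOnlyRootFilesystem: true},
		{Name: "example-privileged", AllowPrivilegedContainer: true},
	}
	unset := SecurityContext{Privileged: boolPtr(true)}
	explicit := SecurityContext{Privileged: boolPtr(true), ReadOnlyRootFilesystem: boolPtr(false)}
	for _, s := range sccs {
		a1, r1 := Admit(s, unset)
		a2, r2 := Admit(s, explicit)
		fmt.Printf("%s: unset admitted=%t ro=%t; explicit-false admitted=%t ro=%t\n", s.Name, a1, r1, a2, r2)
	}
}
```

Under this model the custom SCC admits the unset container with a read-only root, which matches the `mv` errors in the log, while the explicit `false` can only be admitted by an SCC that does not require a read-only root.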

Comment 2 Scott Dodson 2022-07-27 13:04:15 UTC

*** This bug has been marked as a duplicate of bug 2110590 ***

