Bug 2113973 - operator scc is nor fixed when we define a custom scc with readOnlyRootFilesystem: true
Summary: operator scc is nor fixed when we define a custom scc with readOnlyRootFilesy...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.13.0
Assignee: John Kyros
QA Contact: Rio Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-08-02 13:12 UTC by German Parente
Modified: 2023-05-17 22:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-17 22:46:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 3502 0 None Merged Bug 2113973: Avoid 'too restrictive' SCC problems by being more explicit 2023-02-22 21:07:47 UTC
Red Hat Issue Tracker OTA-680 0 None None None 2022-08-18 15:13:42 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:47:05 UTC

Description German Parente 2022-08-02 13:12:35 UTC 
If we define a custom scc like this:

allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: MCP Vault Unsealer
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: mcp-vault
  creationTimestamp: "2022-07-25T11:09:53Z"
  generation: 2
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault-unsealer
    app.kubernetes.io/version: 3.7.0
    helm.sh/chart: vault-unsealer-3.7.1
  name: vault-unsealer
  resourceVersion: "1793493"
  uid: 6b6d88be-03c0-476d-8602-2e94e4ecfcb5
priority: null
readOnlyRootFilesystem: true
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:mcp-vault:vault-unsealer
volumes:
- configMap
- hostPath
- secret

we can see that the pod originally has this scc:

oc get pod machine-config-operator-7f57686f5c-g895k -o yaml | grep scc
    openshift.io/scc: hostmount-anyuid

After applying the new SCC ( even if we set a higher priority ) the pod is showing after restart:

oc get pod machine-config-operator-7f57686f5c-jg2jv -o yaml | grep scc
    openshift.io/scc: vault-unsealer
Comment 24 errata-xmlrpc 2023-05-17 22:46:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326
Note You need to log in before you can comment on or make changes to this bug.