Bug 2280637 - The rook-ceph-csi scc does not have "Required Drop Capabilities" set
Summary: The rook-ceph-csi scc does not have "Required Drop Capabilities" set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.16
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ODF 4.17.0
Assignee: Shravani Vangur
QA Contact: Prasad Desala
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-05-15 13:24 UTC by Prasad Desala
Modified: 2024-10-30 14:27 UTC (History)
5 users (show)

Fixed In Version: 4.17.0-84
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-10-30 14:27:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph-csi pull 4767 0 None Merged deploy: setting RequiredDropCapabilities to ALL for ceph-csi scc 2024-08-19 10:09:34 UTC
Github red-hat-storage ocs-operator pull 2744 0 None open RequiredDropCapabilities set to ALL for rookcephcsi scc 2024-08-12 13:40:27 UTC
Github red-hat-storage ocs-operator pull 2752 0 None open Bug 2280637:[release-4.17] update cephcsi pkg version 2024-08-21 07:11:25 UTC
Red Hat Product Errata RHSA-2024:8676 0 None None None 2024-10-30 14:27:59 UTC

Description Prasad Desala 2024-05-15 13:24:11 UTC 
Description of problem (please be detailed as possible and provide log
snippests):
==================================================================================
This BZ is opened based on the discussion in comment https://bugzilla.redhat.com/show_bug.cgi?id=2179803#c14. 

As part of the fix for BZ 2179803, the RequiredDropCapabilities of rook-ceph scc is set to ALL, but rook-ceph-csi scc still does not have "Required Drop Capabilities" set. This needs to be addressed and the changes must be made in the ocs-operator code which creates the csi scc.   

prasad:~$ oc describe scc rook-ceph | grep " Required Drop Capabilities"
  Required Drop Capabilities:			ALL
prasad:~$ oc describe scc rook-ceph-csi | grep " Required Drop Capabilities"
  Required Drop Capabilities:
			<none>
prasad:~$ oc get csv 
NAME                                        DISPLAY                            VERSION            REPLACES   PHASE
mcg-operator.v4.16.0-94.stable              NooBaa Operator                    4.16.0-94.stable              Succeeded
ocs-client-operator.v4.16.0-94.stable       OpenShift Data Foundation Client   4.16.0-94.stable              Succeeded
ocs-operator.v4.16.0-94.stable              OpenShift Container Storage        4.16.0-94.stable              Succeeded
odf-csi-addons-operator.v4.16.0-94.stable   CSI Addons                         4.16.0-94.stable              Succeeded
odf-operator.v4.16.0-94.stable              OpenShift Data Foundation          4.16.0-94.stable              Succeeded
odf-prometheus-operator.v4.16.0-94.stable   Prometheus Operator                4.16.0-94.stable              Succeeded
recipe.v4.16.0-94.stable                    Recipe                             4.16.0-94.stable              Succeeded
rook-ceph-operator.v4.16.0-94.stable        Rook-Ceph                          4.16.0-94.stable              Succeeded
 

Version of all relevant components (if applicable):
odf 4.16

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
1

Can this issue reproducible?
Yes

Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Deploy an ODF cluster and check for "RequiredDropCapabilities" in rook-ceph-csi scc

Actual results:
===============
The rook-ceph-csi scc does not have "Required Drop Capabilities" <none>

Expected results:
=================
The security context for rook-ceph-csi should have the "RequiredDropCapabilities" set to ALL.
Comment 9 errata-xmlrpc 2024-10-30 14:27:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.17.0 Security, Enhancement, & Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:8676
Note You need to log in before you can comment on or make changes to this bug.