Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: None
Affects Version/s: CNV v4.12.0
Component/s: Storage Platform
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
Storage Core Sprint 227, Storage Core Sprint 228

Regression:
None

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

The SCC created by CDI has a priority of 10 which means it is used in priority.

Altough we might think by its specification that this SCC is restricted to cdi serviceaccount in openshift-cnv namespace it actually can be used by other service accounts through k8s RBAC mechanism.

For instance the cluster-storage-operator service account is granted the cluster-admin role through the cluster-storage-operator-role clusterrolebinding.

As a result, once CDI is deployed the cluster-storage-operator Pod is admitted using the containerized-data-importer SCC instead of restricted-v2 and fails to start:

Error: container has runAsNonRoot and image will run as root (pod: "cluster-storage-operator-5648cb555d-v7mkk_openshift-cluster-storage-operator(651e5e61-fa77-4f37-b2b1-78f0a15fc450)", container: cluster-storage-operator)

links to

KCS#4727461

mentioned on

Merge request - Updated US source to: 8ceb590 Run bazelisk run //robots/cmd/uploader:uploader -- -workspace /home/prow/go/src/github.com/kubevirt/project-infra/../containerized-data-importer/WORKSPACE -dry-run=false (#2468)

Merge request - Updated US source to: dfafc29 Fix SCC priority so our scc doesn't get picked for random pods (#2466)

Assignee:: Alex Kalenyuk

Reporter:: Denis Ollier Pinas

QA Contact:: Kevin Alon Goldblatt

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2022/11/08 2:31 PM

Updated:: 2025/08/08 8:30 PM

Resolved:: 2022/12/05 2:59 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates