  1. Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
  2. CRW-3894

high priority of container-build scc from dev-space operator causing OLM catalogSource pods to crash


    • Release Notes
      = Fixed legacy OLM CatalogSource pod crashes

      Before this update, legacy CatalogSource objects used by the Operator Lifecycle Manager (OLM) could enter a crashing state on OpenShift 4.12. This issue affected clusters with [rh-os-devspaces] 3.3 and below with container builds enabled. With this update, the issue is fixed.
    • Bug Fix
    • Done

      Description of problem:

      The `container-build` scc found on dev-sandbox clusters (sandbox, sandbox-m2 and sandbox-m3) is causing OLM catalogSource pods to crash.

      This is because OLM catalogSource pods are expected to run with the `anyuid` scc. The `anyuid` scc has a priority of 10. The `container-build` scc supplied by the dev-space operator gets applied to OLM catalogSource pods because this scc has an explicitly set priority of 20.

      This is problematic as pods like OLM catalogSources and pods from other products are deployed expecting to run with anyuid scc.

      Steps to Reproduce

      1. Log in to a cluster with the `container-build` scc from the dev-space operator
      2. Create a catalogSource (specifically old ones, which need to run in 'legacy' mode)
      3. The catalogSource pods will crash, as the pods will be running with a userid without the necessary privileges to access the catalogsource db inside

      Actual results:

      • `container-build` scc gets applied to pods as this scc has higher priority

      Expected results:

      • catalogSource pods should get the `anyuid` scc by default
      • if possible, set the priority of `container-build` to a value less than the `anyuid` priority
      • if possible, use some other explicit measure to associate pods with the `container-build` scc

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Additional info (Such as Logs, Screenshots, etc):

        1. image (1).png (105 kB)
        2. DS_3.3.0_DWO_0.17.0.png (32 kB)
        3. DS_3.4.0_DWO_0.17.0.png (27 kB)
        4. DS_3.4.0_DWO_0.18.1.png (32 kB)
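An audit for the condition described in this report, as an added example that is not part of the original issue or the operator's code: it lists SCCs whose priority orders them ahead of `anyuid` and reports pods whose `openshift.io/scc` annotation shows they were admitted under a different SCC. The JSON samples are constructed in the shape of `oc get scc -o json` and `oc get pods -o json`; the namespace and pod names are hypothetical, and only the priority field is compared (the restrictiveness tie-break and whether the pod's service account may use the SCC are not modelled).

```python
import json

# Constructed sample shaped like `oc get scc -o json`. The priorities of anyuid (10)
# and container-build (20) are the ones stated in the report; the rest is made up.
SCC_JSON = """{"items": [
 {"metadata": {"name": "anyuid"}, "priority": 10, "groups": ["system:cluster-admins"], "users": []},
 {"metadata": {"name": "container-build"}, "priority": 20, "groups": [], "users": []},
 {"metadata": {"name": "restricted-v2"}, "priority": null, "groups": ["system:authenticated"], "users": []}
]}"""

# Constructed sample shaped like `oc get pods -n <namespace> -o json` (hypothetical names).
POD_JSON = """{"items": [
 {"metadata": {"name": "legacy-catalog-abc12", "namespace": "example-marketplace",
               "annotations": {"openshift.io/scc": "container-build"}}},
 {"metadata": {"name": "other-catalog-def34", "namespace": "example-marketplace",
               "annotations": {"openshift.io/scc": "anyuid"}}}
]}"""

def priority(scc):
    # An unset (null) priority is treated as 0 when SCCs are ordered.
    return scc.get("priority") or 0

def outranking_sccs(scc_json, baseline="anyuid"):
    """Return (name, priority) for every SCC ordered ahead of `baseline` by priority."""
    items = json.loads(scc_json)["items"]
    base = next(s for s in items if s["metadata"]["name"] == baseline)
    hits = [s for s in items if priority(s) > priority(base)]
    hits.sort(key=lambda s: (-priority(s), s["metadata"]["name"]))
    return [(s["metadata"]["name"], priority(s)) for s in hits]

def pods_not_admitted_as(pod_json, expected="anyuid"):
    """Return (namespace/name, scc) for pods whose admitting SCC is not `expected`."""
    out = []
    for pod in json.loads(pod_json)["items"]:
        meta = pod["metadata"]
        scc = meta.get("annotations", {}).get("openshift.io/scc", "<none>")
        if scc != expected:
            out.append((f'{meta["namespace"]}/{meta["name"]}', scc))
    return out

if __name__ == "__main__":
    print(outranking_sccs(SCC_JSON))
    print(pods_not_admitted_as(POD_JSON))
```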

              ibuziuk@redhat.com Ilya Buziuk
              rh-ee-nikthoma Nikhil Thomas
              Jana Vrbkova Jana Vrbkova