Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: odf-4.15.11
Component/s: Multi-Cloud Object Gateway
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Dev Approval:
?
Docs Approval:
?
PM Approval:
?
QE Approval:
?
Target Release:

odf-4.21
Intelligence Requested:
Market:

Severity:
Important

Regression:
None

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Description of problem - Provide a detailed description of the issue encountered, including logs/command-output snippets and screenshots if the issue is observed in the UI:

noobaa-db-pg-0 picks up a custom scc which has priority 11.
there is no user restriction in the documentation for creating custom scc and setting their priorities.

We document here that if workloads needs specific scc, "openshift.io/required-scc" is required

https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/authentication_and_authorization/managing-pod-security-policies#security-context-constraints-requiring_configuring-internal-oauth

enhancement:
https://github.com/openshift/enhancements/blob/master/enhancements/authentication/custom-scc-preemption-prevention.md

Other redhat shipped components started testing, and implementing

https://issues.redhat.com/browse/OCPBUGS-50677

https://issues.redhat.com/browse/OCPBUGS-39387

https://issues.redhat.com/browse/SRVKP-1516

Per enhancement and the following KCS
https://access.redhat.com/solutions/7011441
all Red Hat provided pods should contain annotation openshift.io/required-scc. If this is not the case, open a support ticket and/or bug with Red Hat.

The OCP platform infrastructure and deployment type (AWS, Bare Metal, VMware, etc. Please clarify if it is platform agnostic deployment), (IPI/UPI):

vsphere ipi

The ODF deployment type (Internal, External, Internal-Attached (LSO), Multicluster, DR, Provider, etc):

external

The version of all relevant components (OCP, ODF, RHCS, ACM whichever is applicable):

$oc get clusterversions version
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.34   True        False

NAME                                     VERSION
mcg-operator.v4.15.11-rhodf              4.15.11-rhodf
ocs-operator.v4.15.11-rhodf              4.15.11-rhodf
odf-csi-addons-operator.v4.15.11-rhodf   4.15.11-rhodf
odf-operator.v4.15.11-rhodf              4.15.11-rhodf

Does this issue impact your ability to continue to work with the product?

StorageSystem is degraged, the nooba is not running

Is there any workaround available to the best of your knowledge?

User can set the custom scc prioties 0 temporarly, delete the nooba pod , get it running and set them back

Can this issue be reproduced? If so, please provide the hit rate

Always reproducible

Can this issue be reproduced from the UI?

n/a

If this is a regression, please provide more details to justify this:

Steps to Reproduce:

1. create a custom scc with higher priority

2. delete the noobaa-db-pg-0

The exact date and time when the issue was observed, including timezone details:

Actual results:

$ oc get po noobaa-db-pg-0 -o yaml | grep scc

openshift.io/scc: custom-privileged-scc

Expected results:

3. oc get po noobaa-db-pg-0 -o yaml | grep scc

openshift.io/scc: nooba-db

Logs collected and log location:

Additional info:

Assignee:: Nimrod Becker

Reporter:: Hasan Cetiner

QA Contact:: Krishnaram Karthick Ramdoss

Votes:: 1 Vote for this issue

Watchers:: 16 Start watching this issue

Created:: 2025/04/16 9:00 AM

Updated:: 2025/09/13 8:41 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty