[LOG-6816] Permission Error due to operator updating the SCC in OpenShift Logging 6.x - Red Hat Issue Tracker

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: Logging 6.1.4
Affects Version/s: Logging 6.1.3
Component/s: Log Collection
Labels:
- Logging
- devel_ack+
- logging
- logging6
- operator

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
VERIFIED
Release Note Text:

Hide
Before this change the operator was unable to update the securitycontextconstraint that is required by the log collector which was a regression from previous releases. This provides a fix to that behavior by restoring the required cluster role to the operator's service account so that it can create or update this resource.

Show
Before this change the operator was unable to update the securitycontextconstraint that is required by the log collector which was a regression from previous releases. This provides a fix to that behavior by restoring the required cluster role to the operator's service account so that it can create or update this resource.
Release Note Type:
Bug Fix
Intelligence Requested:
Market:

Sprint:
Log Collection - Sprint 268
Severity:
Moderate

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Description of problem:

    The presence of duplicate capabilities in the requiredDropCapabilities section of the securitycontextconstraints resource gives the below error in the logs of cluster-logging-operator:

error":{"msg":"securitycontextconstraints.security.openshift.io \"logging-scc\" is forbidden: User \"system:serviceaccount:openshift-logging:cluster-logging-operator\" cannot update resource \"securitycontextconstraints\" in API group \"security.openshift.io\" at the cluster scope

Example of the overwritten parameters in requiredDropCapabilities section of the `logging-scc`:

- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- KILL
- SETGID
- SETUID
- NET_BIND_SERVICE

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

- CHOWN 
- DAC_OVERRIDE 
- FOWNER 
- FSETID 
- KILL 
- KILL 
- SETGID 
- SETUID 
- NET_BIND_SERVICE

Expected results:

- CHOWN 
- DAC_OVERRIDE 
- FOWNER 
- FSETID 
- KILL 
- SETCAP 
- SETGID 
- SETUID 
- NET_BIND_SERVICE

Additional info:

    In another case (for a fresh installation of logging 6), the value which got repeated was "NET_BIND_SERVICE".

is cloned by

LOG-6879 [release-6.2] Permission Error due to operator updating the SCC in OpenShift Logging 6.x

MODIFIED

links to

openshift/cluster-logging-operator#2982: LOG-6816: fix operator permissions to update SCC

RHSA-2025:146756 Logging for Red Hat OpenShift - 6.1.4

mentioned on

Merge request - Updated US source to: b74b3b5 LOG-6816: fix operator permissions to update SCC

Assignee:: Jeffrey Cantrill

Reporter:: Khushi Mishra

QA Contact:: Kabir Bharti

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/03/06 12:04 PM

Updated:: 2025/03/26 5:39 PM

Resolved:: 2025/03/26 5:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide