Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-11545

multus-admission-controller should not run as root under Hypershift-managed CNO

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 4.13, 4.12, 4.14
    • HyperShift
    • None
    • Important
    • No
    • Hypershift Sprint 235
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Bug Fix
    • Done

    Description

      This is a clone of issue OCPBUGS-10807. The following is the description of the original issue:

      Description of problem:

      Cluster Network Operator managed component multus-admission-controller does not conform to Hypershift control plane expectations.

When CNO is managed by Hypershift, multus-admission-controller and other CNO-managed deployments should run with non-root security context. If Hypershift runs control plane on kubernetes (as opposed to Openshift) management cluster, it adds pod security context to its managed deployments, including CNO, with runAsUser element inside. In such a case CNO should do the same, set security context for its managed deployments, like multus-admission-controller, to meet Hypershift security rules.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Always

      Steps to Reproduce:

      1.Create OCP cluster using Hypershift using Kube management cluster
2.Check pod security context of multus-admission-controller

      Actual results:

      no pod security context is set on multus-admission-controller

      Expected results:

      pod security context is set with runAsUser: xxxx

      Additional info:

      Corresponding CNO change

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11544 multus-admission-controller should not run as root under Hypershift-managed CNO

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-10807 multus-admission-controller should not run as root under Hypershift-managed CNO

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-10807 multus-admission-controller should not run as root under Hypershift-managed CNO

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/hypershift#2392: [release-4.13] OCPBUGS-11545: Pass runAsUser to CNO so it can run its managed services with proper security context

          Activity

            People

              agarcial@redhat.com Alberto Garcia Lamela
              openshift-crt-jira-prow OpenShift Prow Bot
              Jie Zhao Jie Zhao
              IBM Employee
              Michael Topchiev
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: