
pod scc annotation shows "privileged" even though the audit logs mention "anyuid" SCC was picked


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.16.0
    • 4.12.z
    • apiserver-auth
    • None
    • Important
    • No
    • Auth - Sprint 236, Auth - Sprint 237, Auth - Sprint 238, Auth - Sprint 239, Auth - Sprint 240, Auth - Sprint 241, Auth - Sprint 242, Auth - Sprint 243, Auth - Sprint 245, Auth - Sprint 249, Auth - Sprint 250
    • 11
    • Rejected
    • False
      * Previously, when you created a pod with an empty security context and you have access to all security context constraints (SCCs), the pod would receive the `anyuid` SCC. After the `ovn-controller` component added a label to the pod, the pod would be re-admitted for SCC selection, where the pod received an escalated SCC, such as `privileged`. With this release, this issue is resolved so the pod is not re-admitted for SCC selection. (link:https://issues.redhat.com/browse/OCPBUGS-11933[*OCPBUGS-11933*])
    • Bug Fix
    • Done

      Description of problem:

      When I create a pod with an empty security context as a user that has access to all SCCs, the SCC annotation shows "privileged"

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      100%

      Steps to Reproduce:

      1. create a bare pod with an empty security context
      2. look at the "openshift.io/scc" annotation 

      Actual results:

      privileged

      Expected results:

      anyuid

      Additional info:

      kind: Pod
      apiVersion: v1
      metadata:
        name: mypod
      spec:
        restartPolicy: Never
        containers:
        - name: fedora
          image: fedora:latest
          command:
          - sleep
          args:
          - "infinity"
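      As an added example (not part of the bug report or of the OpenShift code base), a check a cluster administrator could run over `oc get pods -A -o json` output to find pods whose `openshift.io/scc` annotation names an escalated SCC although their spec requests nothing that needs one, which is the symptom described above. The set of escalated SCC names and the sample pod list are constructed assumptions for this example.

```python
import json

# SCCs that grant more than a non-root UID. Constructed list for this example;
# adjust to the SCCs actually considered sensitive in your cluster.
ESCALATED_SCCS = {"privileged", "hostaccess", "hostnetwork", "node-exporter"}


def spec_needs_escalation(spec):
    """True if the pod spec asks for something only an escalated SCC grants."""
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged") or caps.get("add"):
            return True
    return any("hostPath" in v for v in spec.get("volumes", []))


def suspicious_pods(pod_list):
    """Return (namespace, name, scc) for pods annotated with an escalated SCC
    that their own spec gives no reason to need."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if scc in ESCALATED_SCCS and not spec_needs_escalation(pod["spec"]):
            found.append((meta.get("namespace", "default"), meta["name"], scc))
    return found


# Constructed sample mimicking `oc get pods -A -o json`; not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"name": "mypod", "namespace": "demo",
                  "annotations": {"openshift.io/scc": "privileged"}},
     "spec": {"containers": [{"name": "fedora", "image": "fedora:latest"}]}},
    {"metadata": {"name": "ok", "namespace": "demo",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"containers": [{"name": "c", "image": "fedora:latest"}]}},
    {"metadata": {"name": "netpod", "namespace": "infra",
                  "annotations": {"openshift.io/scc": "privileged"}},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "c", "image": "fedora:latest",
                              "securityContext": {"privileged": True}}]}},
]}

if __name__ == "__main__":
    for ns, name, scc in suspicious_pods(SAMPLE):
        print(f"{ns}/{name}: annotated {scc} but spec requests no privilege")
```

      Replace `SAMPLE` with `json.load(sys.stdin)` to run it on live output; a hit is a pod to re-check against the audit log's admission decision, as the reporter did here.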


            rh-ee-irinis Ilias Rinis
            slaznick@redhat.com Stanislav Láznička
            Deepak Punia Deepak Punia