Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-15245

custom SCC breaks openshift-controller-manager-operator pod

XMLWordPrintable

    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      After creating a new custom SCC with high priority, the openshift-controller-manager-operator pod is in crashloopbackoff using this new custom SCC.

A similar issue was happening with the OpenShift Logging Elasticsearch pods when introduced a custom SCC, the Elasticsearch pods were using it since it was having higher priority. It it's https://issues.redhat.com/browse/LOG-4208.

      Version-Release number of selected component (if applicable):

      4.10

      How reproducible:

      Always

      Steps to Reproduce:

      1.Create a custom SCC restricted-uid-scc.yaml. Available in [1]

$ oc create -f restricted-uid-scc.yaml
securitycontextconstraints.security.openshift.io/restricted-uid created


2. Restart the openshift-controller-manager-operator pod
$ oc delete pod -l app=openshift-controller-manager-operator -n openshift-controller-manager-operator


3. Verify the openshift-controller-manager-operator is in crashloopbackoff

$ oc get pods -n openshift-controller-manager-operator
NAME                                                    READY   STATUS   RESTARTS     AGE
openshift-controller-manager-operator-7684f9f68-wnvx4   0/1     Error    1 (3s ago)   5s


4. Confirm the permission denied error observed below

$ oc logs openshift-controller-manager-operator-7684f9f68-wnvx4 
F0615 06:44:31.193174       1 cmd.go:138] open /var/run/configmaps/config/config.yaml: permission denied

      Actual results:

      The openshift-controller-manager-operator pod is in crashloopbackoff since it's taking the SCC with higher priority and it doesn't allow to access to `/var/run/configmaps/config/config.yaml`

      Expected results:

      The openshift-controller-manager-operator pod even when a custom SCC is introduced, it uses the expected default SCC and not one different custom

      Additional info:

      Similar issue for the OCP Logging Elasticsearch pods: https://issues.redhat.com/browse/LOG-4208

       

       [1]

      restricted-uid-scc.yaml" : 
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: restricted-uid
runAsUser:
  type: MustRunAsRange
  uidRangeMax: 65535
  uidRangeMin: 1
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
  ranges:
  - max: 65535
    min: 1
supplementalGroups:
  type: RunAsAny
  ranges:
  - max: 65535
    min: 1
users: []
groups:
- grp-ns001b004550-edit
- grp-ns001b004551-edit
requiredDropCapabilities:
- KILL
- MKNOD
priority: 50
readOnlyRootFilesystem: true
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

              cdaley Corey Daley
              rhn-support-ocasalsa Oscar Casal Sanchez
              ying zhou ying zhou
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: