Bug
Resolution: Can't Do
4.13.z, 4.12.z, 4.11.z
Quality / Stability / Reliability
Moderate
Description of problem:
Can't change the default SCC to a different value, because "restricted-v2" will be enforced.

Example: the admin assigns the `restricted` SCC to `system:authenticated`. Currently `system:authenticated` has 2 SCCs assigned: "restricted" and "restricted-v2". The admin removed the cluster role binding for the "restricted-v2" SCC, but it is automatically added back by the reconciling cluster version operator. The same happens when trying to run "oc adm policy remove-scc-from-group restricted-v2 system:authenticated": the cluster role binding is added back.

The only workaround is to set the restricted SCC to a higher priority. Followed the steps in KCS https://access.redhat.com/node/6973044, but it is incorrect; the priority needs to be changed.
Version-Release number of selected component (if applicable):
OpenShift Container Platform:
- 4.11.z
- 4.12.z
- 4.13.z
How reproducible:
- assigning any SCC to system:authenticated doesn't override the restricted-v2 SCC
Steps to Reproduce:
1. Assign "restricted" to system:authenticated through a cluster role binding or the "oc adm policy" command.
2. Remove the "restricted-v2" SCC from system:authenticated by removing the cluster role binding or with the "oc adm policy" command.
3. Wait max 5m and check if the cluster role binding is missing:
   # oc get clusterrolebinding -o wide | grep "system:authenticated" | grep scc
4. Create a new project and a new pod to verify the default value:
   # oc new-project testing-default-scc
   # oc create deployment dummy --image=ubi8/ubi:latest -- sleep infinity
   # oc get pods -o yaml | grep scc
Actual results:
- unless the priority is changed on the desired SCC, restricted-v2 will be enforced
Expected results:
- the cluster version operator should not overwrite the default SCC
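The reason the priority change is the only thing that works, and removing the "restricted-v2" binding is not, comes down to how admission orders the SCCs a user can use: highest priority first, then most restrictive first, then name. The model below is an added example, not OpenShift's own code and not part of this report. The ordering rule is the one admission applies; the numeric weights in `permissiveness()` are a constructed approximation (assumption) of the apiserver's restrictiveness ranking, chosen only so that `restricted-v2` ranks as more restrictive than `restricted`, as it is on a real cluster. The two SCC objects are abbreviated stand-ins for the real ones.

```python
"""Added example: a small model of OpenShift's SCC admission ordering.

Not the apiserver's code. The weights in permissiveness() are a simplified
stand-in (assumption) for the real restrictiveness ranking; the ordering
rule itself (priority descending, then most restrictive, then name) is what
makes the priority workaround in this bug work.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class SCC:
    name: str
    priority: Optional[int] = None            # nil in the API, treated as 0
    allow_privileged: bool = False
    allow_host_namespaces: bool = False       # hostNetwork/hostPID/hostIPC
    allow_privilege_escalation: bool = True   # API default when unset
    run_as_user: str = "MustRunAsRange"       # or MustRunAsNonRoot / RunAsAny
    allowed_capabilities: tuple = ()
    required_drop_capabilities: tuple = ()


def permissiveness(scc: SCC) -> int:
    """Higher score = more permissive. Weights are a constructed approximation."""
    score = 0
    if scc.allow_privileged:
        score += 100
    if scc.allow_host_namespaces:
        score += 20
    score += {"RunAsAny": 10, "MustRunAsNonRoot": 5, "MustRunAsRange": 2}[scc.run_as_user]
    if scc.allow_privilege_escalation:
        score += 5
    score += 50 if "*" in scc.allowed_capabilities else len(scc.allowed_capabilities)
    if "ALL" in scc.required_drop_capabilities:
        score -= 10
    else:
        score -= len(scc.required_drop_capabilities)
    return score


def order_sccs(available: List[SCC]) -> List[SCC]:
    """Order candidate SCCs the way admission does: highest priority first,
    then most restrictive first, then by name as a stable tie-break."""
    return sorted(available, key=lambda s: (-(s.priority or 0), permissiveness(s), s.name))


def pick_scc(available: List[SCC]) -> SCC:
    """First SCC in admission order: the one a pod that fits all of them gets."""
    return order_sccs(available)[0]


# Constructed, abbreviated stand-ins for the two SCCs every authenticated
# user holds on 4.11+ (compare with `oc get scc restricted-v2 -o yaml`).
RESTRICTED = SCC(
    name="restricted",
    required_drop_capabilities=("KILL", "MKNOD", "SETUID", "SETGID"),
)
RESTRICTED_V2 = SCC(
    name="restricted-v2",
    allow_privilege_escalation=False,
    allowed_capabilities=("NET_BIND_SERVICE",),
    required_drop_capabilities=("ALL",),
)
DEFAULT_FOR_AUTHENTICATED = [RESTRICTED, RESTRICTED_V2]


def with_priority(available: List[SCC], name: str, priority: int) -> List[SCC]:
    """Model of `oc patch scc <name> --type=merge -p '{"priority": N}'`."""
    return [replace(s, priority=priority) if s.name == name else s for s in available]


if __name__ == "__main__":
    # Both bound, no priority set: the more restrictive restricted-v2 wins,
    # which is what the report sees once the CVO has re-added its binding.
    print(pick_scc(DEFAULT_FOR_AUTHENTICATED).name)
    # The workaround: give `restricted` a higher priority than `restricted-v2`.
    print(pick_scc(with_priority(DEFAULT_FOR_AUTHENTICATED, "restricted", 10)).name)
```

The model shows why deleting the binding cannot stick as a fix: as long as both SCCs are available and neither has a priority, the tie is broken by restrictiveness and `restricted-v2` always wins. Raising `priority` on `restricted` (the `priority` field is a top-level integer on the SCC object) moves it ahead regardless of how restrictive it is, which is the workaround the report describes.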
Additional info: