OCPBUGS-19465

Cluster Version Operator does not correctly reconcile SCC resources


Details

    • Critical
    • No
    • 1
    • OTA 242
    • 1
    • Approved
    • False
      Previously, the Cluster Version Operator did not reconcile SecurityContextConstraints resources as expected. Cluster Version Operator now properly reconciles SecurityContextConstraints resources towards the state defined in the release image, reverting any unsupported modifications to them.

      Users who want to upgrade from earlier OCP versions and who operate workloads depending on modified system SecurityContextConstraints resources need to follow the procedure in https://access.redhat.com/solutions/7033949 to make sure their workloads are able to run without modified system SecurityContextConstraints. (link:https://issues.redhat.com/browse/OCPBUGS-19465[*OCPBUGS-19465*])
    • Bug Fix
    • Done

    Description

      This is a clone of issue OCPBUGS-18386. The following is the description of the original issue:

      How reproducible:

      Always

      Steps to Reproduce:

      1. the Kubernetes API introduces a new Pod Template parameter (`ephemeral`)
      2. this parameter is not in the allowed list of the default SCC
      3. customer is not allowed to edit the default SCCs, nor do we have a mechanism in place to update the built-in SCCs AFAIK
      4. users of existing clusters cannot use the new parameter without creating manual SCCs and assigning this SCC to service accounts themselves which looks clunky. This is documented in https://access.redhat.com/articles/6967808 

      Actual results:

      Users of existing clusters cannot use ephemeral volumes after an upgrade

      Expected results:

      Users of existing clusters *can* use ephemeral volumes after an upgrade
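
The allow-list behaviour described in the steps above, as an added example that is not part of the original issue or of OpenShift's code: a check that lists the pod volumes whose type is missing from an SCC's `volumes` list. The SCC and pod are constructed samples, and the function names (`volume_type`, `pod_spec`, `rejected_volumes`) are hypothetical.

```python
# Constructed sample shaped like `oc get scc <name> -o json`; the volume list
# is illustrative and not copied from any release image.
SAMPLE_SCC = {
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "example-scc"},  # hypothetical name
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}

# Constructed pod that mounts a generic ephemeral volume.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"volumes": [
        {"name": "cfg", "configMap": {"name": "app-config"}},
        {"name": "scratch", "ephemeral": {"volumeClaimTemplate": {"spec": {
            "accessModes": ["ReadWriteOnce"],
            "resources": {"requests": {"storage": "1Gi"}}}}}},
    ]},
}

def volume_type(volume):
    """Return the volume source field of a pod volume, e.g. 'ephemeral'."""
    sources = [key for key in volume if key != "name"]
    if len(sources) != 1:
        raise ValueError(f"volume {volume.get('name')!r} needs exactly one source")
    return sources[0]

def pod_spec(obj):
    """Locate the pod spec in a Pod or in a workload with a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]  # Deployment, StatefulSet, Job, ...

def rejected_volumes(scc, obj):
    """List (volume name, type) pairs that the SCC's `volumes` list excludes."""
    allowed = set(scc.get("volumes") or [])
    if "*" in allowed:  # wildcard admits every volume type
        return []
    # An empty list or ["none"] matches no type, so every volume is rejected.
    return [(v["name"], volume_type(v))
            for v in pod_spec(obj).get("volumes", [])
            if volume_type(v) not in allowed]

if __name__ == "__main__":
    for name, vtype in rejected_volumes(SAMPLE_SCC, SAMPLE_POD):
        print(f"volume {name!r} uses type {vtype!r}, not in the SCC allow-list")
```

A pod is admitted when any SCC available to its service account accepts it, so the check is meaningful per candidate SCC rather than for a single one.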


            People

              afri@afri.cz Petr Muller
              openshift-crt-jira-prow OpenShift Prow Bot
              Evgeni Vakhonin Evgeni Vakhonin