Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.14.0
Affects Version/s: 4.13, 4.12, 4.11, 4.14, 4.15
Component/s: Cluster Version Operator
Labels:
- groomed
- pre-merge

Severity:
Critical
Regression:
No
Story Points:
1
Sprint:
OTA 242
sprint_count:
1
Release Blocker:
Approved
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Previously, the Cluster Version Operator did not reconcile SecurityContextConstraints resources as expected. Cluster Version Operator now properly reconciles SecurityContextConstraints resources towards the state defined in the release image, reverting any unsupported modifications to them.

Users who want to upgrade from earlier OCP versions and who operate workloads depending on modified system SecurityContextConstraints resources need to follow the procedure in https://access.redhat.com/solutions/7033949 to make sure their workloads are able to run without modified system SecurityContextConstraints. (link:https://issues.redhat.com/browse/OCPBUGS-19465[*~~OCPBUGS-19465~~*])

Show
Previously, the Cluster Version Operator did not reconcile SecurityContextConstraints resources as expected. Cluster Version Operator now properly reconciles SecurityContextConstraints resources towards the state defined in the release image, reverting any unsupported modifications to them. Users who want to upgrade from earlier OCP versions and who operate workloads depending on modified system SecurityContextConstraints resources need to follow the procedure in https://access.redhat.com/solutions/7033949 to make sure their workloads are able to run without modified system SecurityContextConstraints. (link: https://issues.redhat.com/browse/OCPBUGS-19465 [* OCPBUGS-19465 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-18386~~. The following is the description of the original issue:
—
How reproducible:

Always

Steps to Reproduce:

1. the Kubernetes API introduces a new Pod Template parameter (`ephemeral`)
2. this parameter is not in the allowed list of the default SCC
3. customer is not allowed to edit the default SCCs nor we have a  mechanism in  place to update the built in SCCs AFAIK
4. users of existing clusters cannot use the new parameter without creating manual SCCs and assigning this SCC to service accounts themselves which looks clunky. This is documented in https://access.redhat.com/articles/6967808

Actual results:

Users of existing clusters cannot use ephemeral volumes after an upgrade

Expected results:

Users of existing clusters *can* use ephemeral volumes after an upgrade

Current status

blocks

OCPBUGS-19472 Cluster Version Operator does not correctly reconcile SCC resources

Closed

clones

OCPBUGS-18386 Cluster Version Operator does not correctly reconcile SCC resources

Closed

is blocked by

OCPBUGS-18386 Cluster Version Operator does not correctly reconcile SCC resources

Closed

is cloned by

OCPBUGS-19472 Cluster Version Operator does not correctly reconcile SCC resources

Closed

links to

openshift/cluster-version-operator#972: OCPBUGS-19465: Properly reconcile SCC resources

RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

(1 links to)

Assignee:: Petr Muller

Reporter:: OpenShift Prow Bot

QA Contact:: Evgeni Vakhonin

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2023/09/20 1:28 PM

Updated:: 2023/10/31 1:42 PM

Resolved:: 2023/10/31 1:42 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates