- Bug
- Resolution: Can't Do
- Undefined
- None
- 4.14, 4.15
- None
- No
- False
Description of problem:
[ARO-4.14] csi volumes are not allowed for normal users
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-09-26-124507
How reproducible:
Always
Steps to Reproduce:
1. Install an ARO cluster via flexy templates. Flexy: aro-4/aro-hosted/versioned-installer
2. Check the cluster version, which will be on the 4.11 payload with ARO version 4.11.44.
3. Upgrade the cluster to the latest 4.14 payload, 4.14.0-0.nightly-2023-09-26-124507:
   oc adm upgrade --to-image="registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-09-26-124507" --allow-explicit-upgrade=true --force=true
4. Check that the cluster got upgraded.
5. Install the icsp.yaml and catalogsource yaml files.
6. Do the precondition setup required to run the secrets store pod (install subscription, operatorgroup, driver and azure provider; create a keyvault; give permissions).
7. Create the secret provider class and deployment.
Actual results:
The error below shows that csi volumes are not allowed for normal users; the deployment pods are not coming up:

oc describe rs/mydep-3cert-8546548f9 -n testropatil

Warning  FailedCreate  47s (x15 over 2m9s)  replicaset-controller  Error creating: pods "mydep-3cert-8546548f9-" is forbidden: unable to validate against any security context constraint: [
  provider "anyuid": Forbidden: not usable by user or serviceaccount,
  spec.volumes[0]: Invalid value: "csi": csi volumes are not allowed to be used,
  provider "restricted": Forbidden: not usable by user or serviceaccount,
  provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
  provider "nonroot": Forbidden: not usable by user or serviceaccount,
  provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
  provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
  provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
  provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
  provider "hostaccess": Forbidden: not usable by user or serviceaccount,
  provider "node-exporter": Forbidden: not usable by user or serviceaccount,
  provider "privileged": Forbidden: not usable by user or serviceaccount,
  provider "privileged-genevalogging": Forbidden: not usable by user or serviceaccount
]
Expected results:
csi volumes should be not allowed for normal users.
Additional info:
The ARO cluster's restricted-v2 SCC does not include csi:

oc get scc restricted-v2 -o yaml
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

An OCP cluster's restricted-v2 SCC includes csi:

oc get scc restricted-v2 -o yaml
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Discussion: https://redhat-internal.slack.com/archives/C05CXR1PVRD/p1695778332310439
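A check that makes the comparison above mechanical, added here as an example and not code from the bug report or from OpenShift: it parses the `volumes:` list of a `restricted-v2` SCC dump, reports which of the expected types (the OCP 4.14 list quoted above) are missing, and shows which volume types of a pod that SCC would reject. The SCC excerpt is constructed sample input modelled on the ARO output above; it only handles the flat list form that `oc get scc <name> -o yaml` prints.

```python
# Volume types the OCP 4.14 restricted-v2 SCC lists (from the report's second excerpt).
EXPECTED_RESTRICTED_V2_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir",
    "ephemeral", "persistentVolumeClaim", "projected", "secret",
}

# Constructed sample input: the `volumes:` block of restricted-v2 as quoted for
# the upgraded ARO cluster (other SCC fields omitted).
ARO_SCC_YAML = """\
kind: SecurityContextConstraints
metadata:
  name: restricted-v2
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
"""

def parse_scc_volumes(scc_yaml):
    """Return the top-level `volumes:` list of an SCC dump as a set (no YAML library needed)."""
    volumes, in_block = set(), False
    for line in scc_yaml.splitlines():
        if line.startswith("volumes:"):
            in_block = True
        elif in_block:
            stripped = line.strip()
            if stripped.startswith("- "):
                volumes.add(stripped[2:].strip())
            elif stripped and not line[0].isspace():
                break  # next top-level key ends the list
    return volumes

def missing_volume_types(scc_yaml, expected=EXPECTED_RESTRICTED_V2_VOLUMES):
    """Volume types the SCC is expected to allow but does not list (here: csi, ephemeral)."""
    return set(expected) - parse_scc_volumes(scc_yaml)

def rejected_pod_volumes(pod_volume_types, scc_yaml):
    """Pod volume types this SCC would refuse, mirroring the admission error
    'spec.volumes[N]: Invalid value: "csi": csi volumes are not allowed to be used'."""
    allowed = parse_scc_volumes(scc_yaml)
    if "*" in allowed:  # an SCC may allow every volume type with '*'
        return []
    return sorted(v for v in set(pod_volume_types) if v not in allowed)

if __name__ == "__main__":
    print("missing from restricted-v2:", sorted(missing_volume_types(ARO_SCC_YAML)))
    print("would be rejected in pod:", rejected_pod_volumes(["csi", "secret"], ARO_SCC_YAML))
```

Run against a live dump (`oc get scc restricted-v2 -o yaml > scc.yaml`) by reading the file into `missing_volume_types`; a non-empty result after an upgrade is the condition this report describes.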
- relates to: OCPBUGS-31109 ephemeral permission is not added to restricted-v2 scc post-upgrade (Closed)