
[ARO-4.14] csi volumes are not allowed for normal users

Type: Bug
Resolution: Can't Do
Priority: Undefined
Affects Version/s: 4.14, 4.15
Component/s: Storage / Operators

Description of problem:

[ARO-4.14] csi volumes are not allowed for normal users

Version-Release number of selected component (if applicable):

4.14.0-0.nightly-2023-09-26-124507

How reproducible:

Always

Steps to Reproduce:

1. Install an ARO cluster via flexy templates.
   Flexy: aro-4/aro-hosted/versioned-installer
2. Check the cluster version, which will be on the 4.11 payload, and the ARO version, 4.11.44.
3. Upgrade the cluster to the latest 4.14 payload, 4.14.0-0.nightly-2023-09-26-124507:
   oc adm upgrade --to-image="registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-09-26-124507" --allow-explicit-upgrade=true --force=true
4. Check that the cluster got upgraded.
5. Install the icsp.yaml and catalogsource yaml files.
6. Do the precondition setup required to run the secrets store pod
   (install the subscription, operatorgroup, driver and azure provider; create a keyvault and give permissions).
7. Create the secret provider class and the deployment.

Actual results:

The error below shows that csi volumes are not allowed for normal users; the deployment pods do not come up:

oc describe rs/mydep-3cert-8546548f9 -n testropatil
  Warning  FailedCreate  47s (x15 over 2m9s)  replicaset-controller  Error creating: pods "mydep-3cert-8546548f9-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "csi": csi volumes are not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "privileged-genevalogging": Forbidden: not usable by user or serviceaccount]

Expected results:

csi volumes should be allowed for normal users.

Additional info:

The restricted-v2 SCC on the ARO cluster does not include csi among its allowed volume types (ephemeral is also absent):
oc get scc restricted-v2 -o yaml
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

The same SCC on an OCP cluster includes csi:
oc get scc restricted-v2 -o yaml
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Discussion: https://redhat-internal.slack.com/archives/C05CXR1PVRD/p1695778332310439
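As an added illustration (an editor's example, not code from the OpenShift project or from this bug's reporter), the Python below reproduces the volume-type part of the SCC admission check that produces the spec.volumes[0] error quoted above, and reports which expected volume types an SCC is missing. The two restricted-v2 volume lists are constructed from the listings in this report; the pod spec and the secrets-store.csi.k8s.io driver name are assumptions, and the check covers only the volume-type rule (not the usable-by-user, UID or capability rules that the other providers in the error fail on).

```python
"""Simulate the SCC volume-type check behind the
'csi volumes are not allowed to be used' error.

Editor's example, not OpenShift project code. The SCC volume lists below are
constructed from the two `oc get scc restricted-v2 -o yaml` listings in this
bug report; the pod spec is an assumed minimal secrets-store deployment pod.
"""

# Constructed: `volumes` of restricted-v2 on the ARO cluster (from the report).
ARO_RESTRICTED_V2 = {
    "metadata": {"name": "restricted-v2"},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}

# Constructed: the same SCC on a stock OCP cluster (from the report).
OCP_RESTRICTED_V2 = {
    "metadata": {"name": "restricted-v2"},
    "volumes": ["configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                "persistentVolumeClaim", "projected", "secret"],
}

# Assumed pod template: one inline CSI volume (driver name is an assumption)
# plus an emptyDir scratch volume.
POD_SPEC = {
    "volumes": [
        {"name": "secrets-store-inline",
         "csi": {"driver": "secrets-store.csi.k8s.io", "readOnly": True}},
        {"name": "tmp", "emptyDir": {}},
    ]
}

# Pod volume-source keys; an SCC's `volumes` list uses the same names.
# In an SCC, "*" allows every type and "none" allows no volumes at all.
VOLUME_SOURCE_KEYS = (
    "awsElasticBlockStore", "azureDisk", "azureFile", "cephFS", "cinder",
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral", "fc",
    "flexVolume", "flocker", "gcePersistentDisk", "gitRepo", "glusterfs",
    "hostPath", "iscsi", "nfs", "persistentVolumeClaim", "photonPersistentDisk",
    "portworxVolume", "projected", "quobyte", "rbd", "scaleIO", "secret",
    "storageos", "vsphereVolume",
)


def volume_type(volume):
    """Return the source type of one pod volume, e.g. 'csi' for {"csi": {...}}."""
    for key in VOLUME_SOURCE_KEYS:
        if key in volume:
            return key
    raise ValueError(f"volume {volume.get('name')!r} has no recognised source")


def volume_errors(scc, pod_spec):
    """Mimic the SCC volume check: one error string per disallowed pod volume."""
    allowed = set(scc.get("volumes", []))
    if "*" in allowed:
        return []
    errors = []
    for idx, vol in enumerate(pod_spec.get("volumes", [])):
        vtype = volume_type(vol)
        if "none" in allowed or vtype not in allowed:
            errors.append(f'spec.volumes[{idx}]: Invalid value: "{vtype}": '
                          f'{vtype} volumes are not allowed to be used')
    return errors


def missing_volume_types(scc, expected=("csi", "ephemeral")):
    """Report which of the expected volume types the SCC does not allow."""
    allowed = set(scc.get("volumes", []))
    if "*" in allowed:
        return []
    return [t for t in expected if t not in allowed]


if __name__ == "__main__":
    for label, scc in (("ARO", ARO_RESTRICTED_V2), ("OCP", OCP_RESTRICTED_V2)):
        print(f"{label} restricted-v2 missing: {missing_volume_types(scc)}")
        for err in volume_errors(scc, POD_SPEC):
            print(f"  {label}: {err}")
```

To run the same check against a live cluster, load the output of `oc get scc restricted-v2 -o json` with `json.load` and pass the resulting dict to `missing_volume_types`; a non-empty result for restricted-v2 is exactly the condition this report describes, and `volume_errors` then shows which volumes of a given pod template would be rejected before the deployment is ever applied.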

People: Jonathan Dobson (jdobson@redhat.com), Rohit Patil (ropatil@redhat.com), Wei Duan
Votes: 0
Watchers: 4