Loading...

XML

Word

Printable

Type: Bug
Resolution: Can't Do
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.14, 4.15
Component/s: Storage / Operators
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
No

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

[ARO-4.14] csi volumes are not allowed for normal users

Version-Release number of selected component (if applicable):

4.14.0-0.nightly-2023-09-26-124507

How reproducible:

Always

Steps to Reproduce:

1. Install ARO cluster via flexy templates. 
   Flexy: aro-4/aro-hosted/versioned-installer
2. Check the cluster version which will be on 4.11 payload and aro version   
   4.11.44
3. Upgrade the cluster to latest 4.14 payload 4.14.0-0.nightly-2023-09-26-
   124507 
    oc adm upgrade --to-image="registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-09-26-124507" --allow-explicit-upgrade=true --force=true 
4. Check the cluster got upgraded. 
5. Install icsp.yaml and catalogsource yaml files. 
6. Do precondition setup required to run secrets store pod. 
   (Install subscription, operatorgroup, driver, azure provider, create keyvault, give permissions)
7. Create secret provider class, deployment.

Actual results:

Below error shows csi volumes are not allowed for normal users. Deployment pods are not coming up:

oc describe rs/mydep-3cert-8546548f9 -n testropatil
  Warning  FailedCreate  47s (x15 over 2m9s)  replicaset-controller  Error creating: pods "mydep-3cert-8546548f9-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "csi": csi volumes are not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "privileged-genevalogging": Forbidden: not usable by user or serviceaccount]

Expected results:

csi volumes should be not allowed for normal users.

Additional info:

ARO cluster does not include csi:
oc get scc restricted-v2 -o yaml
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

OCP cluster includes csi:
oc get scc restricted-v2 -o yaml
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Discussion: https://redhat-internal.slack.com/archives/C05CXR1PVRD/p1695778332310439

relates to

OCPBUGS-31109 ephemeral permission is not added to restricted-v2 scc post-upgrade

Closed

Assignee:: Jonathan Dobson

Reporter:: Rohit Patil

Need Info From:: None

Contributors:: None

QA Contact:: Wei Duan

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/09/27 11:04 AM

Updated:: 2025/07/25 11:35 AM

Resolved:: 2023/09/27 5:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates