Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20192

openshift.io/scc: restricted-readonly when setting up router sharding

    XMLWordPrintable

Details

    • Moderate
    • No
    • 2
    • Sprint 243
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      When setting up router sharding with `endpointPublishingStrategy: Private` in a OCP 4.13.11 BareMetal cluster, the restricted-readonly scc is added to the router pods. Causing them to CrashLoopBackOff:

      ~~~
      $ oc get pod -n openshift-ingress router-spinque-xxx -oyaml | grep -i scc
      openshift.io/scc: restricted-readonly <<<
      $ oc get pod -n openshift-ingress router-spinque-xxxj -oyaml | grep -i scc
      openshift.io/scc: restricted-readonly <<<<
      $ oc get pod -n openshift-ingress router-spinque-xxx -oyaml | grep -i scc
      openshift.io/scc: restricted-readonly <<<<
      ~~~
      ~~~
      router-spinque-xxx 0/1 CrashLoopBackOff 27 2h
      router-spinque-xxx 0/1 CrashLoopBackOff 27 2h
      router-spinque-xxx 0/1 CrashLoopBackOff 27 2h
      ~~~

      Please find the must-gather as well as the sos-report from one of the nodes in the case 03624389 in supportshell

       

      The following scc config can be used to reproduce this issue on any platform:

      allowPrivilegeEscalation: true
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  name: bad-router
priority: 0
readOnlyRootFilesystem: true
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

      Save the above yaml as bad-router-scc.yaml then apply it to your cluster:

      $ oc apply -f bad-router-scc.yaml

      Force the restart of router pods, such as by deleting one:

      $ oc delete pod router-default-6465854689-gvjhs

      The newly started pod(s) should be running but not ready, with the bad-router scc:

      $ oc get pods
NAME                              READY   STATUS    RESTARTS   AGE
router-default-6465854689-7x558   0/1     Running   0          49s
$ oc get pod router-default-6465854689-7x558 -o yaml|grep scc
    openshift.io/scc: bad-router

      If you wait long enough, it will restart multiple times, and eventually enter the CrashLoopBackOff state

      Attachments

        Issue Links

          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AUTH-482 SCC pinning for all workloads in platform namespaces

          • Undefined - Priority not specified.
          • In Progress
          relates to

          Feature Request - Feature requests from customers and/or users RFE-4151 [openshift-ingress] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Rejected
          links to

          GitHub openshift/cluster-ingress-operator#981: OCPBUGS-20192: Require non-readonly filesystem in router container

          Web Link RHEA-2023:7198 rpm

          Activity

            People

              rfredett@redhat.com Ryan Fredette
              aalgorta@redhat.com Agustin Algorta
              Shudi Li Shudi Li
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: