Description of problem:
Upgrading OCP from 4.11 to 4.12 with Datadog installed gets stuck because of the Datadog SCC. The SCC contains:
~~~
seLinuxContext:
  seLinuxOptions:
    level: s0
    role: system_r
    type: spc_t
    user: system_u
  type: MustRunAs
~~~
And the error shown is:
~~~
deployment openshift-operator-lifecycle-manager/package-server-manager has a replica failure FailedCreate: pods "package-server-manager-12a3b4cd5e-1x2y3" is forbidden: violates PodSecurity "restricted:v1.24": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type "spc_t"; user may not be set; role may not be set)
~~~
Version-Release number of selected component (if applicable):
4.11
How reproducible:
Upgrading a 4.11 cluster with Datadog installed. The SCC contains:
~~~
seLinuxContext:
  seLinuxOptions:
    level: s0
    role: system_r
    type: spc_t
    user: system_u
  type: MustRunAs
~~~
Steps to Reproduce:
1. Upgrade a 4.11 cluster to 4.12 with Datadog installed, or with any SCC that contains the `seLinuxOptions` shown above.
Actual results:
Upgrade is stuck.
Expected results:
The Datadog SCC (or customer's custom SCCs) should not affect cluster upgrades.
Additional info:
Related KCS [1] [2].
[1] https://access.redhat.com/solutions/7027371
[2] https://access.redhat.com/solutions/7023939
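To find SCCs that would trigger the PodSecurity error quoted in the description before an upgrade, here is an added example (not from this report, Datadog or OpenShift) that applies the restricted-profile seLinuxOptions rules to an SCC's `seLinuxContext`; the SCC JSON is a constructed sample shaped like the one above, and the allowed-type set follows the Pod Security Standards baseline rule.

```python
import json

# SELinux types the PodSecurity baseline/restricted profiles accept for
# securityContext.seLinuxOptions.type; an unset/empty type is also accepted.
ALLOWED_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}

# Constructed sample SCC with the seLinuxContext from the report (name is made up).
SAMPLE_SCC_JSON = """
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "datadog-agent-example"},
  "seLinuxContext": {
    "type": "MustRunAs",
    "seLinuxOptions": {
      "level": "s0",
      "role": "system_r",
      "type": "spc_t",
      "user": "system_u"
    }
  }
}
"""


def selinux_violations(scc: dict) -> list[str]:
    """Return the PodSecurity seLinuxOptions violations that a MustRunAs
    seLinuxContext would inject into every pod the SCC admits."""
    ctx = scc.get("seLinuxContext") or {}
    opts = ctx.get("seLinuxOptions") or {}
    # Only MustRunAs forces these options onto pods; RunAsAny leaves them unset.
    if ctx.get("type") != "MustRunAs" or not opts:
        return []
    problems = []
    if opts.get("type", "") not in ALLOWED_SELINUX_TYPES:
        problems.append(f'type "{opts["type"]}" is not permitted')
    if opts.get("user"):  # level is allowed by the profile; user and role are not
        problems.append("user may not be set")
    if opts.get("role"):
        problems.append("role may not be set")
    return problems


def report(scc_json: str) -> dict[str, list[str]]:
    """Map an SCC name (e.g. from `oc get scc <name> -o json`) to its violations."""
    scc = json.loads(scc_json)
    return {scc["metadata"]["name"]: selinux_violations(scc)}


if __name__ == "__main__":
    for name, problems in report(SAMPLE_SCC_JSON).items():
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```

An SCC that reports no violations here can still be blocked by other restricted-profile rules (capabilities, privileged, host namespaces); this check only covers the seLinuxOptions part of the error.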
- is cloned by: OCPBUGS-27485 package-server-manager forbidden securityContext.seLinuxOptions: type "spc_t" (Closed)
- is depended on by: OCPBUGS-27485 package-server-manager forbidden securityContext.seLinuxOptions: type "spc_t" (Closed)
- is related to:
  - LOG-4572 collection DaemonSet violates PodSecurity in hypershift hosted project (Closed)
  - OCPBUGS-15245 custom SCC breaks openshift-controller-manager-operator pod (Closed)
  - OCPBUGS-31932 openshift-marketplace operators forbidden securityContext.seLinuxOptions (Closed)
  - OTA-680 Improve reporting when version pod fails on SCC injection (Closed)
- links to: RHEA-2023:7198 rpm