OCPBUGS-20347: package-server-manager forbidden securityContext.seLinuxOptions: type "spc_t"


    • Moderate
    • No
    • Joe Lanford 244
    • 1
    • Rejected
    • False
      * With the security context constraint (SCC) API, users are able to configure security contexts for scheduling workloads on their cluster. Because parts of core {product-title} components run as pods that are scheduled on control plane nodes, it is possible to create an SCC that prevents those core components from being properly scheduled in `openshift-*` namespaces.
      +
      This bug fix reduces the RBAC scope for the `openshift-operator-lifecycle-manager` service account used to run the `package-server-manager` core component. With this update, it is now significantly less likely that an SCC can be applied to the cluster that will cause unexpected scheduling issues with the `package-server-manager` component.
      +
      [WARNING]
      ====
      The SCC API can globally affect scheduling on an {product-title} cluster. When applying such constraints to workloads on the cluster, carefully read the xref:../authentication/managing-security-context-constraints.adoc#managing-pod-security-policies[SCC documentation].
      ====
      +
      (link:https://issues.redhat.com/browse/OCPBUGS-20347[*OCPBUGS-20347*])
    • Bug Fix
    • Done

      Description of problem:

      Upgrading OCP from 4.11 to 4.12 with Datadog installed is stuck due to SCC.
      
      The SCC contains:
      
      ~~~
      seLinuxContext:
        seLinuxOptions:
          level: s0
          role: system_r
          type: spc_t
          user: system_u
        type: MustRunAs
      ~~~
      
      And the error shown is:
      ~~~
      deployment openshift-operator-lifecycle-manager/package-server-manager has a replica failure FailedCreate: pods "package-server-manager-12a3b4cd5e-1x2y3" is forbidden: violates PodSecurity "restricted:v1.24": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type "spc_t"; user may not be set; role may not be set)
      ~~~


      Version-Release number of selected component (if applicable):

      4.11


      How reproducible:

      Upgrading a 4.11 cluster with Datadog installed. The SCC contains:
      
      ~~~
      seLinuxContext:
        seLinuxOptions:
          level: s0
          role: system_r
          type: spc_t
          user: system_u
        type: MustRunAs
      ~~~

      Steps to Reproduce:

      1. Upgrade a 4.11 cluster to 4.12 with Datadog installed, or with an SCC that contains the above `seLinuxOptions`
      


      Actual results:

      Upgrade is stuck.


      Expected results:

      The Datadog SCC (or customer's custom SCCs) should not affect cluster upgrades.


      Additional info:

      Related KCS [1] [2].


      [1] https://access.redhat.com/solutions/7027371
      [2] https://access.redhat.com/solutions/7023939
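The following is an added example, not part of the bug report or of OpenShift's own code: a small audit that evaluates an SCC's `seLinuxContext` against the Pod Security `restricted:v1.24` rules quoted in the error above, so an operator can spot an SCC like the Datadog one before it blocks core pods. The allow-list of SELinux types is the v1.24 baseline/restricted set as I know it; the sample SCC is constructed from the fragment in the description, and the function and constant names are mine.

```python
# Added example (not from the bug report): audit an SCC's seLinuxContext against
# the Pod Security "restricted:v1.24" rules that rejected package-server-manager.
# Baseline/restricted limit the SELinux type to a short allow-list and forbid
# setting user or role; level is not restricted.

# Types accepted by baseline/restricted in Kubernetes v1.24
# (container_engine_t was only added to the list in later releases).
ALLOWED_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}


def selinux_violations(opts: dict) -> list:
    """Return PSA-style complaints for one seLinuxOptions block (empty = OK)."""
    violations = []
    sel_type = opts.get("type", "")
    if sel_type not in ALLOWED_SELINUX_TYPES:
        violations.append(f'type "{sel_type}"')
    if opts.get("user"):
        violations.append("user may not be set")
    if opts.get("role"):
        violations.append("role may not be set")
    return violations


def scc_conflicts_with_restricted(scc: dict) -> list:
    """List seLinuxOptions an SCC would force onto pods that restricted PSA rejects.

    Only a MustRunAs strategy with explicit seLinuxOptions stamps values onto the
    pods admitted through it; RunAsAny leaves the pod's own settings untouched.
    """
    ctx = scc.get("seLinuxContext", {})
    if ctx.get("type") != "MustRunAs":
        return []
    return selinux_violations(ctx.get("seLinuxOptions", {}))


# Constructed sample mirroring the SCC fragment quoted in the description.
DATADOG_LIKE_SCC = {
    "seLinuxContext": {
        "type": "MustRunAs",
        "seLinuxOptions": {"level": "s0", "role": "system_r",
                           "type": "spc_t", "user": "system_u"},
    },
}

if __name__ == "__main__":
    for v in scc_conflicts_with_restricted(DATADOG_LIKE_SCC):
        print("forbidden securityContext.seLinuxOptions:", v)
```

Run against every SCC in a cluster (for example the output of `oc get scc -o json`, loaded into dicts) to find the ones that would collide with the restricted profile in `openshift-*` namespaces before an upgrade.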

            agreene1991 Alexander Greene
            oarribas@redhat.com Oscar Arribas Arribas
            Jian Zhang Jian Zhang
            Alex Dellapenta Alex Dellapenta