  1. OpenShift Bugs
  2. OCPBUGS-27485

package-server-manager forbidden securityContext.seLinuxOptions: type "spc_t"


Details

    • Moderate
    • No
    • Nyan Cat
    • 1
    • Rejected
    • False

    Description

      Description of problem:

      Upgrading OCP from 4.11 to 4.12 with Datadog installed is stuck due to SCC.
      
      The SCC contains:
      
      ~~~
      seLinuxContext:
        seLinuxOptions:
          level: s0
          role: system_r
          type: spc_t
          user: system_u
        type: MustRunAs
      ~~~
      
      
      And the error shown is:
      ~~~
      deployment openshift-operator-lifecycle-manager/package-server-manager has a replica failure FailedCreate: pods "package-server-manager-12a3b4cd5e-1x2y3" is forbidden: violates PodSecurity "restricted:v1.24": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type "spc_t"; user may not be set; role may not be set)
      ~~~

       

      Version-Release number of selected component (if applicable):

      4.11

       

      How reproducible:

      Upgrading a 4.11 cluster with Datadog installed. The SCC contains:
      
      ~~~
      seLinuxContext:
        seLinuxOptions:
          level: s0
          role: system_r
          type: spc_t
          user: system_u
        type: MustRunAs
      ~~~

      Steps to Reproduce:

      1. Upgrade a 4.11 cluster to 4.12 with Datadog installed, or with an SCC that has the above `seLinuxOptions`.
      

       

      Actual results:

      Upgrade is stuck.

       

      Expected results:

      The Datadog SCC (or customer's custom SCCs) should not affect cluster upgrades.

       

      Additional info:

      Related KCS [1] [2].

       

      [1] https://access.redhat.com/solutions/7027371
      [2] https://access.redhat.com/solutions/7023939
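
An added example, not part of the original report or of OpenShift's own code: a Python audit that reads SCC objects in the JSON shape of `oc get scc -o json` and flags any whose `seLinuxContext` carries the fields named in the error above. The allowed-type set is an assumption taken from the upstream Pod Security Standards, and the SCC names in the sample are constructed.

```python
import json
import sys

# seLinuxOptions.type values accepted by the upstream Pod Security Standards
# check at v1.24 (assumption from the Kubernetes docs, not from this report).
ALLOWED_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}

# Constructed sample shaped like `oc get scc -o json`; names are hypothetical.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example-agent"},
     "seLinuxContext": {"type": "MustRunAs", "seLinuxOptions": {
         "level": "s0", "role": "system_r", "type": "spc_t", "user": "system_u"}}},
    {"metadata": {"name": "example-restricted"},
     "seLinuxContext": {"type": "MustRunAs"}},
    {"metadata": {"name": "example-anyuid"},
     "seLinuxContext": {"type": "RunAsAny"}},
]})


def selinux_findings(scc):
    """Return the reasons this SCC's seLinuxContext would fail the check."""
    ctx = scc.get("seLinuxContext") or {}
    if ctx.get("type") != "MustRunAs":
        return []  # only a MustRunAs strategy carries fixed seLinuxOptions
    opts = ctx.get("seLinuxOptions") or {}
    reasons = []
    se_type = opts.get("type") or ""
    if se_type not in ALLOWED_TYPES:
        reasons.append('type "%s"' % se_type)
    for field in ("user", "role"):
        if opts.get(field):
            reasons.append("%s may not be set" % field)
    return reasons


def audit(scc_list_json):
    """Map SCC name -> findings for every SCC that has at least one."""
    doc = json.loads(scc_list_json)
    items = doc.get("items", [doc])  # accept a List object or a single SCC
    report = {}
    for scc in items:
        found = selinux_findings(scc)
        if found:
            report[scc["metadata"]["name"]] = found
    return report


if __name__ == "__main__":
    # With piped input, audit the live dump; otherwise use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, reasons in audit(data).items():
        print("%s: %s" % (name, "; ".join(reasons)))
```

Piping `oc get scc -o json` into the script before an upgrade lists the SCCs to review; with no piped input it runs on the constructed sample.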

            People

              krizza@redhat.com Kevin Rizza
              oarribas@redhat.com Oscar Arribas Arribas
              Jian Zhang Jian Zhang