Type: Bug
Resolution: Unresolved
Priority: Minor
Version: 4.17
Description of problem:
The e2e tests that are executed as part of kube-descheduler-operator testing fail with a security context constraint (SCC) error.
Version-Release number of selected component (if applicable):
How reproducible:
Every time
Steps to Reproduce:
1. Install kube-descheduler-operator
2. Clone the https://github.com/openshift/descheduler repository
3. Run the descheduler/test/e2e tests
Actual results:
The e2e tests fail because of SCC issues.
Expected results:
The e2e test suite should succeed without any errors
Additional info:
The deployments created during the e2e tests fail because of SCC issues: the deployment cannot bring up its pods under the restricted SCC, since the pod template pins runAsUser: 1000 and the restricted-v2 SCC rejects that value as outside the namespace's allowed UID range. If the service account is granted the privileged SCC, the pods run.

[root@localhost descheduler]# oc get all
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/duplicate-pod   0/5     0            0           57s

NAME                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/duplicate-pod-7856455b95   5         0         0       57s

[root@localhost descheduler]# oc get deployment.apps/duplicate-pod -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2024-09-04T03:29:37Z"
  generation: 1
  labels:
    app: test-duplicate
    name: test-duplicatePods
  name: duplicate-pod
  namespace: e2e-testremoveduplicates
  resourceVersion: "379314"
  uid: ca7fc243-2208-4586-9b58-f7c8ef7fcf47
spec:
  progressDeadlineSeconds: 600
  replicas: 5
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: test-duplicate
      name: test-duplicatePods
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: test-duplicate
        name: test-duplicatePods
    spec:
      containers:
      - image: registry.redhat.io/rhel9/pause
        imagePullPolicy: Always
        name: pause
        ports:
        - containerPort: 80
          protocol: TCP
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      nodeName: [REDACTED]
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir:
          sizeLimit: "10"
        name: sample
status:
  conditions:
  - lastTransitionTime: "2024-09-04T03:29:37Z"
    lastUpdateTime: "2024-09-04T03:29:37Z"
    message: Created new replica set "duplicate-pod-7856455b95"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-09-04T03:29:37Z"
    lastUpdateTime: "2024-09-04T03:29:37Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-09-04T03:29:37Z"
    lastUpdateTime: "2024-09-04T03:29:37Z"
    message: 'pods "duplicate-pod-7856455b95-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1000720000, 1000729999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 5

[root@localhost descheduler]# oc adm policy add-scc-to-user privileged -z default -n e2e-testremoveduplicates
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "default"

[root@localhost descheduler]# oc get all
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
NAME                                 READY   STATUS    RESTARTS   AGE
pod/duplicate-pod-7c56cf6cc4-lcdtg   1/1     Running   0          22s
pod/duplicate-pod-7c56cf6cc4-vqzb6   1/1     Running   0          22s
pod/duplicate-pod-7c56cf6cc4-vrk96   1/1     Running   0          22s

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/duplicate-pod   3/3     3            3           22s

NAME                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/duplicate-pod-7c56cf6cc4   3         3         3       22s
This is happening with multiple e2e test scenarios. I have provided one such scenario above.
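The failure above is the restricted-v2 SCC's UID-range check, which the pod template's pinned runAsUser: 1000 cannot satisfy, and the privileged-SCC workaround grants the namespace's default service account far more than the test needs. As an added example, not code from the descheduler repository, the Go snippet below reproduces that check offline so an e2e manifest can be validated against a namespace's openshift.io/sa.scc.uid-range annotation before it is applied; the annotation value is a constructed sample matching the range quoted in the error.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Namespace annotation holding the UID block that restricted-v2's MustRunAsRange strategy enforces.
const uidRangeAnnotation = "openshift.io/sa.scc.uid-range"

// parseUIDRange turns "<start>/<size>" (e.g. "1000720000/10000") into the inclusive [lo, hi] UID range.
func parseUIDRange(value string) (lo, hi int64, err error) {
	startStr, sizeStr, ok := strings.Cut(strings.TrimSpace(value), "/")
	start, err1 := strconv.ParseInt(startStr, 10, 64)
	size, err2 := strconv.ParseInt(sizeStr, 10, 64)
	if !ok || err1 != nil || err2 != nil || size <= 0 {
		return 0, 0, fmt.Errorf("malformed uid-range %q: want <start>/<size>", value)
	}
	return start, start + size - 1, nil
}

// checkRunAsUser mirrors the restricted-v2 admission check: a pinned runAsUser must fall inside
// the namespace block; nil passes because the SCC then assigns a UID from the range itself.
func checkRunAsUser(nsAnnotations map[string]string, runAsUser *int64) error {
	if runAsUser == nil {
		return nil
	}
	raw, ok := nsAnnotations[uidRangeAnnotation]
	if !ok {
		return fmt.Errorf("namespace has no %s annotation", uidRangeAnnotation)
	}
	lo, hi, err := parseUIDRange(raw)
	if err != nil {
		return err
	}
	if *runAsUser < lo || *runAsUser > hi {
		return fmt.Errorf(".containers[0].runAsUser: Invalid value: %d: must be in the ranges: [%d, %d]", *runAsUser, lo, hi)
	}
	return nil
}

func main() {
	// Constructed sample: the UID block quoted in the report's SCC error and the e2e pod's pinned UID.
	ns := map[string]string{uidRangeAnnotation: "1000720000/10000"}
	pinned := int64(1000)
	fmt.Println(checkRunAsUser(ns, &pinned)) // rejected, as in the report
	fmt.Println(checkRunAsUser(ns, nil))     // <nil>: leaving runAsUser unset is the fix
}
```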