OpenShift Bugs / OCPBUGS-51136

HyperShift catalog operator reconciliation may fail due to SCC selection

    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.18
    • HyperShift
    • Quality / Stability / Reliability
    • Moderate

      Description of problem:

      HyperShift catalog operator reconciliation may fail due to SCC selection 

      Version-Release number of selected component (if applicable):

      4.18.0-rc.8

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a HyperShift managed cluster with ".spec.olmCatalogPlacement" set to "guest".
      2. Create an SCC with priority set (see example below).
      3. oc delete pods -n openshift-marketplace --all

      Actual results:

      HyperShift catalog operator is unable to recreate the pods in the openshift-marketplace namespace due to PodSecurity violation errors.

      Expected results:

      HyperShift catalog operator recreates the pods in the openshift-marketplace namespace using the correct SCC.

      Example SCC:

      allowHostDirVolumePlugin: true
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowPrivilegedContainer: true
      allowedCapabilities:
      - DAC_READ_SEARCH
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: null
      fsGroup:
        type: RunAsAny
      groups: []
      kind: SecurityContextConstraints
      metadata:
        annotations:
          kubernetes.io/description: |-
            hostmount-logger is similar to hostmount-anyuid, but it drops more of
            the Linux SYSCAP capabilities to reduce blast radius.
          meta.helm.sh/release-name: logs-agent
          meta.helm.sh/release-namespace: ibm-observe
        generation: 1
        labels:
          app.kubernetes.io/managed-by: Helm
          name: logs-agent
          version: 1.4.0
        name: hostmount-logger-logs-agent
      priority: 20
      readOnlyRootFilesystem: false
      requiredDropCapabilities:
      - MKNOD
      - FSETID
      - KILL
      - NET_BIND_SERVICE
      - NET_RAW
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        seLinuxOptions:
          type: container_logreader_t
        type: MustRunAs
      supplementalGroups:
        type: RunAsAny
      users:
      - system:serviceaccount:ibm-observe:logs-agent
      volumes:
      - configMap
      - downwardAPI
      - emptyDir
      - hostPath
      - nfs
      - persistentVolumeClaim
      - projected
      - secret

      Example catalog operator pod error messages:

      E0220 19:28:53.102856       1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/community-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: community-operators-: pods \"community-operators-gl566\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
      E0220 19:28:53.707892       1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/certified-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: certified-operators-: pods \"certified-operators-qq7qz\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
      E0220 19:28:55.513673       1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/redhat-marketplace\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: redhat-marketplace-: pods \"redhat-marketplace-btm8g\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
      E0220 19:28:56.095262       1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/redhat-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: redhat-operators-: pods \"redhat-operators-tlj8m\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
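      One defender-side check suggested by this report, as an added example that is not part of the bug or of the HyperShift/OLM code: it flags SCCs carrying an explicit priority whose MustRunAs seLinuxContext would push any pod they get applied to out of PodSecurity baseline, which is the combination the log lines above show. It assumes SCC objects in the JSON shape `oc get scc -o json` returns (the sample objects are constructed from the report's YAML) and the baseline:v1.25 allowlist of SELinux types.

```python
# Added example, not code from the bug report or from HyperShift/OLM. Input is the
# SCC object shape `oc get scc -o json` returns; only the seLinuxOptions mutation
# that SCC admission applies is modelled, checked against PodSecurity baseline:v1.25.
BASELINE_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}

def forced_selinux_options(scc):
    """seLinuxOptions that SCC admission would write onto a pod, or {} if none.
    Only MustRunAs with explicit seLinuxOptions forces values; RunAsAny keeps
    whatever the pod spec already carries."""
    ctx = scc.get("seLinuxContext") or {}
    if ctx.get("type") != "MustRunAs":
        return {}
    return dict(ctx.get("seLinuxOptions") or {})

def baseline_violations(scc):
    """Baseline checks the mutated pod would fail (the error text in the report)."""
    opts = forced_selinux_options(scc)
    problems = []
    selinux_type = opts.get("type") or ""
    if selinux_type not in BASELINE_SELINUX_TYPES:
        problems.append(f"seLinuxOptions.type {selinux_type!r} is not in the baseline allowlist")
    for field in ("user", "role"):  # baseline requires both to be unset
        if opts.get(field):
            problems.append(f"seLinuxOptions.{field} must be unset under baseline")
    return problems

def risky_prioritised_sccs(sccs):
    """SCCs with an explicit priority whose mutation breaks baseline, highest first.
    SCC admission orders candidates by priority (descending) before restrictiveness,
    so a prioritised SCC wins over restricted-v2 for every creator allowed to use it."""
    hits = []
    for scc in sccs:
        prio = scc.get("priority")
        if prio is None:
            continue
        problems = baseline_violations(scc)
        if problems:
            hits.append((prio, scc["metadata"]["name"], problems))
    return sorted(hits, key=lambda h: -h[0])

# Constructed from the report's SCC, reduced to the fields the check reads.
HOSTMOUNT_LOGGER = {
    "metadata": {"name": "hostmount-logger-logs-agent"},
    "priority": 20,
    "seLinuxContext": {"type": "MustRunAs",
                       "seLinuxOptions": {"type": "container_logreader_t"}},
}
# Constructed stand-in for a default SCC: no priority, no forced seLinuxOptions type.
RESTRICTED_LIKE = {"metadata": {"name": "restricted-v2"}, "seLinuxContext": {"type": "MustRunAs"}}
```

      Running `risky_prioritised_sccs` over every SCC on a cluster lists the ones that can silently pull a pod out of baseline for any creator able to use them.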

              sjenning Seth Jennings
              richardtheis Richard Theis