Type: Bug
Resolution: Unresolved
Priority: Normal
Affects Version: 4.18
Quality / Stability / Reliability
Severity: Moderate
Description of problem:
HyperShift catalog operator reconciliation may fail due to SCC selection. When a user-created SecurityContextConstraints object with a high priority exists on the guest cluster, SCC admission applies it to the registry pods the catalog operator creates in openshift-marketplace, and the SELinux type it injects (container_logreader_t in the example below) is then rejected by Pod Security admission, which enforces the baseline profile in that namespace. The catalog operator keeps retrying and never recreates the pods.
Version-Release number of selected component (if applicable):
4.18.0-rc.8
How reproducible:
Always
Steps to Reproduce:
1. Create a HyperShift managed cluster with ".spec.olmCatalogPlacement" set to "guest".
2. Create an SCC with priority set (see example below).
3. oc delete pods -n openshift-marketplace --all
Actual results:
HyperShift catalog operator is unable to recreate the pods in the openshift-marketplace namespace due to PodSecurity violation errors.
Expected results:
HyperShift catalog operator recreates the pods in the openshift-marketplace namespace using the correct SCC.
Example SCC:
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- DAC_READ_SEARCH
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: |-
      hostmount-logger is similar to hostmount-anyuid, but it drops more of the Linux SYSCAP capabilities to reduce blast radius.
    meta.helm.sh/release-name: logs-agent
    meta.helm.sh/release-namespace: ibm-observe
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    name: logs-agent
    version: 1.4.0
  name: hostmount-logger-logs-agent
priority: 20
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
- FSETID
- KILL
- NET_BIND_SERVICE
- NET_RAW
runAsUser:
  type: RunAsAny
seLinuxContext:
  seLinuxOptions:
    type: container_logreader_t
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:ibm-observe:logs-agent
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- nfs
- persistentVolumeClaim
- projected
- secret
Example catalog operator pod error messages:
E0220 19:28:53.102856 1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/community-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: community-operators-: pods \"community-operators-gl566\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
E0220 19:28:53.707892 1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/certified-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: certified-operators-: pods \"certified-operators-qq7qz\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
E0220 19:28:55.513673 1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/redhat-marketplace\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: redhat-marketplace-: pods \"redhat-marketplace-btm8g\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
E0220 19:28:56.095262 1 queueinformer_operator.go:312] "Unhandled Error" err="sync \"openshift-marketplace/redhat-operators\" failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: redhat-operators-: pods \"redhat-operators-tlj8m\" is forbidden: violates PodSecurity \"baseline:v1.25\": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type \"container_logreader_t\")" logger="UnhandledError"
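The following is an added example, not code from HyperShift, OLM or OpenShift. It is a small model of the two admission steps the SCC above and the error messages above show: SCC admission orders the SCCs the requesting identity may use (documented rule: higher priority first, a nil priority counts as 0, then more restrictive first, then name), the first match mutates the pod with the MustRunAs SELinux type, and Pod Security admission then applies the baseline rule that only container_t, container_init_t and container_kvm_t may be set. Assumptions: a two-SCC cluster (restricted-v2 plus the hostmount-logger SCC from the report), a coarse restrictiveness score in place of the real scorer, a constructed requester identity, and that the identity creating the registry pods is allowed to use every SCC, which is what the injected container_logreader_t type in the reported error implies.

```python
"""Model of SCC selection followed by Pod Security admission (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Pod Security "baseline" profile (v1.25): the only SELinux types a pod may set.
BASELINE_ALLOWED_SELINUX_TYPES = {"container_t", "container_init_t", "container_kvm_t"}


@dataclass
class SCC:
    name: str
    priority: Optional[int] = None
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    allow_privileged: bool = False
    allow_host_dir: bool = False
    # seLinuxContext.seLinuxOptions.type for a MustRunAs strategy; None means
    # the SCC leaves the type to the namespace/runtime default.
    selinux_type: Optional[str] = None

    def restrictiveness(self) -> int:
        # Assumption: coarse score, lower is more restrictive. The real
        # admission plugin scores many more fields.
        return 10 * int(self.allow_privileged) + 5 * int(self.allow_host_dir)


def can_use(scc: SCC, user: str, groups: Set[str], admin: bool) -> bool:
    """Usable if the identity is listed on the SCC or (assumption) holds
    cluster-admin-level RBAC, which grants 'use' on every SCC."""
    return admin or user in scc.users or bool(scc.groups & groups)


def order_sccs(sccs: List[SCC]) -> List[SCC]:
    """Documented ordering: highest priority first, then most restrictive, then name."""
    return sorted(sccs, key=lambda s: (-(s.priority or 0), s.restrictiveness(), s.name))


def scc_admit(sccs, user, groups, admin, pod_selinux_type=None) -> Tuple[Optional[str], Optional[str]]:
    """Return (scc name, effective SELinux type) for the first usable SCC that
    validates the pod; a MustRunAs SCC fills in its type when the pod sets none."""
    for scc in order_sccs(sccs):
        if not can_use(scc, user, groups, admin):
            continue
        effective = pod_selinux_type if pod_selinux_type is not None else scc.selinux_type
        if scc.selinux_type is not None and effective != scc.selinux_type:
            continue  # pod asks for a type this SCC does not allow
        return scc.name, effective
    return None, None


def pod_security_baseline(selinux_type: Optional[str]) -> Optional[str]:
    """Return the violation message, or None when the pod is admitted."""
    if selinux_type is None or selinux_type in BASELINE_ALLOWED_SELINUX_TYPES:
        return None
    return ('violates PodSecurity "baseline:v1.25": seLinuxOptions (pod set '
            f'forbidden securityContext.seLinuxOptions: type "{selinux_type}")')


def simulate(priority: Optional[int], requester_admin: bool = True):
    """Admit a registry pod that sets no securityContext of its own into a
    namespace enforcing baseline, with the report's SCC at the given priority."""
    restricted_v2 = SCC("restricted-v2", groups={"system:authenticated"})
    hostmount_logger = SCC(
        "hostmount-logger-logs-agent",
        priority=priority,
        users={"system:serviceaccount:ibm-observe:logs-agent"},
        allow_privileged=True,
        allow_host_dir=True,
        selinux_type="container_logreader_t",
    )
    # Constructed requester identity: not the logs-agent service account.
    user = "system:serviceaccount:constructed-ns:registry-pod-creator"
    chosen, selinux_type = scc_admit(
        [restricted_v2, hostmount_logger], user, {"system:authenticated"}, requester_admin
    )
    return chosen, selinux_type, pod_security_baseline(selinux_type)


if __name__ == "__main__":
    # priority 20 + admin requester reproduces the reported rejection; dropping
    # the priority, or a requester not entitled to the SCC, lets restricted-v2 win.
    for prio, admin in ((20, True), (None, True), (20, False)):
        print(f"priority={prio} admin={admin}: {simulate(prio, admin)}")
```

On a live cluster the same two facts can be checked directly: `oc get scc -o custom-columns=NAME:.metadata.name,PRIORITY:.priority` lists which SCCs outrank the default ones, and a pod that did get admitted carries the `openshift.io/scc` annotation naming the SCC that mutated it. The model shows why restricting `users:` on the SCC is not sufficient on its own: an identity that can use every SCC still gets the highest-priority one, so the priority is what needs to go if the SCC must coexist with a namespace enforcing baseline.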