Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.10
Component/s: Node / CRI-O
Labels:
None

Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.10.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Description of problem:
When capabilities are not honored on some versions.

Version-Release number of selected component (if applicable):

from my testings:

4.10.24 - OVNKubernetes: Failed

How reproducible:
always on those verions

Steps to Reproduce:
1. run the script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cat test.sh
oc new-project capabilities
oc create sa test
oc adm policy add-scc-to-user privileged -z test
oc get clusterrolebindings system:openshift:scc:privileged -o wide
echo enter to create a deployment; read a
cat << EOF | oc create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: testpod
namespace: capabilities
spec:
selector:
matchLabels:
app: testpod
template:
metadata:
labels:
app: testpod
spec:
containers:

image: registry.redhat.io/openshift4/cnf-tests-rhel8
imagePullPolicy: IfNotPresent
name: dk-container1
command: ['sh', '-c', 'echo _____ app is running! && sleep 3600']
securityContext:
capabilities:
add:
NET_ADMIN
NET_RAW
DAC_READ_SEARCH
IPC_LOCK
SYS_MODULE
SYS_RAWIO
SYS_PTRACE
SYS_ADMIN
SYS_NICE
SYS_TIME
SYS_TTY_CONFIG
SYS_RESOURCE
SYS_CHROOT
SETFCAP
securityContext:
fsGroup: 2001
runAsGroup: 2001
runAsUser: 2101
serviceAccount: test
serviceAccountName: test
EOF
while $(! oc get pods | grep testpod | grep Running &> /dev/null); do echo wait for pod to be Running; sleep 15;done
echo capabilities:
oc exec -ti `oc get pods -o name` – getpcaps 1

bash test.sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
Capabilities are not displayed

Expected results:
Capabilities should be displayed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Capabilities for `1': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_setfcap+i
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Additional info:

is cloned by

OCPBUGS-543 [4.9] capabilities are not honored

Closed

Assignee:: Peter Hunt

Reporter:: Peter Hunt

QA Contact:: Sunil Choudhary

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2022/08/24 4:34 PM

Updated:: 2022/09/16 2:34 PM

Resolved:: 2022/09/08 5:40 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates