Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7167

operator scc is nor fixed when we define a custom scc with readOnlyRootFilesystem: true

      This bug is a backport clone of [Bugzilla Bug 2113973](https://bugzilla.redhat.com/show_bug.cgi?id=2113973). The following is the description of the original bug:

      If we define a custom scc like this:

      allowHostDirVolumePlugin: true
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: false
      allowPrivilegedContainer: false
      allowedCapabilities: []
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: []
      fsGroup:
      type: MustRunAs
      groups:

      • system:authenticated
        kind: SecurityContextConstraints
        metadata:
        annotations:
        kubernetes.io/description: MCP Vault Unsealer
        meta.helm.sh/release-name: vault
        meta.helm.sh/release-namespace: mcp-vault
        creationTimestamp: "2022-07-25T11:09:53Z"
        generation: 2
        labels:
        app.kubernetes.io/instance: vault
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: vault-unsealer
        app.kubernetes.io/version: 3.7.0
        helm.sh/chart: vault-unsealer-3.7.1
        name: vault-unsealer
        resourceVersion: "1793493"
        uid: 6b6d88be-03c0-476d-8602-2e94e4ecfcb5
        priority: null
        readOnlyRootFilesystem: true
        requiredDropCapabilities:
      • KILL
      • MKNOD
      • SETUID
      • SETGID
        runAsUser:
        type: RunAsAny
        seLinuxContext:
        type: MustRunAs
        supplementalGroups:
        type: RunAsAny
        users:
      • system:serviceaccount:mcp-vault:vault-unsealer
        volumes:
      • configMap
      • hostPath
      • secret

      we can see that the pod originally has this scc:

      oc get pod machine-config-operator-7f57686f5c-g895k -o yaml | grep scc
      openshift.io/scc: hostmount-anyuid

      After applying the new SCC ( even if we set a higher priority ) the pod is showing after restart:

      oc get pod machine-config-operator-7f57686f5c-jg2jv -o yaml | grep scc
      openshift.io/scc: vault-unsealer

              team-mco Team MCO
              openshift-crt-jira-prow OpenShift Prow Bot
              Rio Liu Rio Liu
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: