- Bug
- Resolution: Unresolved
- 4.18.z
- Moderate
Description of problem:
Customer is running upstream Istio (not OSSM) and is hitting a weird issue with SCC selection when the sidecar container is injected into the pod.
The customer runs an application with FTP that requires a couple of capabilities to be added. The customer created a custom SCC for that and added all the capabilities, but once the pod is scheduled, the Istio SCC is applied instead.
We've checked the custom SCC: it is correct and it is correctly assigned to the Service Account. We also tried the required SCC annotation.
However, it doesn't pick up the custom SCC and uses the Istio one instead.
The audit logs show:
```
"securitycontextconstraints.admission.openshift.io/chosen": "<scc-istio>",
"securitycontextconstraints.admission.openshift.io/reason": "\"<custom-scc>\" is the only one not too restrictive and not denied",
"securityserviceconstraints.admission.openshift.io/denied": ""
```
Under the Istio SCC the FTP application can't function correctly.
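As an added example (not part of this report), the check below scans API-server audit log entries for pod creates and flags every pod whose admitted SCC (the `chosen` annotation shown above) differs from the SCC expected for that pod's service account, printing the admission plugin's `reason` alongside. The sample audit lines, the namespaces and the SCC names `custom-ftp-scc` and `scc-istio` are constructed placeholders, and the script assumes the log was written at RequestResponse level so that `requestObject` is present.

```python
import json

# Annotation keys the OpenShift SCC admission plugin writes into audit events
# (both appear verbatim in the audit excerpt in the report).
CHOSEN = "securitycontextconstraints.admission.openshift.io/chosen"
REASON = "securitycontextconstraints.admission.openshift.io/reason"

# Constructed sample audit lines; names are placeholders, not values from the report.
SAMPLE_LINES = [
    json.dumps({"verb": "create",
                "objectRef": {"resource": "pods", "namespace": "ftp", "name": "ftp-server-7c9-x1"},
                "requestObject": {"spec": {"serviceAccountName": "ftp-sa"}},
                "annotations": {CHOSEN: "scc-istio",
                                REASON: '"custom-ftp-scc" is the only one not too restrictive and not denied'}}),
    json.dumps({"verb": "create",
                "objectRef": {"resource": "pods", "namespace": "web", "name": "web-5d4-a2"},
                "requestObject": {"spec": {"serviceAccountName": "web-sa"}},
                "annotations": {CHOSEN: "restricted-v2", REASON: ""}}),
    "not json at all",  # malformed line, must be skipped rather than abort the scan
]

# SCC the operator intends each namespace/serviceaccount to be admitted under.
EXPECTED = {"ftp/ftp-sa": "custom-ftp-scc", "web/web-sa": "restricted-v2"}


def scc_mismatches(audit_lines, expected):
    """Return (namespace, pod, chosen, reason) for every pod create whose
    admitted SCC differs from the one expected for its service account."""
    findings = []
    for raw in audit_lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        ann = ev.get("annotations", {})
        chosen = ann.get(CHOSEN)
        if not chosen:
            continue  # not an SCC-admitted pod event (or annotation missing)
        spec = ev.get("requestObject", {}).get("spec", {})
        sa = spec.get("serviceAccountName", "default")
        ns = ref.get("namespace", "")
        want = expected.get(f"{ns}/{sa}")
        if want and chosen != want:
            findings.append((ns, ref.get("name", ""), chosen, ann.get(REASON, "")))
    return findings


if __name__ == "__main__":
    for ns, pod, chosen, reason in scc_mismatches(SAMPLE_LINES, EXPECTED):
        print(f"{ns}/{pod}: admitted under {chosen!r}; reason: {reason}")
```

Run against a real `audit.log` by feeding its lines to `scc_mismatches` with your own `EXPECTED` map; a pod listed there with a `reason` naming a different SCC than `chosen` is exactly the pattern this report describes.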
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.18
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info: