-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.22
Summary
The test `[sig-auth][Feature:SCC][Early] should not have pod creation failures during install` is failing in TechPreview feature set variants due to SCC validation failures for the operator-controller-controller-manager component.
Test Details
- *Test Name:* [sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel]
- *Test ID:* openshift-tests:2086ba47170a75add4548a707f2aa761
- *Component:* oauth-apiserver
- *Capability:* SCC
- *Release:* 4.22
ffected Regressions
- *Regression 36104* (ARM64, AWS, TechPreview, Serial) - [Sippy Test Details](https://sippy-auth.dptools.openshift.org/sippy-ng/component_readiness/test_details?Architecture=arm64&FeatureSet=techpreview&Installer=ipi&LayeredProduct=none&Network=ovn&Platform=aws&Suite=serial&Topology=ha&Upgrade=none&baseEndTime=2026-02-03T23%3A59%3A59Z&baseRelease=4.21&baseStartTime=2026-01-04T00%3A00%3A00Z&capability=SCC&columnGroupBy=Network%2CPlatform%2CTopology&component=oauth-apiserver&confidence=95&dbGroupBy=Architecture%2CFeatureSet%2CInstaller%2CLayeredProduct%2CNetwork%2CPlatform%2CSuite%2CTopology%2CUpgrade&environment=Architecture%3Aarm64+FeatureSet%3Atechpreview+Installer%3Aipi+LayeredProduct%3Anone+Network%3Aovn+Platform%3Aaws+Suite%3Aserial+Topology%3Aha+Upgrade%3Anone&flakeAsFailure=false&ignoreDisruption=true&ignoreMissing=false&includeMultiReleaseAnalysis=true&includeVariant=Architecture%3Aamd64&includeVariant=Architecture%3Aarm64&includeVariant=Architecture%3Amulti&minFail=3&passRateAllTests=0&passRateNewTests=95&pity=5&sampleEndTime=2026-03-05T20%3A00%3A00Z&sampleRelease=4.22&sampleStartTime=2026-02-26T00%3A00%3A00Z&testId=openshift-tests%3A2086ba47170a75add4548a707f2aa761)
- *Regression 36121* (AMD64, Azure, TechPreview)
- *Regression 36124* (AMD64, AWS, TechPreview, Serial)
Regression Opened
2026-03-04
Affected Variants
All variants use TechPreview feature set:
- AWS (ARM64 and AMD64)
- Azure (AMD64)
Failure Pattern
- *Pattern:* Flaky (10% failure rate)
- *First Observed:* 2026-03-03
- *Consistency:* 100% identical error across all failures
Error Message
fail [github.com/openshift/origin/test/extended/authorization/scc.go:76]:
1 pods failed before test on SCC errors
Error creating: pods "operator-controller-controller-manager-" is forbidden:
unable to validate against any security context constraint:
provider "privileged": Forbidden: not usable by user or serviceaccount
for ReplicaSet.apps/v1/operator-controller-controller-manager-
-n openshift-operator-controller happened 12 times
Root Cause Analysis
The `operator-controller-controller-manager` pods in the `openshift-operator-controller` namespace cannot validate against any Security Context Constraint. The serviceaccount is being denied the
"privileged" SCC provider, preventing pod creation.
Suspect Changes (Payload 4.22.0-0.nightly-multi-2026-03-03-150411)
Potentially related PRs:
- cluster-capi-operator#480: Added missing CVO annotations to RBAC
- cluster-ingress-operator#1310: Changed serviceaccount usage patterns for operators
- cluster-network-operator#2837: Added new ValidatingAdmissionPolicy
Historical Context
This test has exhibited similar SCC failures in previous releases:
OCPBUGS-59574(Closed): SCC event-exporter errorsOCPBUGS-58231(Closed): Similar test regressions across platforms
The current issue appears to be a recurrence affecting a different component (operator-controller instead of event-exporter).
Debugging References
- Test code: github.com/openshift/origin/test/extended/authorization/scc.go:76
- Failed component: operator-controller-controller-manager (openshift-operator-controller namespace)
- Resource type: ReplicaSet.apps/v1
Filed by: jgeorge@redhat.com
