Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #811

openshift-cherrypick-robot · 2022-08-02T22:17:44Z

This is an automated cherry-pick of #807

/assign wking

This blocks us from being associated with SecurityContextConstraints that set 'readOnlyRootFilesystem: true', because from [1]: > The set of SCCs that admission uses to authorize a pod are > determined by the user identity and groups that the user belongs > to. Additionally, if the pod specifies a service account, the set of > allowable SCCs includes any constraints accessible to the service > account. > > Admission uses the following approach to create the final security > context for the pod: > > 1. Retrieve all SCCs available for use. > 2. Generate field values for security context settings that were not > specified on the request. > 3. Validate the final settings against the available constraints. If we leave readOnlyRootFilesystem implicit, we may get associated with a SCC that set 'readOnlyRootFilesystem: true', and the version-* actions will fail like [2]: $ oc -n openshift-cluster-version get pods NAME READY STATUS RESTARTS AGE cluster-version-operator-6b5c8ff5c8-4bmxx 1/1 Running 0 33m version-4.10.20-smvt9-6vqwc 0/1 Error 0 10s $ oc -n openshift-cluster-version logs version-4.10.20-smvt9-6vqwc oc logs version-4.10.20-smvt9-6vqwc mv: cannot remove '/manifests/0000_00_cluster-version-operator_00_namespace.yaml': Read-only file system mv: cannot remove '/manifests/0000_00_cluster-version-operator_01_adminack_configmap.yaml': Read-only file system ... For a similar change in another repository, see [3]. Also likely relevant, 4.10 both grew pod-security.kubernetes.io/* annotations [4] and cleared the openshift.io/run-level annotation [5]. $ git --no-pager log --oneline -3 origin/release-4.10 -- install/0000_00_cluster-version-operator_00_namespace.yaml 539e944 (origin/pr/623) Fix run-level label to empty string. f58dd1c (origin/pr/686) install: Add description annotations to manifests 6e5e23e (origin/pr/668) podsecurity: enforce privileged for openshift-cluster-version namespace None of those were in 4.9: $ git --no-pager log --oneline -1 origin/release-4.9 -- install/0000_00_cluster-version-operator_00_namespace.yaml 7009736 (origin/pr/543) Add management workload annotations And all of them landed in 4.10 via master (so they're in 4.10 before it GAed, and in 4.11 and later too): $ git --no-pager log --oneline -4 origin/master -- install/0000_00_cluster-version-operator_00_namespace.yaml 539e944 (origin/pr/623) Fix run-level label to empty string. [1]: https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html#admission_configuring-internal-oauth [2]: https://bugzilla.redhat.com/show_bug.cgi?id=2110590#c0 [3]: openshift/cluster-openshift-apiserver-operator#437 [4]: openshift#668 [5]: openshift#623

openshift-ci · 2022-08-02T22:18:01Z

@openshift-cherrypick-robot: Bugzilla bug 2110590 has been cloned as Bugzilla bug 2114602. Retitling PR to link against new bug.
/retitle [release-4.11] Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'

Details

In response to this:

[release-4.11] Bug 2110590: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci · 2022-08-02T22:18:17Z

@openshift-cherrypick-robot: This pull request references Bugzilla bug 2114602, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.11.0) matches configured target release for branch (4.11.0)
bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
dependent bug Bugzilla bug 2110590 is in the state VERIFIED, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
dependent Bugzilla bug 2110590 targets the "4.12.0" release, which is one of the valid target releases: 4.12.0
bug has dependents

Requesting review from QA contact:
/cc @shellyyang1989

Details

In response to this:

[release-4.11] Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking · 2022-08-02T22:19:14Z

GitHub tracks the target-branch as structured information for the pull requests, and folks reading 4.11 release notes will know that the changes are 4.11 specific, so drop the redundant [release-4.11] from the pull-request title:

/retitle Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'

wking

/lgtm

openshift-ci · 2022-08-02T22:19:55Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

wking · 2022-08-02T22:21:29Z

I moved the bug to 4.11.z, so the Bugzilla bot will be grumpy now until 4.11 GAs.

/bugzilla refresh

openshift-ci · 2022-08-02T22:21:35Z

@wking: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

I moved the bug to 4.11.z, so the Bugzilla bot will be grumpy now until 4.11 GAs.

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-03T01:01:03Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-03T01:01:08Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

shellyyang1989 · 2022-08-03T09:44:13Z

/label qe-approved

LalatenduMohanty · 2022-08-03T14:11:52Z

/label backport-risk-assessed

openshift-bot · 2022-08-04T01:00:43Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-04T01:00:48Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

sdodson · 2022-08-04T18:48:18Z

/bugzilla refresh

openshift-ci · 2022-08-04T18:48:23Z

@sdodson: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-05T01:01:05Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-05T01:01:12Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-06T01:01:07Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-06T01:01:14Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-07T01:01:05Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-07T01:01:13Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-08T01:01:07Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-08T01:01:15Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-09T01:01:11Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-09T01:01:18Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2022-08-10T01:01:07Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci · 2022-08-10T01:01:19Z

@openshift-bot: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking · 2022-08-10T15:46:49Z

4.11 has GAed. Let's see if the Bugzilla bot config has been updated:

/bugzilla refresh

openshift-ci · 2022-08-10T15:46:56Z

@wking: This pull request references Bugzilla bug 2114602, which is invalid:

expected the bug to target the "4.11.0" release, but it targets "4.11.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

4.11 has GAed. Let's see if the Bugzilla bot config has been updated:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking · 2022-08-10T20:46:53Z

openshift/release#31215 has landed.

/bugzilla refresh

openshift-ci · 2022-08-10T20:47:00Z

@wking: This pull request references Bugzilla bug 2114602, which is valid.

6 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.11.z) matches configured target release for branch (4.11.z)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
dependent bug Bugzilla bug 2110590 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
dependent Bugzilla bug 2110590 targets the "4.12.0" release, which is one of the valid target releases: 4.12.0
bug has dependents

Requesting review from QA contact:
/cc @shellyyang1989

Details

In response to this:

openshift/release#31215 has landed.

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jiajliu · 2022-08-16T00:45:50Z

/label cherry-pick-approved

openshift-ci-robot · 2022-08-16T01:32:39Z

/retest-required

Remaining retests: 2 against base HEAD 56a6ae0 and 8 for PR HEAD e4b8793 in total

openshift-ci-robot · 2022-08-16T05:32:26Z

/retest-required

Remaining retests: 1 against base HEAD 56a6ae0 and 7 for PR HEAD e4b8793 in total

openshift-ci · 2022-08-16T06:53:41Z

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci · 2022-08-16T06:55:50Z

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged:

openshift/cluster-version-operator#811

Bugzilla bug 2114602 has been moved to the MODIFIED state.

Details

In response to this:

Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking · 2022-08-18T03:24:06Z

Verified.

/cherrypick release-4.10

openshift-cherrypick-robot · 2022-08-18T03:24:46Z

@wking: new pull request created: #824

Details

In response to this:

Verified.

/cherrypick release-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-cherrypick-robot mentioned this pull request Aug 2, 2022

Bug 2110590: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #807

Merged

openshift-ci bot assigned wking Aug 2, 2022

openshift-ci bot changed the title ~~[release-4.11] Bug 2110590: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'~~ [release-4.11] Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' Aug 2, 2022

openshift-ci bot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Aug 2, 2022

openshift-ci bot requested review from jottofar, shellyyang1989 and wking August 2, 2022 22:18

openshift-ci bot changed the title ~~[release-4.11] Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'~~ Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' Aug 2, 2022

wking approved these changes Aug 2, 2022

View reviewed changes

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 2, 2022

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 2, 2022

openshift-ci bot added bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. and removed bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Aug 2, 2022

openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Aug 3, 2022

openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Aug 3, 2022

openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Aug 10, 2022

openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Aug 10, 2022

openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Aug 16, 2022

openshift-merge-robot merged commit 0520e51 into openshift:release-4.11 Aug 16, 2022

openshift-cherrypick-robot mentioned this pull request Aug 18, 2022

OCPBUGS-233: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #824

Merged

Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #811

Bug 2114602: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #811

Uh oh!

Conversation

openshift-cherrypick-robot commented Aug 2, 2022

Uh oh!

openshift-ci bot commented Aug 2, 2022

Uh oh!

openshift-ci bot commented Aug 2, 2022

Uh oh!

wking commented Aug 2, 2022

Uh oh!

wking left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Aug 2, 2022

Uh oh!

wking commented Aug 2, 2022

Uh oh!

openshift-ci bot commented Aug 2, 2022

Uh oh!

openshift-bot commented Aug 3, 2022

Uh oh!

openshift-ci bot commented Aug 3, 2022

Uh oh!

shellyyang1989 commented Aug 3, 2022

Uh oh!

LalatenduMohanty commented Aug 3, 2022

Uh oh!

openshift-bot commented Aug 4, 2022

Uh oh!

openshift-ci bot commented Aug 4, 2022

Uh oh!

sdodson commented Aug 4, 2022

Uh oh!

openshift-ci bot commented Aug 4, 2022

Uh oh!

openshift-bot commented Aug 5, 2022

Uh oh!

openshift-ci bot commented Aug 5, 2022

Uh oh!

openshift-bot commented Aug 6, 2022

Uh oh!

openshift-ci bot commented Aug 6, 2022

Uh oh!

openshift-bot commented Aug 7, 2022

Uh oh!

openshift-ci bot commented Aug 7, 2022

Uh oh!

openshift-bot commented Aug 8, 2022

Uh oh!

openshift-ci bot commented Aug 8, 2022

Uh oh!

openshift-bot commented Aug 9, 2022

Uh oh!

openshift-ci bot commented Aug 9, 2022

Uh oh!

openshift-bot commented Aug 10, 2022

Uh oh!

openshift-ci bot commented Aug 10, 2022

Uh oh!

wking commented Aug 10, 2022

Uh oh!

openshift-ci bot commented Aug 10, 2022

Uh oh!

wking commented Aug 10, 2022

Uh oh!

openshift-ci bot commented Aug 10, 2022

Uh oh!

jiajliu commented Aug 16, 2022

Uh oh!

openshift-ci-robot commented Aug 16, 2022

Uh oh!

openshift-ci-robot commented Aug 16, 2022

Uh oh!

openshift-ci bot commented Aug 16, 2022

Uh oh!

openshift-ci bot commented Aug 16, 2022

Uh oh!

wking commented Aug 18, 2022