OCPBUGS-233: pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false' #824
This blocks us from being associated with SecurityContextConstraints that set 'readOnlyRootFilesystem: true', because from [1]:

> The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.
>
> Admission uses the following approach to create the final security context for the pod:
>
> 1. Retrieve all SCCs available for use.
> 2. Generate field values for security context settings that were not specified on the request.
> 3. Validate the final settings against the available constraints.

If we leave readOnlyRootFilesystem implicit, we may get associated with a SCC that set 'readOnlyRootFilesystem: true', and the version-* actions will fail like [2]:

```console
$ oc -n openshift-cluster-version get pods
NAME                                        READY   STATUS    RESTARTS   AGE
cluster-version-operator-6b5c8ff5c8-4bmxx   1/1     Running   0          33m
version-4.10.20-smvt9-6vqwc                 0/1     Error     0          10s
$ oc -n openshift-cluster-version logs version-4.10.20-smvt9-6vqwc
oc logs version-4.10.20-smvt9-6vqwc
mv: cannot remove '/manifests/0000_00_cluster-version-operator_00_namespace.yaml': Read-only file system
mv: cannot remove '/manifests/0000_00_cluster-version-operator_01_adminack_configmap.yaml': Read-only file system
...
```

For a similar change in another repository, see [3].

Also likely relevant, 4.10 both grew pod-security.kubernetes.io/* annotations [4] and cleared the openshift.io/run-level annotation [5].

```console
$ git --no-pager log --oneline -3 origin/release-4.10 -- install/0000_00_cluster-version-operator_00_namespace.yaml
539e944 (origin/pr/623) Fix run-level label to empty string.
f58dd1c (origin/pr/686) install: Add description annotations to manifests
6e5e23e (origin/pr/668) podsecurity: enforce privileged for openshift-cluster-version namespace
```

None of those were in 4.9:

```console
$ git --no-pager log --oneline -1 origin/release-4.9 -- install/0000_00_cluster-version-operator_00_namespace.yaml
7009736 (origin/pr/543) Add management workload annotations
```

And all of them landed in 4.10 via master (so they're in 4.10 before it GAed, and in 4.11 and later too):

```console
$ git --no-pager log --oneline -4 origin/master -- install/0000_00_cluster-version-operator_00_namespace.yaml
539e944 (origin/pr/623) Fix run-level label to empty string.
```

[1]: https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html#admission_configuring-internal-oauth
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=2110590#c0
[3]: openshift/cluster-openshift-apiserver-operator#437
[4]: openshift#668
[5]: openshift#623
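The three admission steps quoted above, and why leaving readOnlyRootFilesystem implicit is the problem, as an added Go model; this is not code from this PR or from openshift/apiserver, and the SCC names, the Container type and the simple in-order SCC matching are assumptions made for the illustration:

```go
package main

import "fmt"

// SCC is a simplified model of a SecurityContextConstraints object; only the
// field that matters for this bug is kept (constructed for this example).
type SCC struct {
	Name                   string
	ReadOnlyRootFilesystem bool // true: the SCC forces a read-only root filesystem
}

// Container keeps only the securityContext field under discussion. A nil
// value means "left implicit", as the version-* Job spec did before this change.
type Container struct {
	ReadOnlyRootFilesystem *bool
}

// admit is a teaching model of the quoted three-step admission approach, not
// the real openshift/apiserver code: for each available SCC, fill in fields
// the request left unset (step 2), then validate the result against the SCC
// (step 3). It returns the first SCC that accepts the pod and the final value.
func admit(available []SCC, c Container) (scc string, readOnly bool, err error) {
	for _, s := range available {
		final := s.ReadOnlyRootFilesystem // step 2: default from the SCC
		if c.ReadOnlyRootFilesystem != nil {
			final = *c.ReadOnlyRootFilesystem // an explicit request is kept
		}
		if s.ReadOnlyRootFilesystem && !final { // step 3: this SCC rejects a writable root
			continue
		}
		return s.Name, final, nil
	}
	return "", false, fmt.Errorf("no available SCC admits the pod")
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed SCC list: a read-only variant is considered before 'privileged'.
	sccs := []SCC{{"readonly-privileged", true}, {"privileged", false}}
	name, ro, _ := admit(sccs, Container{}) // implicit: defaulted to true by the first SCC
	fmt.Printf("implicit -> scc=%s readOnlyRootFilesystem=%v\n", name, ro)
	name, ro, _ = admit(sccs, Container{ReadOnlyRootFilesystem: boolPtr(false)})
	fmt.Printf("explicit -> scc=%s readOnlyRootFilesystem=%v\n", name, ro) // privileged, false
}
```

With the field set explicitly to false, an SCC that forces a read-only root no longer validates and the pod lands on one that permits the writable /manifests the mv commands need.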
@openshift-cherrypick-robot: An error was encountered cloning bug for cherrypick for bug 2114602 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message:

    response code 401 not 200

Please contact an administrator to resolve this issue, then request a bug refresh with
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@openshift-cherrypick-robot: No Bugzilla bug is referenced in the title of this pull request.
@openshift-cherrypick-robot: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is invalid:
wking
left a comment
Clean pick.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, wking

The full list of commands accepted by this bot can be found here. The pull request process is described here.
/jira refresh
@wking: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is invalid:
Huh. I expected:

to have been fixed by openshift/release#31412.
….z bugs

Avoid [1]:

    ... expected dependent Jira Issue OCPBUGS-232 to target a version in 4.11.0, but it targets "4.11.z" instead...

Now that 4.11 is GA, 4.10.z backports can carry back both changes that landed pre-GA (4.11.0) and post-GA (4.11.z).

Follows up on 8276887 (jira-lifecycle-plugin: update target version for 4.11 (openshift#31412), 2022-08-17).

[1]: openshift/cluster-version-operator#824 (comment)
/label qe-approved
openshift/release#31442 landed:

/jira refresh
@wking: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is invalid:
openshift/release#31462 landed:

/jira refresh
@wking: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is invalid:
Maybe it took some time to roll out, and now it will work?

/jira refresh
@wking: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is invalid:
For unclear reasons, the ConfigMap hadn't synced. But I hear it has now:

/jira refresh
@wking: This pull request references [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233), which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact:
/label backport-risk-assessed
/label cherry-pick-approved
/override ci/prow/e2e-agnostic-upgrade
@wking: Overrode contexts on behalf of wking: ci/prow/e2e-agnostic-upgrade
/override ci/prow/e2e-agnostic-upgrade
@wking: Overrode contexts on behalf of wking: ci/prow/e2e-agnostic-upgrade
@openshift-cherrypick-robot: The following test failed, say

Full PR test history. Your PR dashboard.
@openshift-cherrypick-robot: All pull requests linked via external trackers have merged: [Jira Issue OCPBUGS-233](https://issues.redhat.com//browse/OCPBUGS-233) has been moved to the MODIFIED state.
As this SCC is based on the SCC privileged, when it is used by a serviceaccount it runs as root, but since readOnlyRootFilesystem: true, it prevents access to files/folders owned by user root. readOnlyRootFilesystem: true in this SCC has caused problems during upgrades on OpenShift, because the version job pod created by CVO sometimes uses this SCC and is unable to remove folders/files owned by user root.

List of related issues:

- https://access.redhat.com/solutions/5911951
- https://access.redhat.com/solutions/6985485
- https://issues.redhat.com/browse/OTA-680
- openshift/cluster-version-operator#824
This is an automated cherry-pick of #811
/assign wking