AUTH-482: set required-scc for openshift workloads #1031
@liouk: This pull request references AUTH-482 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
ded775d to ca00203
/retest
/assign @rfredette
@@ -9,6 +9,7 @@ spec: | |||
metadata: | |||
annotations: | |||
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' | |||
openshift.io/required-scc: hostnetwork |
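Review bot: the `openshift.io/required-scc` value is fixed to `hostnetwork` in this static asset, but whether the router deployment actually needs host networking depends on the IngressController's endpointPublishingStrategy type; a non-HostNetwork ingresscontroller would either be pinned to a more privileged SCC than it needs or, if the router service account is not granted that SCC, fail admission. Set the annotation where the deployment is rendered at run time instead of in the asset, choosing `hostnetwork` only for the HostNetwork strategy and `restricted` otherwise.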
The deployment may use "hostnetwork" or "restricted", depending on the ingresscontroller configuration (specifically IngressController.spec.endpointPublishingStrategy.type). So I think we will need desiredRouterDeployment in pkg/operator/controller/ingress/deployment.go to set this annotation at run-time — right?
By the way, this PR reminds me of some related PRs, #743 and #981, which updated the security context based on previous customer cases where we observed that the wrong SCC could be selected.
Thanks for the pointer @Miciah 🙂 I've pushed a change that addresses this.
@Miciah as far as I can see, the router SA only has access to the hostnetwork SCC, and as a result it can't use restricted (which is why the tests fail). Am I missing something in my changes about the ingress controller configuration for the deployment?
You're right, it seems that we missed this change from the OCP 4.11 release notes:
"The restricted SCC is no longer available to users of new clusters, unless the access is explicitly granted. In clusters originally installed in OpenShift Container Platform 4.10 or earlier, all authenticated users can use the restricted SCC when upgrading to OpenShift Container Platform 4.11 and later."
And observations of CI artifacts confirm this:
- periodic-ci-openshift-release-master-ci-4.10-upgrade-from-stable-4.9-e2e-aws-ovn-upgrade has openshift.io/scc: restricted.
- periodic-ci-openshift-release-master-ci-4.10-e2e-aws-serial has openshift.io/scc: restricted.
- periodic-ci-openshift-release-master-ci-4.11-upgrade-from-stable-4.10-e2e-aws-ovn-upgrade has openshift.io/scc: restricted.
- periodic-ci-openshift-release-master-ci-4.11-e2e-aws-serial has openshift.io/scc: hostnetwork.
- periodic-ci-openshift-release-master-ci-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade has openshift.io/scc: hostnetwork.
- periodic-ci-openshift-release-master-ci-4.12-e2e-aws-sdn-serial has openshift.io/scc: hostnetwork.
The intention is definitely that we use "restricted" when we don't need "hostnetwork". I've filed OCPBUGS-34418 and posted #1064 to address this oversight. Thanks for pointing it out!
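The two points raised in the review above, that the annotation should be derived from the ingresscontroller's endpointPublishingStrategy at render time rather than hardcoded in an asset, and that the SCC admission actually applied (`openshift.io/scc`) can be compared against what the pod should be running under, are sketched below as an added example. This is not code from the PR or from cluster-ingress-operator: the strategy type and its constants are local stand-ins assumed to mirror operatorv1.EndpointPublishingStrategyType, and RequiredSCC, SetRequiredSCC and AuditAppliedSCC are hypothetical helpers, not functions of the operator.

```go
package main

import (
	"errors"
	"fmt"
)

// Real OpenShift annotation keys. The workload asks for an SCC with the first;
// SCC admission records the SCC it actually applied in the second.
const (
	RequiredSCCAnnotation = "openshift.io/required-scc"
	AppliedSCCAnnotation  = "openshift.io/scc"
)

// EndpointPublishingStrategyType is a local stand-in for
// operatorv1.EndpointPublishingStrategyType (assumed shape, redefined so the
// example runs without the openshift/api module). The string values match the API.
type EndpointPublishingStrategyType string

const (
	HostNetworkStrategyType         EndpointPublishingStrategyType = "HostNetwork"
	LoadBalancerServiceStrategyType EndpointPublishingStrategyType = "LoadBalancerService"
	NodePortServiceStrategyType     EndpointPublishingStrategyType = "NodePortService"
	PrivateStrategyType             EndpointPublishingStrategyType = "Private"
)

// RequiredSCC picks the least-privileged SCC the router pod can run under:
// only the HostNetwork strategy needs host networking, everything else
// should land on restricted.
func RequiredSCC(t EndpointPublishingStrategyType) string {
	if t == HostNetworkStrategyType {
		return "hostnetwork"
	}
	return "restricted"
}

// SetRequiredSCC writes the annotation onto a pod template's annotation map
// at render time, instead of hardcoding a value in a static manifest asset.
// A nil map is tolerated so callers can pass a fresh template through.
func SetRequiredSCC(annotations map[string]string, t EndpointPublishingStrategyType) map[string]string {
	if annotations == nil {
		annotations = make(map[string]string)
	}
	annotations[RequiredSCCAnnotation] = RequiredSCC(t)
	return annotations
}

// AuditAppliedSCC is the check behind the CI-artifact observation: given the
// ingresscontroller's strategy and a running router pod's annotations, report
// whether admission applied the SCC the pod should be running under.
func AuditAppliedSCC(t EndpointPublishingStrategyType, podAnnotations map[string]string) error {
	applied, ok := podAnnotations[AppliedSCCAnnotation]
	if !ok {
		return errors.New("pod has no " + AppliedSCCAnnotation + " annotation; was it admitted?")
	}
	want := RequiredSCC(t)
	if applied != want {
		return fmt.Errorf("SCC mismatch for %s strategy: want %q, admission applied %q", t, want, applied)
	}
	return nil
}

func main() {
	// Constructed sample: a LoadBalancerService ingresscontroller. The rendered
	// template should ask for restricted, and a router pod that came up under
	// hostnetwork (as in the 4.11+ CI runs quoted above) must be flagged.
	tmpl := SetRequiredSCC(map[string]string{
		"target.workload.openshift.io/management": `{"effect": "PreferredDuringScheduling"}`,
	}, LoadBalancerServiceStrategyType)
	fmt.Printf("%s=%s\n", RequiredSCCAnnotation, tmpl[RequiredSCCAnnotation])

	pod := map[string]string{AppliedSCCAnnotation: "hostnetwork"}
	if err := AuditAppliedSCC(LoadBalancerServiceStrategyType, pod); err != nil {
		fmt.Println("audit:", err)
	}
}
```

One caveat that the thread itself surfaces: `openshift.io/required-scc` is a hard request, so if the router service account has no access to restricted (the fresh 4.11+ cluster case quoted above), admission rejects the pod instead of falling back to hostnetwork, which is why the grant in #1064 has to land before a renderer like SetRequiredSCC can start asking for restricted.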
Glad this helped :) I'll wait for #1064 to merge and then rebase this and try again 👍
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest failures seem to be infra/connectivity related
/retest-required
@liouk: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Workloads affected:
- openshift-ingress/router-default deployment
- openshift-ingress-canary/ingress-canary daemonset
- openshift-ingress-operator/ingress-operator deployment