AUTH-482: set required-scc for openshift workloads

[liouk]

Workloads affected:

• openshift-ingress/router-default deployment
• openshift-ingress-canary/ingress-canary daemonset
• openshift-ingress-operator/ingress-operator deployment

[openshift-ci-robot]

@liouk: This pull request references AUTH-482 which is a valid jira issue.

In response to this:

Workloads affected:

• openshift-ingress/router-default deployment
• openshift-ingress-canary/ingress-canary daemonset
• openshift-ingress-operator/ingress-operator deployment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/retest

[candita]

/assign @rfredette

[Miciah]

The deployment may use "hostnetwork" or "restricted", depending on the ingresscontroller configuration (specifically IngressController.spec.endpointPublishingStrategy.type). So I think we will need desiredRouterDeployment in pkg/operator/controller/ingress/deployment.go to set this annotation at run-time —right?

By the way, this PR reminds me of some related PRs, #743 and #981, which updated the security context based on previous customer cases where we observed that the wrong SCC could be selected.

[liouk]

Thanks for the pointer @Miciah 🙂 I've pushed a change that addresses this.

[liouk]

@Miciah as far as I can see, the router SA only has access to the hostnetwork SCC, and as a result it can't use restricted (which is why the tests fail).

Am I missing something in my changes about the ingress controller configuration for the deployment?

[Miciah]

You're right, it seems that we missed this change from the OCP 4.11 release notes:

The restricted SCC is no longer available to users of new clusters, unless the access is explicitly granted. In clusters originally installed in OpenShift Container Platform 4.10 or earlier, all authenticated users can use the restricted SCC when upgrading to OpenShift Container Platform 4.11 and later.

And observations of CI artifacts confirm this:

• periodic-ci-openshift-release-master-ci-4.10-upgrade-from-stable-4.9-e2e-aws-ovn-upgrade has openshift.io/scc: restricted.
• periodic-ci-openshift-release-master-ci-4.10-e2e-aws-serial has openshift.io/scc: restricted.
• periodic-ci-openshift-release-master-ci-4.11-upgrade-from-stable-4.10-e2e-aws-ovn-upgrade has openshift.io/scc: restricted.
• periodic-ci-openshift-release-master-ci-4.11-e2e-aws-serial has openshift.io/scc: hostnetwork.
• periodic-ci-openshift-release-master-ci-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade has openshift.io/scc: hostnetwork.
• periodic-ci-openshift-release-master-ci-4.12-e2e-aws-sdn-serial has openshift.io/scc: hostnetwork.

The intention is definitely that we use "restricted" when we don't need "hostnetwork". I've filed OCPBUGS-34418 and posted #1064 to address this oversight. Thanks for pointing it out!

[liouk]

Glad this helped :) I'll wait for #1064 to merge and then rebase this and try again 👍

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from rfredette. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liouk]

/retest

failures seem to be infra/connectivity related

[liouk]

/retest-required

[openshift-ci]

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	bce1134	link	true	/test e2e-aws-ovn
ci/prow/e2e-azure-ovn	bce1134	link	false	/test e2e-azure-ovn
ci/prow/e2e-gcp-ovn	bce1134	link	false	/test e2e-gcp-ovn
ci/prow/e2e-aws-gatewayapi	bce1134	link	false	/test e2e-aws-gatewayapi
ci/prow/e2e-aws-operator	bce1134	link	true	/test e2e-aws-operator
ci/prow/e2e-aws-ovn-single-node	bce1134	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-serial	bce1134	link	true	/test e2e-aws-ovn-serial
ci/prow/e2e-azure-operator	bce1134	link	true	/test e2e-azure-operator
ci/prow/e2e-gcp-operator	bce1134	link	true	/test e2e-gcp-operator
ci/prow/e2e-hypershift	bce1134	link	true	/test e2e-hypershift

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.