NetApp/trident

trident-controller SCC has priority 10 instead of 0

zemiak opened this issue · 3 comments

Describe the bug
SecurityContextConstraint "trident-controller" has a priority of 10. It was found by our Red Hat Support when doing a regular check of the cluster.

According to Red Hat, this is a bad practice and the priority should be 0 or not defined, because it causes higher resource allocation and execution precedence over most user workloads. This might be unnecessary and consume shared resources, potentially impacting other applications.

After patching the priority to 0 and restarting the operator pod, the priority is back to 10.

Environment
OpenShift version 4.12.46, Kubernetes version v1.25.16+a4e782e

  • Trident version: 23.10.0 (post 1.25)
  • Operator based installation
  • Kubernetes version: v1.25.16+a4e782e
  • Kubernetes orchestrator: OpenShift v4.12.46
  • OS: RH CoreOS

To Reproduce
oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

oc patch securitycontextconstraints trident-controller --type='merge' -p '{"priority":0}'
oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    0            false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

oc delete po trident-controller-84fbdcf99c-mnbpr -n trident

pod "trident-controller-84fbdcf99c-mnbpr" deleted

oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

Expected behavior
The priority should be "no value" or 0.

Additional context
https://access.redhat.com/support/cases/#/case/03716635
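An added example, not from the issue or from the Trident project, for auditing SCC priorities the way the report above does, but over the JSON form of `oc get securitycontextconstraints -o json` rather than by eyeballing `grep` output. It assumes only the standard SCC fields (`metadata.name`, `priority`); the embedded sample is constructed to mirror the two Trident SCCs shown in the issue plus one unset-priority SCC.

```python
import json
import subprocess

# Constructed sample mirroring the SCCs listed in the issue. In a real audit,
# replace it with the parsed output of `oc get securitycontextconstraints -o json`.
SAMPLE_SCC_LIST = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "trident-controller"}, "priority": 10,
         "allowPrivilegedContainer": False,
         "volumes": ["downwardAPI", "emptyDir", "projected"]},
        {"metadata": {"name": "trident-node-linux"}, "priority": None,
         "allowPrivilegedContainer": True, "allowedCapabilities": ["SYS_ADMIN"],
         "volumes": ["downwardAPI", "emptyDir", "hostPath", "projected"]},
        {"metadata": {"name": "restricted"},  # priority key absent entirely
         "allowPrivilegedContainer": False, "volumes": ["configMap", "emptyDir"]},
    ],
}


def scc_priority(scc):
    """Effective priority of one SCC: OpenShift treats an unset/null priority as 0,
    which is what `oc get` renders as `<no value>`."""
    prio = scc.get("priority")
    return 0 if prio is None else int(prio)


def find_elevated_priority(scc_list, threshold=0):
    """Return (name, priority) for every SCC whose priority exceeds `threshold`,
    highest first, i.e. the SCCs that win admission ordering over user workloads."""
    hits = [(item["metadata"]["name"], scc_priority(item))
            for item in scc_list.get("items", [])]
    return sorted([h for h in hits if h[1] > threshold], key=lambda h: (-h[1], h[0]))


def load_from_cluster():
    """Fetch the live SCC list via `oc` (requires cluster access; not used by the test)."""
    proc = subprocess.run(["oc", "get", "securitycontextconstraints", "-o", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for name, prio in find_elevated_priority(SAMPLE_SCC_LIST):
        print(f"{name}: priority {prio} (expected 0 or unset)")
```

Because the operator reconciles the SCC back to its shipped value after a pod restart, as the report shows, this check belongs in a recurring audit rather than a one-off patch.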

This has been fixed, and the issue can be closed now: 9e0bc85

This fix will be in the 24.06 release.