trident-controller SCC has priority 10 instead of 0
zemiak opened this issue · 3 comments
Describe the bug
SecurityContextConstraint "trident-controller" has a priority of 10. It was found by our Redhat Support when doing a regular check of the cluster.
According to Redhat, this is a bad practice and the priority should be 0 or not defined, because it causes higher resource allocation and execution precedence over most user workloads. This might be unnecessary and consume shared resources, potentially impacting other applications.
After patching the priority to 0 and restarting the operator pod, the priority is back to 10.
Environment
Openshift version 4.12.46, Kubernetes version v1.25.16+a4e782e
- Trident version: 23.10.0 (post 1.25)
- Operator based installation
- Kubernetes version: v1.25.16+a4e782e
- Kubernetes orchestrator: Openshift v4.12.46
- OS: RH CoreOS
To Reproduce
```
oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 10 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]

oc patch securitycontextconstraints trident-controller --type='merge' -p '{"priority":0}'

oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 0 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]

oc delete po trident-controller-84fbdcf99c-mnbpr -n trident
pod "trident-controller-84fbdcf99c-mnbpr" deleted

oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 10 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]
```
Expected behavior
The priority should be "no value" or 0.
Additional context
https://access.redhat.com/support/cases/#/case/03716635
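The security-relevant point behind the report above is how OpenShift picks an SCC for a pod: among the SCCs a requesting subject is allowed to use, the one with the highest priority is tried first (ties broken by restrictiveness, then name), so a non-zero priority on an operator-managed SCC can make it win over `restricted-v2` for any service account or group that has been granted it. The following script is an added example, not code from the issue or from the Trident project. It audits the JSON that `oc get securitycontextconstraints -o json` prints and lists every SCC with an explicit non-zero priority together with its grantees, and it reproduces the selection order. The `permissiveness_score` weights are this example's own simplification of OpenShift's restrictiveness ranking, and the embedded SCC list is a constructed sample shaped like that command's output (the `trident-controller` entry mirrors the values in the issue; the other entries are illustrative).

```python
"""Audit SecurityContextConstraints for non-zero priority and show admission order.

Added example: feed it `oc get securitycontextconstraints -o json` on stdin,
or run it with no input to use the constructed sample below.
"""
import json
import sys

# Constructed sample resembling `oc get scc -o json`. Not real cluster data:
# only the trident-controller values (priority 10, no capabilities) mirror the issue.
SAMPLE_SCC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "restricted-v2"}, "priority": None,
         "allowPrivilegedContainer": False, "allowedCapabilities": None,
         "runAsUser": {"type": "MustRunAsRange"},
         "volumes": ["configMap", "downwardAPI", "emptyDir", "projected", "secret"],
         "users": [], "groups": ["system:authenticated"]},
        {"metadata": {"name": "trident-controller"}, "priority": 10,
         "allowPrivilegedContainer": False, "allowedCapabilities": None,
         "runAsUser": {"type": "MustRunAs"},
         "volumes": ["downwardAPI", "emptyDir", "projected"],
         "users": ["system:serviceaccount:trident:trident-controller"], "groups": []},
        {"metadata": {"name": "trident-node-linux"}, "priority": None,
         "allowPrivilegedContainer": True, "allowedCapabilities": ["SYS_ADMIN"],
         "runAsUser": {"type": "RunAsAny"},
         "volumes": ["downwardAPI", "emptyDir", "hostPath", "projected"],
         "users": ["system:serviceaccount:trident:trident-node-linux"], "groups": []},
        {"metadata": {"name": "anyuid"}, "priority": 10,
         "allowPrivilegedContainer": False, "allowedCapabilities": None,
         "runAsUser": {"type": "RunAsAny"},
         "volumes": ["configMap", "downwardAPI", "emptyDir", "projected", "secret"],
         "users": [], "groups": ["system:cluster-admins"]},
    ],
})


def effective_priority(scc):
    """An unset priority (null / <no value>) behaves like 0."""
    prio = scc.get("priority")
    return 0 if prio is None else int(prio)


def permissiveness_score(scc):
    """Higher means more permissive. Simplified weights chosen for this example,
    modelled loosely on the fields OpenShift considers when ranking SCCs."""
    score = 0
    if scc.get("allowPrivilegedContainer"):
        score += 20
    for flag in ("allowHostNetwork", "allowHostPID", "allowHostIPC", "allowHostPorts"):
        if scc.get(flag):
            score += 10
    volumes = scc.get("volumes") or []
    if "hostPath" in volumes or "*" in volumes:
        score += 10
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        score += 10
    score += len(scc.get("allowedCapabilities") or [])
    return score


def admission_order(items):
    """Names in the order the admission controller would try them:
    highest priority first, then most restrictive, then by name."""
    key = lambda s: (-effective_priority(s), permissiveness_score(s), s["metadata"]["name"])
    return [s["metadata"]["name"] for s in sorted(items, key=key)]


def find_elevated(items):
    """SCCs with an explicit priority above 0, with who may use them."""
    findings = []
    for scc in items:
        if effective_priority(scc) > 0:
            findings.append({
                "name": scc["metadata"]["name"],
                "priority": effective_priority(scc),
                "score": permissiveness_score(scc),
                "grantees": (scc.get("users") or []) + (scc.get("groups") or []),
            })
    return sorted(findings, key=lambda f: (-f["priority"], f["name"]))


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCC_LIST
    items = json.loads(raw)["items"]
    print("admission order:", " > ".join(admission_order(items)))
    for f in find_elevated(items):
        print(f"{f['name']}: priority={f['priority']} score={f['score']} "
              f"grantees={f['grantees'] or ['(none bound directly)']}")


if __name__ == "__main__":
    main()
```

Run it against a live cluster with `oc get securitycontextconstraints -o json | python3 scc_priority_audit.py`; an SCC that keeps reappearing with a non-zero priority after being patched, as in this issue, points at a controller or operator reconciling it, so the fix belongs in the operator rather than in a one-off patch.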
I think this will be of interest - https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html#ocp-4-14-auth-required-scc
This has been fixed, and the issue can be closed now: 9e0bc85
This fix will be in the 24.06 release.