trident-controller SCC has priority 10 instead of 0
Describe the bug
SecurityContextConstraint "trident-controller" has a priority of 10. It was found by our Red Hat Support when doing a regular check of the cluster.
According to Red Hat, this is a bad practice and the priority should be 0 or not defined, because it causes higher resource allocation and execution precedence over most user workloads. This might be unnecessary and consume shared resources, potentially impacting other applications.
After patching the priority to 0 and restarting the operator pod, the priority is back to 10.
Environment
Openshift version 4.12.46, Kubernetes version v1.25.16+a4e782e
- Trident version: 23.10.0 (post 1.25)
- Operator based installation
- Kubernetes version: v1.25.16+a4e782e
- Kubernetes orchestrator: Openshift v4.12.46
- OS: RH CoreOS
To Reproduce
oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 10 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]
oc patch securitycontextconstraints trident-controller --type='merge' -p '{"priority":0}'
oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 0 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]
oc delete po trident-controller-84fbdcf99c-mnbpr -n trident
pod "trident-controller-84fbdcf99c-mnbpr" deleted
oc get securitycontextconstraints -A | grep trident
trident-controller false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 10 false ["downwardAPI","emptyDir","projected"]
trident-node-linux true ["SYS_ADMIN"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["downwardAPI","emptyDir","hostPath","projected"]
Expected behavior
The priority should be "no value" or 0.
Additional context
https://access.redhat.com/support/cases/#/case/03716635
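As an added illustration (not part of this issue or of the Trident project), the script below models why a non-zero SCC priority matters: OpenShift tries the SCCs a pod is allowed to use in order of priority descending, then most restrictive first, then by name. The SCC objects are constructed to mirror the `oc get scc` output above, and the restrictiveness score is a simplified stand-in for OpenShift's point-value scoring, not the real algorithm.

```python
# Added example, not from the Trident issue or project. The restrictiveness
# score is a simplified stand-in for OpenShift's point values, not the real code.
import json

# Constructed sample (not real cluster output) shaped like `oc get scc -o json`.
SCC_JSON = json.dumps({"items": [
    {"metadata": {"name": "restricted-v2"}, "priority": None,
     "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
     "allowedCapabilities": None, "runAsUser": {"type": "MustRunAsRange"}},
    {"metadata": {"name": "trident-controller"}, "priority": 10,
     "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
     "allowedCapabilities": None, "runAsUser": {"type": "RunAsAny"}},
    {"metadata": {"name": "trident-node-linux"}, "priority": None,
     "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
     "allowedCapabilities": ["SYS_ADMIN"], "runAsUser": {"type": "RunAsAny"}},
]})

def load_sccs():
    """Parse the constructed SCC list into dicts (one per SCC)."""
    return json.loads(SCC_JSON)["items"]

def restrictiveness(scc):
    """Higher score = more permissive (simplified point-value model)."""
    score = 20 if scc.get("allowPrivilegedContainer") else 0
    score += 10 if scc.get("allowHostDirVolumePlugin") else 0
    score += 5 * len(scc.get("allowedCapabilities") or [])
    score += 5 if scc.get("runAsUser", {}).get("type") == "RunAsAny" else 0
    return score

def admission_order(sccs):
    """Names in the order admission tries them: highest priority first
    (nil treated as 0), then most restrictive, then alphabetical."""
    key = lambda s: (-(s.get("priority") or 0), restrictiveness(s), s["metadata"]["name"])
    return [s["metadata"]["name"] for s in sorted(sccs, key=key)]

def audit_priorities(sccs):
    """Flag SCCs with priority > 0: they are tried before the platform's
    restricted SCCs for any pod whose service account can use them."""
    return {s["metadata"]["name"]: s["priority"]
            for s in sccs if (s.get("priority") or 0) > 0}

def with_priority(sccs, name, priority):
    """Copy of the list with one SCC's priority changed (what the oc patch above does)."""
    return [{**s, "priority": priority} if s["metadata"]["name"] == name else s for s in sccs]

if __name__ == "__main__":
    items = load_sccs()
    print("flagged:", audit_priorities(items))
    print("order before patch:", admission_order(items))
    print("order after patch: ", admission_order(with_priority(items, "trident-controller", 0)))
```

With priority 10 the trident-controller SCC is evaluated ahead of restricted-v2; once the priority is 0 the more restrictive SCC wins the tie, which is the ordering the reporter is asking for.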
I think this will be of interest - https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html#ocp-4-14-auth-required-scc
This has been fixed, and the issue can be closed now: https://github.com/NetApp/trident/commit/9e0bc85a417fbcbe428a8561d67c3cc22e0b6753
This fix will be in the 24.06 release.