Pod security policy defaults not applied after upgrade

Bug #1885178 reported by Jerry Sun
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Jerry Sun

Bug Description

Brief Description
-----------------
After upgrading, the default pod security policy files are not applied, since they are applied during bootstrap. This means if pod security policy is enabled after an upgrade, there will be deployment issues.

Severity
--------
Major

Steps to Reproduce
------------------
Upgrade a system and enable pod security policy.
Deploy pods to kube-system.

Expected Behavior
------------------
deployment successful

Actual Behavior
----------------
pods are not able to deploy due to pod security policies

Reproducibility
---------------
Reproducible

System Configuration
--------------------
multi-node system

Branch/Pull Time/Commit
-----------------------
2020-06-25

Test Activity
-------------
developer testing

Workaround
----------
Manually run the following after upgrade, but before turning on pod security policies:

    kubectl apply -f /usr/share/ansible/stx-ansible/playbooks/roles/bootstrap/bringup-essential-services/files/psp-policies.yaml
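
A pre-flight check for the workaround above, as an added example that is not part of the original report or of StarlingX's own code: it lists the PodSecurityPolicy objects named in the manifest and reports any the cluster lacks, so the result can gate the step that turns pod security policy on. The function names and the script file name are hypothetical, and the YAML handling assumes a plain block-style manifest; only PodSecurityPolicy objects are checked.

```shell
#!/bin/sh
# Added example: confirm the mandatory pod security policies exist before
# pod security policy is enabled on an upgraded system.

# Print metadata.name of each PodSecurityPolicy document in manifest $1.
# Assumption: plain block-style YAML with top-level "kind:" and a "name:"
# key indented two spaces under a top-level "metadata:" key.
manifest_psp_names() {
    awk '
        function emit() {
            if (kind == "PodSecurityPolicy" && name != "") print name
            kind = ""; name = ""; in_meta = 0
        }
        /^---/                { emit(); next }
        /^kind:/              { kind = $2; next }
        /^metadata:/          { in_meta = 1; next }
        /^[^ #]/              { in_meta = 0 }
        in_meta && /^  name:/ { name = $2 }
        END                   { emit() }
    ' "$1"
}

# Print the manifest's PSP names that are absent from the listing in $2,
# which is the output of "kubectl get psp -o name" (type/name per line).
missing_psps() {
    manifest_psp_names "$1" | while read -r n; do
        printf '%s\n' "$2" | sed 's|^.*/||' | grep -qxF -- "$n" ||
            printf '%s\n' "$n"
    done
}

# Live check; needs kubectl and cluster access. Returns 1 when a policy
# from the manifest is missing, so it can gate the step that enables PSP.
check_cluster() {
    missing=$(missing_psps "$1" "$(kubectl get psp -o name)")
    if [ -n "$missing" ]; then
        echo "Missing pod security policies; apply $1 first:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "All pod security policies in $1 are present."
}

# Usage (hypothetical file name): sh psp-preflight.sh --check <manifest>
if [ "${1:-}" = "--check" ]; then check_cluster "$2"; fi
```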

Ghada Khalil (gkhalil) wrote :

stx.4.0 / medium priority - should be fixed, but there is a manual workaround, so not critical.

tags: added: stx.4.0 stx.update
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Jerry Sun (jerry-sun-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/738254

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/738254
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=51f7f7c03659c0f607887fc29801a38093a0b0d6
Submitter: Zuul
Branch: master

commit 51f7f7c03659c0f607887fc29801a38093a0b0d6
Author: Jerry Sun <email address hidden>
Date: Fri Jun 26 13:49:41 2020 -0400

    Apply mandatory pod security policies during upgrade

    Ansible applies mandatory pod security policies, which are not applied
    during an upgrade. This commit adds a migration script to apply the
    pod security policy file applied by ansible during bootstrap.

    Closes-bug: 1885178

    Change-Id: Icfbfa2f49d9657b43e903b1f22c81e3cf6a8a9f6
    Signed-off-by: Jerry Sun <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released