NetApp / trident

Storage orchestrator for containers
Apache License 2.0
762 stars, 222 forks

trident-controller SCC has priority 10 instead of 0 #887

Closed zemiak closed 6 months ago

zemiak commented 9 months ago

Describe the bug

SecurityContextConstraint "trident-controller" has priority 10. It was found by our Red Hat Support when doing a regular check of the cluster.

According to Red Hat, this is a bad practice and the priority should be 0 or not defined, because it causes higher resource allocation and execution precedence over most user workloads. This might be unnecessary and consume shared resources, potentially impacting other applications.

After patching the priority to 0 and restarting the operator pod, the priority is back to 10.

Environment

OpenShift version 4.12.46, Kubernetes version v1.25.16+a4e782e

To Reproduce

oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

oc patch securitycontextconstraints trident-controller --type='merge' -p '{"priority":0}'

oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    0            false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

oc delete po trident-controller-84fbdcf99c-mnbpr -n trident

pod "trident-controller-84fbdcf99c-mnbpr" deleted

oc get securitycontextconstraints -A | grep trident

trident-controller                false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["downwardAPI","emptyDir","projected"]
trident-node-linux                true    ["SYS_ADMIN"]          RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["downwardAPI","emptyDir","hostPath","projected"]

Expected behavior

The priority should be "no value" or 0.

Additional context

https://access.redhat.com/support/cases/#/case/03716635
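
A way to turn the check above into something repeatable, as an added example that is not part of the issue or of the Trident project: a Python script that reads the JSON form of the same listing (`oc get scc -o json`; a constructed sample is embedded, with the two trident rows mirroring the eighth, PRIORITY, column shown above and `anyuid` / `restricted-v2` as assumed stand-ins for built-in SCCs), lists every SCC carrying a positive priority, shows the order in which admission will try them, and diffs a patched state against what the cluster reports after the operator pod is restarted, which is how the reversion described in the report shows up in an automated audit. Note that SCC priority only decides which SCC admission validates a pod against first when the pod's service account is allowed to use several; it does not reserve CPU or memory.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `oc get scc -o json`, trimmed to the
# fields this check reads. The two trident entries mirror the values shown
# in the issue; anyuid and restricted-v2 are assumed stand-ins for built-in
# SCCs (anyuid at priority 10, restricted-v2 with no priority set).
SCC_JSON_OBSERVED = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"kind": "SecurityContextConstraints", "apiVersion": "security.openshift.io/v1",
     "metadata": {"name": "trident-controller"}, "priority": 10,
     "allowPrivilegedContainer": false},
    {"kind": "SecurityContextConstraints", "apiVersion": "security.openshift.io/v1",
     "metadata": {"name": "trident-node-linux"}, "priority": null,
     "allowPrivilegedContainer": true},
    {"kind": "SecurityContextConstraints", "apiVersion": "security.openshift.io/v1",
     "metadata": {"name": "anyuid"}, "priority": 10,
     "allowPrivilegedContainer": false},
    {"kind": "SecurityContextConstraints", "apiVersion": "security.openshift.io/v1",
     "metadata": {"name": "restricted-v2"}, "priority": null,
     "allowPrivilegedContainer": false}
  ]
}
"""

Priorities = Dict[str, Optional[int]]


def load_sccs(text: str) -> Priorities:
    """Map SCC name -> priority (None when the field is unset, i.e. <no value>)."""
    doc = json.loads(text)
    return {item["metadata"]["name"]: item.get("priority") for item in doc["items"]}


def find_prioritized(sccs: Priorities) -> List[Tuple[str, int]]:
    """SCCs that admission will try ahead of the unprioritised defaults."""
    return sorted((name, prio) for name, prio in sccs.items()
                  if prio is not None and prio > 0)


def selection_order(sccs: Priorities) -> List[str]:
    """Order in which admission considers SCCs: highest priority first.
    OpenShift breaks ties on restrictiveness before falling back to name;
    this simplified model breaks ties on name only, so treat the relative
    order of equal-priority SCCs as approximate."""
    return sorted(sccs, key=lambda name: (-(sccs[name] or 0), name))


def detect_drift(expected: Priorities,
                 observed: Priorities) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Priorities that differ between the state you patched and the state the
    cluster reports now; a non-empty result means something reconciled them."""
    return {name: (expected[name], observed.get(name))
            for name in expected if expected[name] != observed.get(name)}


def main() -> None:
    observed = load_sccs(SCC_JSON_OBSERVED)
    print("prioritised SCCs:", find_prioritized(observed))
    print("admission order:", selection_order(observed))
    # Manual patch as in the issue: set the operator-managed SCC to 0 ...
    patched = {**observed, "trident-controller": 0}
    # ... then the operator pod restarts and reconciles the SCC back to 10,
    # so a fresh listing looks exactly like the original one.
    after_restart = load_sccs(SCC_JSON_OBSERVED)
    print("reverted by reconciliation:", detect_drift(patched, after_restart))


if __name__ == "__main__":
    main()
```

In practice you would feed `load_sccs` the real output of `oc get scc -o json` captured before the patch and again after the operator restart; a non-empty `detect_drift` result is the signal that the value is operator-managed and has to be changed in the operator's source (as the fix linked below does) rather than patched on the live object.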

akalenyu commented 9 months ago

I think this will be of interest - https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html#ocp-4-14-auth-required-scc

shashank-netapp commented 6 months ago

This has been fixed, and the issue can be closed now: https://github.com/NetApp/trident/commit/9e0bc85a417fbcbe428a8561d67c3cc22e0b6753

clintonk commented 6 months ago

This fix will be in the 24.06 release.