OpenShift does not evaluate an scc that a pod/serviceAccount has access to

Sometimes, OpenShift will not evaluate an scc that a pod has access to (either specifically, by listing the pod's serviceaccount in the 'users' field or granting 'use' on the scc to a service account, or via the group system:authenticated, as in the case of 'restricted').

For example, on this OS 4.9 cluster, I'm looking at this ingress deployment.
The replica-set reports:
'pods "ingress-nginx-controller-7c884b5f5b-" is forbidden: unable to
validate against any security context constraint: [
provider "anyuid": Forbidden:
not usable by user or serviceaccount, spec.containers[0].securityContext.allowPrivilegeEscalation:
Invalid value: true: Allowing privilege escalation for containers is not allowed,
spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE":
capability may not be added,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "infra-ssp-fluent-bit": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]'
Meanwhile, there are 2 profiles that are allowed for this service account and are not even being evaluated:
the OOTB restricted profile, and the ingress-nginx-scc I've created, whose users list contains the ingress-nginx sa.
scc:
users:
- system:serviceaccount:ingress:ingress-nginx-controller
- system:serviceaccount:ingress:ingress-nginx-admission
- system:serviceaccount:ingress:ingress-nginx
Pod:
serviceAccount: ingress-nginx

I've also tried granting 'use' access using the role and rolebinding approach.

Similarly, with OpenShift 4.11, I can see it lists the restricted scc (which for some reason it thinks is forbidden), but not restricted-v2.
pods "ingress-nginx-controller-586f4c55cb-" is forbidden:
unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed,
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]

What am I missing here?

ClusterVersion: Stable at "4.9.24"
ClusterOperators:
All healthy and stable
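Added example (not from the post, and not OpenShift code): a small Python parser for the admission error quoted above. Each bracketed entry is a Kubernetes field error, so the parser separates per-SCC access denials ('not usable by user or serviceaccount') from spec.* policy violations and reports which expected SCCs the message does not name at all. The sample message is constructed from the 4.11 error in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 4.11 admission error quoted in the post, joined onto one line.
SAMPLE_ERROR = (
    'pods "ingress-nginx-controller-586f4c55cb-" is forbidden: '
    'unable to validate against any security context constraint: ['
    'provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: '
    'Allowing privilege escalation for containers is not allowed, '
    'provider "restricted": Forbidden: not usable by user or serviceaccount, '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

NOT_USABLE = "not usable by user or serviceaccount"
# Each bracketed entry is a Kubernetes field error ("<path>: <type>: <detail>"), comma-separated;
# split only where the next entry's path starts, so commas inside details are preserved.
ENTRY_SPLIT = re.compile(r', (?=provider "|spec\.)')
PROVIDER_RE = re.compile(r'^provider "([^"]+)": Forbidden: (.*)$')
FIELD_RE = re.compile(r'^(spec\.[^:]+): ([A-Za-z ]+): (.*)$')
HEADER_RE = re.compile(r'^pods "([^"]*)" is forbidden: unable to validate against any '
                       r'security context constraint: \[(.*)\]\s*$', re.S)

@dataclass
class SccAdmissionReport:
    pod: str
    denied_access: list = field(default_factory=list)  # SCCs the subject may not use
    violations: list = field(default_factory=list)     # (spec path, detail) policy failures
    other: list = field(default_factory=list)          # entries the patterns did not recognise

def parse_scc_error(message: str) -> SccAdmissionReport:
    """Split an SCC admission error into access denials and field-level violations."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not an SCC admission error")
    report = SccAdmissionReport(pod=m.group(1))
    for entry in (e.strip() for e in ENTRY_SPLIT.split(m.group(2))):
        if (p := PROVIDER_RE.match(entry)) and p.group(2).startswith(NOT_USABLE):
            report.denied_access.append(p.group(1))
        elif f := FIELD_RE.match(entry):
            report.violations.append((f.group(1), f.group(3)))
        else:
            report.other.append(entry)
    return report

def not_mentioned(report: SccAdmissionReport, expected: list) -> list:
    """SCCs you expected the error to name (e.g. restricted-v2) that appear nowhere in it."""
    return [s for s in expected if s not in report.denied_access]
```

Feed it the full error string from `oc describe rs` to see which SCCs were refused on access grounds versus which entries are policy violations of the pod spec.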

Responses