-
Bug
-
Resolution: Done
-
Undefined
-
None
-
openshift-4.10.z, openshift-4.8.z
-
None
-
False
-
None
-
False
-
-
Deployment that specify seccomp profile at security context level is not able to identify the correct scc, even if it's created.
Steps to reproduce issue:
- create a scc with the required capabilities
- create the sa
- role binding the sa with the scc
- create the deployment
Required Security Capabilities are:
~~~
serviceAccountName: hellosa
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
~~~
Current Behavior:
Error event reported
~~~
Error creating: pods "hello-6967cf9864-h4kc8" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: *Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/ubi-minimal*: Forbidden: seccomp may not be set provider "anyuid": Forbidden: not usable by user or serviceaccount pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/ubi-minimal: Forbidden: seccomp may not be set provider "nonroot": Forbidden: not usable by user or serviceaccount provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden: not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable by user or serviceaccount provider "node-exporter": Forbidden: not usable by user or serviceaccount provider "privileged": Forbidden: not usable by user or serviceaccount]
~~~
Expectation:
Customer expect not event errors when deployment is created with the required seccomp profile at security context configuration.
Environment:
OCP 4.8, OCP 4.10
