Project: Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
Issue: CRW-8251

Allow devspace-operator to run in NS w/ enforce=restricted pod security


    • Release Notes
      = Operator can now run in namespaces with restricted Pod Security Standards

      With this release, the operator and its operands can run in namespaces that have the `pod-security.kubernetes.io/enforce=restricted` label. For more information, see the Kubernetes documentation about link:https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/[Enforcing Pod Security Standards with Namespace Labels].
    • Enhancement
    • Done

      Customer wants to be able to run devspace-operator in a Namespace labelled with the Pod Security Standard enforce=restricted.

      When Pod Security is enabled with enforce=restricted, the operator never starts and a security violation event is recorded.

      Steps to reproduce for a new installation:
      $ oc create ns openshift-devspaces
      $ oc label ns/openshift-devspaces pod-security.kubernetes.io/enforce=restricted
      $ oc label ns/openshift-devspaces pod-security.kubernetes.io/enforce-version=v1.25
      Then proceed with the installation as usual in this Namespace, which results in the following event message:
      ///
      (combined from similar events): Error creating: pods "devspaces-operator-84d965c4db-mzbsq" is forbidden: violates PodSecurity "restricted:v1.25": runAsNonRoot != true (pod or container "devspaces-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "devspaces-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      ///

      Currently only the devworkspace-controller-manager and devworkspace-webhook-server deployments support it without modification.

      Known workaround:
      Patch the ClusterServiceVersion (CSV) with the following JSON patch, which adds a seccompProfile to the operator container's securityContext:
      cat <<EOF > patch-file.json
      [
        {
          "op": "add",
          "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/securityContext",
          "value": {
            "seccompProfile": { "type": "RuntimeDefault" }
          }
        }
      ]
      EOF

      $ oc patch csv devspacesoperator.v3.17.0 --patch-file patch-file.json --type json

      Then force a restart of the operator deployment:
      $ oc scale --replicas=0 deployment devspaces-operator
      $ oc scale --replicas=1 deployment devspaces-operator
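      Added example, not part of this issue or of the Dev Spaces project: a small Python check that applies a JSON patch to a constructed, cut-down Deployment pod template and reports the two restricted:v1.25 checks quoted in the event above. It also shows a detail worth verifying before patching a real CSV: RFC 6902 says an "add" on an existing object member replaces it, so the workaround's patch targeting the whole securityContext would drop any runAsNonRoot already set there, whereas a patch scoped to securityContext/seccompProfile keeps it. The sample Deployment, its image name and the stripped CSV path prefix are assumptions.

```python
import copy

# Constructed sample (assumption), not the real CSV: a cut-down operator Deployment
# whose container already sets runAsNonRoot, so only the seccomp check should fail.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {
    "securityContext": {},
    "containers": [{"name": "devspaces-operator",
                    "image": "registry.example/devspaces-operator:PLACEHOLDER",
                    "securityContext": {"runAsNonRoot": True}}],
}}}}
# The workaround patch from this issue, with the CSV prefix
# /spec/install/spec/deployments/0 stripped so it targets a bare Deployment.
PATCH_AS_POSTED = {"op": "add",
                   "path": "/spec/template/spec/containers/0/securityContext",
                   "value": {"seccompProfile": {"type": "RuntimeDefault"}}}
# Narrower variant: adds only the seccompProfile member and keeps its siblings.
PATCH_NARROW = {"op": "add",
                "path": "/spec/template/spec/containers/0/securityContext/seccompProfile",
                "value": {"type": "RuntimeDefault"}}

def json_patch_add(doc, path, value):
    """Minimal RFC 6902 'add' (object members and list indexes). Note RFC 6902 s4.1:
    an 'add' on an existing object member *replaces* that member's value."""
    doc = copy.deepcopy(doc)
    parts = [p.replace("~1", "/").replace("~0", "~") for p in path.split("/")[1:]]
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    last = parts[-1]
    if isinstance(node, list):
        node.insert(len(node) if last == "-" else int(last), value)
    else:
        node[last] = value
    return doc

def restricted_violations(deployment):
    """Report the two restricted:v1.25 checks quoted in the event message above.
    As in PSA, a container-level field overrides the pod-level one."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    found = []
    for c in pod["containers"]:
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{c['name']}: runAsNonRoot != true")
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{c['name']}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found
```

      Run it against your own exported pod template (for example from `oc get deployment devspaces-operator -o json`) before patching the CSV; whether the real container securityContext carries other fields is not shown on this page, which is exactly what the check is for.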

      Tested for 3.17.0, 3.18.0, 3.18.1 and 3.18.1-0.1739475915

      People: Anatolii Bazko (abazko), Sebastien Caps (rh-ee-scaps), Mykhailo Kuznietsov, Gaurav Trivedi