Bug
Resolution: Not a Bug
Moderate
Description of the problem:
Installing orchestrator gitops via the Helm chart succeeds, but the post-install hook fails with the following error:
Error: failed post-install: warning: Hook post-install gitops-operator/templates/wait-for-crd.yaml failed: 1 error occurred: * pods "cluster-check" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "crd-check" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "crd-check" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "crd-check" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "crd-check" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
The install succeeds, however, and subsequent reinstalls do not have the error (I assume the post-install hook is skipped because it was determined to be installed already).
helm upgrade --install orchestrator-gitops gitops-operator/ -f gitops-operator/values.yaml -n orchestrator-gitops --create-namespace --set namespaces={orchestrator-gitops}
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/kni/clusterconfigs/auth/kubeconfig
W0423 20:03:49.815398 4097765 warnings.go:70] unknown field "spec.dex"
W0423 20:03:49.815467 4097765 warnings.go:70] unknown field "spec.resourceCustomizations"
Release "orchestrator-gitops" has been upgraded. Happy Helming!
NAME: orchestrator-gitops
LAST DEPLOYED: Tue Apr 23 20:03:42 2024
NAMESPACE: orchestrator-gitops
STATUS: deployed
REVISION: 3
TEST SUITE: None
Version:
OCP 4.16

helm list -A
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/kni/clusterconfigs/auth/kubeconfig
NAME                    NAMESPACE            REVISION  UPDATED                                  STATUS    CHART                     APP VERSION
orchestrator-gitops     orchestrator-gitops  3         2024-04-23 20:03:42.919079485 +0300 IDT  deployed  gitops-operator-0.4.3     v2.4.11
orchestrator-pipelines  orchestrator-gitops  1         2024-04-23 19:50:44.834729002 +0300 IDT  deployed  pipelines-operator-0.1.0  v2.4.11
---
(Last commit from janus idp repo is
commit 0a397413df3f33da7e60142d0cc681522f7d7888 (HEAD -> main, origin/main, origin/HEAD)
Author: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>
Date:   Mon Apr 8 16:54:44 2024 +0200
    remove excelusion consitions
How reproducible:
100%
Steps to reproduce:
1. Follow these steps to deploy the gitops and argo cd operators
2. Install gitops operator
helm upgrade --install orchestrator-gitops gitops-operator/ -f gitops-operator/values.yaml -n orchestrator-gitops --create-namespace --set namespaces={orchestrator-gitops}
Actual results:
Error: failed post-install: warning: Hook post-install gitops-operator/templates/wait-for-crd.yaml failed: 1 error occurred: * pods "cluster-check" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "crd-check" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "crd-check" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "crd-check" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "crd-check" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Expected results:
No error; the post-install hook should succeed.
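The four clauses in the PodSecurity error each correspond to one unset securityContext field in the hook pod. The manifest below is an added illustration, not the chart's actual wait-for-crd.yaml template: a minimal post-install hook pod that satisfies the "restricted" profile, with a comment tying each field to the clause it resolves. The image, the command, the CRD name and the service account are placeholders; the only assumption about the real hook is that it runs a container named "crd-check" in a pod named "cluster-check".

```yaml
# Added example, not the chart's own wait-for-crd.yaml. Image, command,
# CRD name and serviceAccountName are placeholders; the securityContext
# fields are the point, each mapped to a clause of the PodSecurity error.
apiVersion: v1
kind: Pod
metadata:
  name: cluster-check
  annotations:
    "helm.sh/hook": post-install
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  restartPolicy: Never
  serviceAccountName: crd-check        # placeholder; only needs RBAC to get CRDs
  securityContext:
    runAsNonRoot: true                 # resolves: runAsNonRoot != true
    seccompProfile:
      type: RuntimeDefault             # resolves: seccompProfile must be RuntimeDefault or Localhost
  containers:
    - name: crd-check
      image: registry.example.com/kubectl:placeholder   # placeholder image
      # Placeholder loop in the spirit of "wait-for-crd"; <crd-name> is not on the page.
      command: ["sh", "-c", "until kubectl get crd <crd-name>; do sleep 5; done"]
      securityContext:
        allowPrivilegeEscalation: false   # resolves: allowPrivilegeEscalation != false
        capabilities:
          drop: ["ALL"]                   # resolves: unrestricted capabilities
```

runAsNonRoot: true is only enforceable if the image declares a non-root USER or the spec sets runAsUser to a non-zero UID; an image that defaults to root will be rejected at admission with a different message even with every field above set.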