Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-2026

Enable pod security admission with restricted profile

    XMLWordPrintable

Details

    • 5
    • False
    • None
    • False
    • With this update, the Operator will now configure the Argo CD workloads with the correct permissions to satisfy the Pod Security Admission that has been enabled for Kubernetes 1.24.
    • GITOPS Sprint 219

    Description

      OpenShift 4.11 will enable pod security admission (https://kubernetes.io/docs/concepts/security/pod-security-admission/) using the “restricted” profile by default (https://kubernetes.io/docs/concepts/security/pod-security-standards/)

       

      When running the argocd-operator on OpenShift 4.11, the following related warnings show up in the log

      1.6528221489928489e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "copyutil", "dex" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "copyutil", "dex" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "copyutil", "dex" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "copyutil", "dex" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      1.652822149039244e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "redis" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "redis" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "redis" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "redis" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      1.652822149104366e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "copyutil", "argocd-repo-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "copyutil", "argocd-repo-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "copyutil", "argocd-repo-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "copyutil", "argocd-repo-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      1.652822149168233e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "argocd-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "argocd-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "argocd-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "argocd-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1

      1.6528221495271401e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "argocd-application-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "argocd-application-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "argocd-application-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "argocd-application-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Acceptance Criteria

      • See the email in the comment. Asset the pods can be set with `restricted` or `privileged` profile and label them accordingly.

      Attachments

        Activity

          People

            jpitman63 John Pitman
            jpitman63 John Pitman
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: