Task
Resolution: Done
Critical
With this update, the Operator now configures the Argo CD workloads with the correct permissions to satisfy the Pod Security Admission that has been enabled for Kubernetes 1.24.
GITOPS Sprint 219
OpenShift 4.11 will enable pod security admission (https://kubernetes.io/docs/concepts/security/pod-security-admission/) using the "restricted" profile by default (https://kubernetes.io/docs/concepts/security/pod-security-standards/).
When running the argocd-operator on OpenShift 4.11, the following related warnings show up in the log:
1.6528221489928489e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "copyutil", "dex" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "copyutil", "dex" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "copyutil", "dex" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "copyutil", "dex" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1.652822149039244e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "redis" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "redis" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "redis" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "redis" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1.652822149104366e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "copyutil", "argocd-repo-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "copyutil", "argocd-repo-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "copyutil", "argocd-repo-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "copyutil", "argocd-repo-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1.652822149168233e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "argocd-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "argocd-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "argocd-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "argocd-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1.6528221495271401e+09 INFO KubeAPIWarningLogger would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "argocd-application-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "argocd-application-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "argocd-application-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "argocd-application-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
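The warnings above all report the same four checks from the "restricted" Pod Security Standard: allowPrivilegeEscalation must be false, capabilities.drop must include ALL, runAsNonRoot must be true, and seccompProfile.type must be RuntimeDefault or Localhost (the last two may be satisfied at pod level or per container). The following added example, which is not code from the argocd-operator, models those fields with simplified stand-in types (assumed, not the real k8s.io/api structs) so it runs offline: RestrictedSecurityContext builds a container securityContext that passes all four checks, and RestrictedViolations evaluates a pod spec and produces warning fragments in the same form as the KubeAPIWarningLogger lines, including the pod-level inheritance of runAsNonRoot and seccompProfile. The container names in main are a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the corev1 securityContext fields the "restricted" Pod
// Security Standard checks (assumed types, not the real k8s.io/api structs). The zero
// value means "unset", which is how the pre-fix Argo CD workloads looked.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	CapabilitiesDrop         []string
	SeccompProfileType       string // "RuntimeDefault", "Localhost", "Unconfined" or "" when unset
}
type Container struct {
	Name            string
	SecurityContext SecurityContext
}
type PodSpec struct { // pod-level values apply to every container that does not override them
	RunAsNonRoot       *bool
	SeccompProfileType string
	Containers         []Container
}

func boolPtr(b bool) *bool { return &b }

// RestrictedSecurityContext is a container securityContext that passes all four checks.
func RestrictedSecurityContext() SecurityContext {
	return SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		CapabilitiesDrop:         []string{"ALL"},
		SeccompProfileType:       "RuntimeDefault",
	}
}

// quoted renders container names the way the API warnings do: "copyutil", "dex".
func quoted(names []string) string {
	q := make([]string, len(names))
	for i, n := range names {
		q[i] = fmt.Sprintf("%q", n)
	}
	return strings.Join(q, ", ")
}

// RestrictedViolations evaluates a pod against the four restricted-profile checks
// and returns one warning fragment per failing check, naming the offending containers.
func RestrictedViolations(pod PodSpec) []string {
	var esc, caps, nonRoot, seccomp []string
	for _, c := range pod.Containers {
		sc := c.SecurityContext
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			esc = append(esc, c.Name)
		}
		dropped := false // restricted requires capabilities.drop to include "ALL"
		for _, d := range sc.CapabilitiesDrop {
			dropped = dropped || d == "ALL"
		}
		if !dropped {
			caps = append(caps, c.Name)
		}
		nr, prof := pod.RunAsNonRoot, pod.SeccompProfileType // inherit pod-level settings
		if sc.RunAsNonRoot != nil {
			nr = sc.RunAsNonRoot
		}
		if sc.SeccompProfileType != "" {
			prof = sc.SeccompProfileType
		}
		if nr == nil || !*nr {
			nonRoot = append(nonRoot, c.Name)
		}
		if prof != "RuntimeDefault" && prof != "Localhost" {
			seccomp = append(seccomp, c.Name)
		}
	}
	var out []string
	if len(esc) > 0 {
		out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (containers %s must set securityContext.allowPrivilegeEscalation=false)", quoted(esc)))
	}
	if len(caps) > 0 {
		out = append(out, fmt.Sprintf(`unrestricted capabilities (containers %s must set securityContext.capabilities.drop=["ALL"])`, quoted(caps)))
	}
	if len(nonRoot) > 0 {
		out = append(out, fmt.Sprintf("runAsNonRoot != true (pod or containers %s must set securityContext.runAsNonRoot=true)", quoted(nonRoot)))
	}
	if len(seccomp) > 0 {
		out = append(out, fmt.Sprintf(`seccompProfile (pod or containers %s must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")`, quoted(seccomp)))
	}
	return out
}

func main() {
	pod := PodSpec{Containers: []Container{{Name: "copyutil"}, {Name: "argocd-repo-server"}}} // constructed sample
	fmt.Println(strings.Join(RestrictedViolations(pod), "\n"))
}
```

Running it against containers with no securityContext reproduces the four fragments seen in the operator log; applying RestrictedSecurityContext to each container clears them. Setting runAsNonRoot and seccompProfile only at pod level clears those two checks for every container, while allowPrivilegeEscalation and capabilities.drop must be set per container, which is why the warnings phrase only the last two checks as "pod or container".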
Acceptance Criteria
- See the email in the comment. Assert that the pods can be set with the `restricted` or `privileged` profile and label them accordingly.