OpenShift GitOps: GITOPS-2235

OCP < 4.11: Dex pod in less privileged namespace fails to come up, citing containerconfigerror


Details

    • Previous GitOps releases were affected by an issue with dex pods failing with CreateContainerConfigError when a SCC of 'anyuid' is assigned to the dex serviceAccount. This issue is fixed by assigning a default user id to the dex container.
    • GITOPS Sprint 223, GITOPS Sprint 224

    Description

      Reliably (3 times now), using the following repo and branch:

      https://github.com/mhjacks/multicloud-gitops/tree/repro-dex-failure

      (Installing the pattern by running `make install` on a fresh cluster)

      The dex pod in the multicloud-gitops-hub namespace will fail to come up:

      container has runAsNonRoot and image will run as root (pod: "hub-gitops-dex-server-68bfc4bf9-656k7_multicloud-gitops-hub(ea242591-5b38-4c8b-b4c5-d4dd04144ebf)", container: dex)

      The same manifests will apply without error on Gitops 1.5.

      The cluster-scoped installation dex pod in openshift-gitops comes up without error and works for OAuth with the default cluster-admin account.


      Cluster-scoped dex pod securityContext:

      ```
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
          - KILL
          - MKNOD
          - SETGID
          - SETUID
        runAsNonRoot: true
        runAsUser: 1000650000
      ```

      non-cluster-scoped securityContext:

      ```
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
          - MKNOD
        runAsNonRoot: true
      ```
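The two securityContexts quoted above differ in exactly one field that matters to the kubelet: `runAsUser`. Under the restricted SCC, OpenShift injects a `runAsUser` from the namespace's UID range (hence `1000650000`), so `runAsNonRoot: true` can be verified before the container starts. Under `anyuid` the SCC's RunAsAny strategy injects nothing, the kubelet falls back to the image's `USER`, and an image with no `USER` resolves to uid 0, which is the "image will run as root" message in the description and the CreateContainerConfigError in the release note. The Python below is an added illustration, not code from OpenShift GitOps or from the kubelet: it re-implements the decision rules of the kubelet's `verifyRunAsNonRoot` (container-level fields override pod-level ones; a non-zero UID must be provable from `runAsUser` or from a numeric image `USER`) and applies them to the contexts from this issue plus the fix the release note describes. The UID `1000` used for the "fixed" case and the named user `dex` are assumptions chosen for illustration.

```python
"""Model of the kubelet's runAsNonRoot admission check, applied to the two
securityContexts quoted in GITOPS-2235.

Added illustration; not kubelet or OpenShift GitOps code. The rules mirror
kubelet's verifyRunAsNonRoot: the container's securityContext overrides the
pod's for shared fields, and the check passes only when a non-zero UID can be
proven from runAsUser or from a numeric USER in the image config.
"""
from typing import Optional, Tuple

IMAGE_USER_UNSET = ""  # constructed: an image config whose USER is not set


def parse_image_user(image_user: str) -> Tuple[Optional[int], str]:
    """Derive (uid, username) from an image's USER the way the kubelet does.

    No USER means root (uid 0). A numeric USER (optionally "uid:gid") is a uid.
    Anything else is a username the kubelet cannot map to a uid on its own.
    """
    if image_user == "":
        return 0, ""
    user_part = image_user.split(":")[0]
    try:
        return int(user_part), ""
    except ValueError:
        return None, user_part


def effective_security_context(pod_sc: dict, container_sc: dict) -> dict:
    """Container-level runAsNonRoot/runAsUser win over pod-level values."""
    effective = {}
    for key in ("runAsNonRoot", "runAsUser"):
        if container_sc.get(key) is not None:
            effective[key] = container_sc[key]
        elif pod_sc.get(key) is not None:
            effective[key] = pod_sc[key]
    return effective


def verify_run_as_non_root(pod_sc: dict, container_sc: dict, image_user: str) -> Optional[str]:
    """Return None if the container would be admitted, else the kubelet-style reason."""
    sc = effective_security_context(pod_sc, container_sc)
    if not sc.get("runAsNonRoot"):
        return None  # policy not requested: nothing to verify
    if sc.get("runAsUser") is not None:
        # An explicit uid decides the question without consulting the image.
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, username = parse_image_user(image_user)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return (f"container has runAsNonRoot and image has non-numeric user ({username}), "
                "cannot verify user is non-root")
    return None


# The two container securityContexts from the issue; capabilities and
# allowPrivilegeEscalation play no part in this check and are omitted.
CLUSTER_SCOPED_SC = {"runAsNonRoot": True, "runAsUser": 1000650000}
NAMESPACE_SCOPED_SC = {"runAsNonRoot": True}


def scenarios() -> dict:
    """Apply the check to the issue's contexts and to the release note's fix."""
    pod_sc: dict = {}  # assumption: no pod-level overrides in the quoted manifests
    # Assumption: 1000 stands in for whatever default uid the operator assigns.
    fixed_sc = dict(NAMESPACE_SCOPED_SC, runAsUser=1000)
    return {
        "cluster_scoped_restricted_scc": verify_run_as_non_root(pod_sc, CLUSTER_SCOPED_SC, IMAGE_USER_UNSET),
        "namespace_scoped_anyuid_scc": verify_run_as_non_root(pod_sc, NAMESPACE_SCOPED_SC, IMAGE_USER_UNSET),
        "namespace_scoped_with_default_uid": verify_run_as_non_root(pod_sc, fixed_sc, IMAGE_USER_UNSET),
        # Assumption: an image built with "USER dex" (a name, not a number).
        "image_with_named_user": verify_run_as_non_root(pod_sc, NAMESPACE_SCOPED_SC, "dex"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {'admitted' if outcome is None else outcome}")
```

The third scenario is the release note's fix: once the operator sets a default `runAsUser` on the dex container, the image's `USER` no longer matters and the pod is admitted under `anyuid` as well. The fourth scenario is the other trap worth knowing: a Dockerfile `USER dex` does not satisfy `runAsNonRoot` either, because the kubelet will not trust the image's `/etc/passwd` to prove the name maps to a non-zero UID; only a numeric `USER` or an explicit `runAsUser` does.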

      People

        jrao@redhat.com Jaideep Rao
        martjack@redhat.com Martin Jackson
        Votes: 3
        Watchers: 13