OpenShift GitOps / GITOPS-6777

gitops-plugin Pods should comply with the Pod Security restricted policy


      Before this update, the gitops-plugin Deployment installed by the operator had no security context configured. This caused the plugin pod to fail in some cases since it was violating the PodSecurity restricted policy. With this update, the operator configures the necessary security context for the gitops-plugin Deployment so that it complies with the PodSecurity restricted policy.
    • GitOps Scarlet Sprint 15, GitOps Scarlet Sprint 16

      Description of Problem

      Seen in an openshift-gitops-operator.v1.16.0 install in an OCP 4.16.39 cluster:

      $ oc -n openshift-gitops describe replicaset gitops-plugin-566d965cc | tail -n2
        Warning  FailedCreate  8m36s               replicaset-controller  Error creating: pods "gitops-plugin-566d965cc-n8st2" is forbidden: violates PodSecurity "restricted:v1.29": allowPrivilegeEscalation != false (container "gitops-plugin" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "gitops-plugin" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "gitops-plugin" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "gitops-plugin" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        Warning  FailedCreate  7m40s               replicaset-controller  Error creating: pods "gitops-plugin-566d965cc-qlw8m" is forbidden: violates PodSecurity "restricted:v1.29": allowPrivilegeEscalation != false (container "gitops-plugin" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "gitops-plugin" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "gitops-plugin" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "gitops-plugin" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

      The gitops-plugin Pods should set securityContext.allowPrivilegeEscalation=false and make the other changes recommended in those Events, so they can be created and run.

      Additional Info

      The Pod Security policy is enforcing since GITOPS-2683's gitops-operator#674 added namespace labels:

      $ oc get -o yaml namespace openshift-gitops | grep pod-security
          pod-security.kubernetes.io/audit: restricted
          pod-security.kubernetes.io/audit-version: latest
          pod-security.kubernetes.io/enforce: restricted
          pod-security.kubernetes.io/enforce-version: v1.29
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/warn-version: latest
      

      The dev-branch PodSpec for the gitops-plugin Pods does not currently set the properties the policy bot is asking for.

      Problem Reproduction

      1. Create a 4.16.39 cluster
      2. Install openshift-gitops-operator.v1.16.0
      3. Check Events on the gitops-plugin-... ReplicaSet in the openshift-gitops namespace.

      Reproducibility

      I've seen this in a production cluster, but have not attempted to reproduce.

      Prerequisites/Environment

      Seen in an OSD cluster, but seems likely that the conditions would appear on customer-managed OCP as well.

      Steps to Reproduce

      Seems like this issue-template section overlaps with Problem Reproduction? Or I'm just misunderstanding the distinction it's hoping for?

      Expected Results

      Happy, running gitops-plugin-... Pods.

      Actual Results

      gitops-plugin-... Pod creation rejected on Pod Security violations.

      Problem Analysis

      • <Completed by engineering team as part of the triage/refinement process>

      Root Cause

      • <What is the root cause of the problem? Or, why is it not a bug?>

      Workaround (If Possible)

      • <Are there any workarounds we can provide to the customers?>

      Fix Approaches

      • <If we decide to fix this bug, how will we do it?>

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.
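The four rules quoted in the FailedCreate events above are exactly the checks a PodSecurity "restricted" admission performs on a container's security context. The following is an added example, not code from the issue or from gitops-operator: it evaluates a PodSpec against those four rules (pod-level `runAsNonRoot`/`seccompProfile` overridden by container-level values, as the admission does), using a constructed stand-in for the pre-fix gitops-plugin spec with no security context and a hardened copy of it. It is not a full PodSecurity implementation; the baseline-level checks (hostNetwork, hostPath volumes and so on) are omitted.

```python
# Added example (not from the issue or the gitops-operator code): check a PodSpec
# against the four PodSecurity "restricted" rules quoted in the ReplicaSet events,
# then show the gitops-plugin spec before and after adding a security context.
import copy

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return one message per violated rule, in the order the admission event lists them."""
    pod_sc = pod_spec.get("securityContext", {})
    problems = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f'unrestricted capabilities (container "{name}")')
        # runAsNonRoot and seccompProfile may be set at pod or container level;
        # a container-level value overrides the pod-level one.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            problems.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f'seccompProfile (pod or container "{name}")')
    return problems

# Constructed stand-in for the pre-fix Deployment PodSpec: no securityContext at all.
# The image name is a placeholder, not the real plugin image.
BEFORE = {"containers": [{"name": "gitops-plugin", "image": "gitops-plugin:placeholder"}]}

def harden(pod_spec: dict) -> dict:
    """Return a copy carrying the security context the restricted policy requires."""
    fixed = copy.deepcopy(pod_spec)
    fixed["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    for c in fixed["containers"]:
        c["securityContext"] = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
    return fixed

AFTER = harden(BEFORE)

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "complies with restricted")
```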

cbanavik Chetan Banavikalmutt
trking W. Trevor King
Votes: 1
Watchers: 7