Bug
Resolution: Done
Normal
1.16.0
3
False
False
GitOps Scarlet Sprint 15, GitOps Scarlet Sprint 16
Description of Problem
Seen in an openshift-gitops-operator.v1.16.0 install in an OCP 4.16.39 cluster:

$ oc -n openshift-gitops describe replicaset gitops-plugin-566d965cc | tail -n2
  Warning  FailedCreate  8m36s  replicaset-controller  Error creating: pods "gitops-plugin-566d965cc-n8st2" is forbidden: violates PodSecurity "restricted:v1.29": allowPrivilegeEscalation != false (container "gitops-plugin" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "gitops-plugin" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "gitops-plugin" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "gitops-plugin" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  7m40s  replicaset-controller  Error creating: pods "gitops-plugin-566d965cc-qlw8m" is forbidden: violates PodSecurity "restricted:v1.29": allowPrivilegeEscalation != false (container "gitops-plugin" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "gitops-plugin" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "gitops-plugin" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "gitops-plugin" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
The gitops-plugin Pods should set securityContext.allowPrivilegeEscalation=false and make the other changes those Events call for (capabilities.drop=["ALL"], runAsNonRoot=true, and seccompProfile.type set to "RuntimeDefault" or "Localhost"), so they can be created and run under the restricted profile.
Additional Info
Pod Security admission has been enforcing the restricted profile since GITOPS-2683's gitops-operator#674 added the namespace labels:
$ oc get -o yaml namespace openshift-gitops | grep pod-security
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.29
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
The dev-branch PodSpec for the gitops-plugin Pods does not currently set the securityContext fields that the Pod Security admission controller requires for the restricted profile.
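As an added illustration (not part of this report or the operator's own code), here is a small checker for the four restricted-profile conditions the FailedCreate events name, run against a constructed PodSpec with no securityContext and one carrying the recommended fields; the container image name is a placeholder.

```python
# Added example: checks the four PodSecurity "restricted" conditions from the
# events above against PodSpec-shaped dicts. Specs below are constructed, not
# the operator's real manifests.

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return the restricted-profile violations found in a PodSpec dict.

    runAsNonRoot and seccompProfile may be satisfied at pod or container level
    (a container-level value overrides the pod-level one); the
    allowPrivilegeEscalation and capabilities.drop checks are per container.
    """
    pod_sc = pod_spec.get("securityContext", {})
    violations = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f'unrestricted capabilities (container "{name}")')
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


# Constructed "before" spec: no securityContext at all, as the events describe.
BEFORE = {"containers": [{"name": "gitops-plugin", "image": "example/gitops-plugin:placeholder"}]}

# Constructed "after" spec: pod-level runAsNonRoot and seccompProfile are
# inherited by the container; the other two fields are set on the container.
AFTER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "gitops-plugin",
        "image": "example/gitops-plugin:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "ok")
```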
Problem Reproduction
- Create a 4.16.39 cluster
- Install openshift-gitops-operator.v1.16.0
- Check Events on the gitops-plugin-... ReplicaSet in the openshift-gitops namespace.
Reproducibility
I've seen this in a production cluster, but have not attempted to reproduce.
Prerequisites/Environment
Seen in an OSD cluster, but seems likely that the conditions would appear on customer-managed OCP as well.
Steps to Reproduce
Seems like this issue-template section overlaps with Problem Reproduction? Or I'm just misunderstanding the distinction it's hoping for?
Expected Results
Happy, running gitops-plugin-... Pods.
Actual Results
gitops-plugin-... Pod creation rejected on Pod Security violations.
Problem Analysis
- <Completed by engineering team as part of the triage/refinement process>
Root Cause
- <What is the root cause of the problem? Or, why is it not a bug?>
Workaround (If Possible)
- <Are there any workarounds we can provide to the customers?>
Fix Approaches
- <If we decide to fix this bug, how will we do it?>
Acceptance Criteria
- ...
Definition of Done
- Code Complete:
  - All code has been written, reviewed, and approved.
- Tested:
  - Unit tests have been written and passed.
  - Ensure code coverage is not reduced with the changes.
  - Integration tests have been automated.
  - System tests have been conducted, and all critical bugs have been fixed.
  - Tested and merged on OpenShift either upstream or downstream on a local build.
- Documentation:
  - User documentation or release notes have been written (if applicable).
- Build:
  - Code has been successfully built and integrated into the main repository / project.
  - Midstream changes (if applicable) are done, reviewed, approved and merged.
- Review:
  - Code has been peer-reviewed and meets coding standards.
  - All acceptance criteria defined in the user story have been met.
  - Tested by reviewer on OpenShift.
- Deployment:
  - The feature has been deployed on an OpenShift cluster for testing.