Bug
Resolution: Unresolved
Normal
openshift-4.12
Description of problem:
Using Hive to deploy a cluster, the cluster install failed because of the PodSecurity change.
Version-Release number of selected component (if applicable):
quay.io/openshift-release-dev/ocp-release:4.12.0-ec.2-x86_64
How reproducible:
Always
Steps to Reproduce:
1. Use hiveutil to create a cluster.
$ bin/hiveutil create-cluster --base-domain=qe.devcluster.openshift.com --region us-east-2 --cloud=aws --release-image quay.io/openshift-release-dev/ocp-release:4.12.0-ec.2-x86_64 mihuang-cluster -o yaml > a.yaml
$ oc apply -f a.yaml
Actual results:
$ oc get cd
NAME INFRAID PLATFORM REGION VERSION CLUSTERTYPE PROVISIONSTATUS POWERSTATE AGE
mihuang-cluster aws us-east-2 Initialized 46m
$ oc get cd mihuang-cluster -o json
"status": {
    "conditions": [
        {
            "lastProbeTime": "2022-09-08T09:38:54Z",
            "lastTransitionTime": "2022-09-08T09:38:54Z",
            "message": "The job default/mihuang-cluster-imageset to resolve the image failed because of (DeadlineExceeded) Job was active longer than specified deadline",
            "reason": "JobToResolveImagesFailed",
            "status": "True",
            "type": "InstallImagesNotResolved"
        },
Error message:
36s Warning FailedCreate job/mihuang-cluster-imageset Error creating: pods "mihuang-cluster-imageset-qzvm4" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "release", "hiveutil" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "release", "hiveutil" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "release", "hiveutil" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "release", "hiveutil" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Expected results:
The install succeeds.
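
The four checks listed in the event message above can be evaluated against a pod spec offline. The following is an added example, not code from Hive or from the original report: the pod spec is constructed (only the container names "release" and "hiveutil" come from the event), the function names are hypothetical, and only those four rules are covered, not the whole restricted profile.

```python
import copy

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed pod spec: only the container names come from the event message.
CONSTRUCTED_JOB_POD = {
    "containers": [
        {"name": "release", "image": "example.invalid/release:placeholder"},
        {"name": "hiveutil", "image": "example.invalid/hive:placeholder"},
    ]
}

def _containers(pod_spec):
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])

def restricted_violations(pod_spec):
    """Return sorted (container, rule) pairs failing the four checks in the event."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    failures = []
    for c in _containers(pod_spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            failures.append((c["name"], "allowPrivilegeEscalation"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            failures.append((c["name"], "capabilities.drop"))
        # A container-level value, when set, overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            failures.append((c["name"], "runAsNonRoot"))
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            failures.append((c["name"], "seccompProfile"))
    return sorted(failures)

def harden(pod_spec):
    """Return a copy with the securityContext fields the event message asks for."""
    spec = copy.deepcopy(pod_spec)
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in _containers(spec):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return spec

if __name__ == "__main__":
    for name, rule in restricted_violations(CONSTRUCTED_JOB_POD):
        print(f"{name}: {rule}")
    print("after harden:", restricted_violations(harden(CONSTRUCTED_JOB_POD)))
```

Setting runAsNonRoot=true only gets the pod past admission; the container image must also run as a non-zero UID, or the kubelet refuses to start it.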