Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-24518

Operator isn't compatible with new security standards in upcoming OCP

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • OP-2.4.0.GA
    • OP-2.3.4.GA
    • Operator
    • None
    • False
    • None
    • False
    • Hide

      There might be more workarounds but one of them is to set some labels on the namespace where the operator will be installed

      oc label ns msimka-namespace security.openshift.io/scc.podSecurityLabelSync=false --overwrite 
oc label ns msimka-namespace pod-security.kubernetes.io/enforce=privileged --overwrite 
oc label ns msimka-namespace pod-security.kubernetes.io/audit=privileged --overwrite 
oc label ns msimka-namespace pod-security.kubernetes.io/warn=privileged --overwrite

      (I'm not sure if all of these labels are required, I'm not going to dig into it now)

      Show
      There might be more workarounds but one of them is to set some labels on the namespace where the operator will be installed oc label ns msimka-namespace security.openshift.io/scc.podSecurityLabelSync= false --overwrite oc label ns msimka-namespace pod-security.kubernetes.io/enforce=privileged --overwrite oc label ns msimka-namespace pod-security.kubernetes.io/audit=privileged --overwrite oc label ns msimka-namespace pod-security.kubernetes.io/warn=privileged --overwrite (I'm not sure if all of these labels are required, I'm not going to dig into it now)

    Description

      With OCP 4.11 and 4.12 we have been seeing warning like

      Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "wildfly-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "wildfly-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "wildfly-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "wildfly-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      With 4.13, (nightly builds) OpenShift started to enforce new standards and EAP operator fails to deploy. Both released 2.3 and not yet released 2.4 versions are affected.

      Error:

      E0201 14:02:59.946423       1 queueinformer_operator.go:298] sync {"update" "msimka-namespace/eap-operator"} failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: eap-operator-: pods "eap-operator-b2t2n" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "configmap-registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "configmap-registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "configmap-registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "configmap-registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      which can be found in OLM log

      oc logs pod/catalog-operator-9d959f49d-2q8ml -n openshift-operator-lifecycle-manager

      It was slightly discussed on GH issue

      My understanding is the warning comes due to the standard pod security policies managed by the cluster or namespace where you are installing the Operator. We have to address them by defining the SecurityContext on the Deployment resource that deploys the Operator, we have to think about how we should do it and whether it will need to be dynamic or exposed to the user. I'm not sure yet.

      With this PR the user will be able to configure the SecurityContext of the pods generated by the StatefulSet, so it will help the users to adapt the Operator workload to the current cluster policy if they need it.

      Some resources:

      Attachments

        Issue Links

          is caused by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. AUTH-262 Pod Security Admission Integration - Restricted Enforcement

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress
          is incorporated by

          Release - A container task to coordinate the tasks for a given release. JBEAP-24635 EAP Operator 2.4.0 release

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-24968 Operator was not installed on OCP 4.14 due to the new pod security standards

          • Critical - To be worked on immediately following BLOCKER issues.
          • New

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8710 [4.13] don't enforce PSa in 4.13

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              jmesnil1@redhat.com Jeff Mesnil
              msimka@redhat.com Martin Simka
              Emmanuel Ameh Emmanuel Ameh
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: