OpenShift API for Data Protection / OADP-2420

oadp-1.1.x Restic restore is partially failing due to Pod Security standard

    • oadp-operator-bundle-container-1.1.6-13

      Description of problem:

      We found this issue during the interop testing. OCP 4.14 has the Pod Security mode set to enforce, which causes the pod to be denied. This is caused by the restore order: the pod is created before the SCC resource, and as the pod violates the PodSecurity standard, it is denied.

      I have tested it by setting the restore priority field on the Velero server; the restore was successful.

      $ oc get dpa -o yaml
         configuration:
            restic:
              enable: true
            velero:
              args:
                restore-resource-priorities: ServiceAccount,SecurityContextConstraints
              defaultPlugins:
              - gcp
              - openshift
      
      $ oc get restore -o yaml
      spec:
        backupName: test-restic
        excludedResources:
        - nodes
        - events
        - events.events.k8s.io
        - backups.velero.io
        - restores.velero.io
        - resticrepositories.velero.io
        - csinodes.storage.k8s.io
        - volumeattachments.storage.k8s.io
      status:
        completionTimestamp: "2023-06-14T11:44:34Z"
        phase: Completed
        progress:
          itemsRestored: 41
          totalItems: 41
        startTimestamp: "2023-06-14T11:43:59Z"
        warnings: 5 

      Version-Release number of selected component (if applicable):
      OCP 4.14
      OADP 1.1.4

      How reproducible:
      Always

      Steps to Reproduce:
      1. Deploy an application which includes an SCC resource.

      $ oc create -f https://raw.githubusercontent.com/openshift/oadp-operator/master/tests/e2e/sample-applications/mysql-persistent/mysql-persistent.yaml

      2. Execute backup with restic.

      $ cat backup.yml 
      apiVersion: velero.io/v1
      kind: Backup
      metadata:
        name: test-restic
        labels:
          velero.io/storage-location: default
        namespace: openshift-adp
      spec:
        defaultVolumesToRestic: true
        includedNamespaces:
        - mysql-persistent
        storageLocation: ts-dpa-1

      3. Delete the app namespace
      4. Execute the restore

      Actual results:

      Restore is partially failing.

      "level=error" in line#2273: time="2023-06-12T06:50:04Z" level=error msg="error restoring mysql-869f9f44f6-tp5lv: pods \"mysql-869f9f44f6-tp5lv\" is forbidden: violates PodSecurity \"restricted:v1.24\": privileged (container \"mysql\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"restic-wait\", \"mysql\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"restic-wait\", \"mysql\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or containers \"restic-wait\", \"mysql\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="/remote-source/velero/app/pkg/restore/restore.go:1388" restore=openshift-adp/todolist-backup-0780518c-08ed-11ee-805c-0a580a80e92c
      velero container contains "level=error" in line#2447: time="2023-06-12T06:50:05Z" level=error msg="Namespace todolist-mariadb, resource restore error: error restoring pods/todolist-mariadb/mysql-869f9f44f6-tp5lv: pods \"mysql-869f9f44f6-tp5lv\" is forbidden: violates PodSecurity \"restricted:v1.24\": privileged (container \"mysql\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"restic-wait\", \"mysql\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"restic-wait\", \"mysql\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or containers \"restic-wait\", \"mysql\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="/remote-source/velero/app/pkg/controller/restore_controller.go:510" restore=openshift-adp/todolist-backup-0780518c-08ed-11ee-805c-0a580a80e92c
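The admission error above enumerates exactly which restricted controls the pod fails, so the same four checks can be run over the pod specs in a backup before restoring into a namespace that enforces the restricted Pod Security standard. That tells you which pods depend on their SCC being restored first, which is what the restore-resource-priorities setting in the DPA addresses. The following is an added example, not OADP or Velero code; `restricted_violations`, the helper names and both sample pod specs are constructed for the illustration (the first one is shaped after the mysql pod in the error, with the Velero-injected restic-wait init container).

```python
"""Pre-restore check of a pod spec against the four PodSecurity
"restricted:v1.24" controls named in the Velero restore error:
privileged, allowPrivilegeEscalation, capabilities.drop and seccompProfile.

Added example, not OADP or Velero code. The sample specs below are
constructed stand-ins, not manifests from the issue.
"""
from __future__ import annotations


def _security_context(obj: dict) -> dict:
    # YAML may carry "securityContext: null"; treat that as absent.
    return obj.get("securityContext") or {}


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return violations phrased like the admission error, for the four
    restricted checks quoted in the issue. An empty list means the pod
    passes those four checks only; the full restricted profile has further
    controls (runAsNonRoot, volume types, ...) that are not checked here.
    """
    pod_seccomp = (_security_context(pod_spec).get("seccompProfile") or {}).get("type")
    # The admission error names the injected init container first, so walk
    # initContainers before containers to reproduce that ordering.
    all_containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])

    privileged, escalation, capabilities, seccomp = [], [], [], []
    for c in all_containers:
        name = c["name"]
        sc = _security_context(c)
        if sc.get("privileged") is True:
            privileged.append(name)
        # restricted requires an explicit false; an unset value is a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            escalation.append(name)
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            capabilities.append(name)
        # A container-level seccompProfile overrides the pod-level one.
        seccomp_type = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp_type not in ("RuntimeDefault", "Localhost"):
            seccomp.append(name)

    problems = []
    if privileged:
        problems.append(f"privileged (containers {privileged} must not set securityContext.privileged=true)")
    if escalation:
        problems.append(f"allowPrivilegeEscalation != false (containers {escalation} must set securityContext.allowPrivilegeEscalation=false)")
    if capabilities:
        problems.append(f"unrestricted capabilities (containers {capabilities} must set securityContext.capabilities.drop=[\"ALL\"])")
    if seccomp:
        problems.append(f"seccompProfile (pod or containers {seccomp} must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")")
    return problems


# Constructed sample shaped like the mysql pod from the error message.
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "restic-wait", "image": "velero-restore-helper"}],
    "containers": [{"name": "mysql", "image": "mysql", "securityContext": {"privileged": True}}],
}

# Constructed sample that satisfies the four checks (seccomp set at pod level).
COMPLIANT_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "mysql",
        "image": "mysql",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_POD_SPEC), ("compliant", COMPLIANT_POD_SPEC)):
        found = restricted_violations(spec)
        print(f"{label}: {'passes the four checks' if not found else 'would be denied'}")
        for problem in found:
            print("  -", problem)
```

Feeding the pod items out of a Velero backup tarball (or `oc get pod -o json` from the source cluster) through `restricted_violations` before the restore lists the pods that will be rejected unless their SCC and service account land first; an empty result for every pod means the restore ordering does not matter for admission.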

      Expected results:
      Restore should be successful.

      Additional info:
      Slack thread:
      https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1686741632153959

            spampatt@redhat.com Shubham Pampattiwar
            rhn-support-prajoshi Prasad Joshi