Sub-task
Resolution: Done
Description of problem:
We found this issue during the interop testing. OCP 4.14 has the pod security mode set to enforce, which caused the pod to be denied. This is caused by the restore order: the pod is created before the SCC resource, and since this pod violates the pod security standard, it is denied.
I have tested it by setting the restore priority field on the velero server, and the restore was successful.
$ oc get dpa -o yaml
  configuration:
    restic:
      enable: true
    velero:
      args:
        restore-resource-priorities: ServiceAccount,SecurityContextConstraints
      defaultPlugins:
      - gcp
      - openshift

$ oc get restore -o yaml
  spec:
    backupName: test-restic
    excludedResources:
    - nodes
    - events
    - events.events.k8s.io
    - backups.velero.io
    - restores.velero.io
    - resticrepositories.velero.io
    - csinodes.storage.k8s.io
    - volumeattachments.storage.k8s.io
  status:
    completionTimestamp: "2023-06-14T11:44:34Z"
    phase: Completed
    progress:
      itemsRestored: 41
      totalItems: 41
    startTimestamp: "2023-06-14T11:43:59Z"
    warnings: 5
Version-Release number of selected component (if applicable):
OCP 4.14
OADP 1.1.4
How reproducible:
Always
Steps to Reproduce:
1. Deploy an application which includes an SCC resource.
$ oc create -f https://raw.githubusercontent.com/openshift/oadp-operator/master/tests/e2e/sample-applications/mysql-persistent/mysql-persistent.yaml
2. Execute backup with restic.
$ cat backup.yml
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: test-restic
  labels:
    velero.io/storage-location: default
  namespace: openshift-adp
spec:
  defaultVolumesToRestic: true
  includedNamespaces:
  - mysql-persistent
  storageLocation: ts-dpa-1
3. Delete app namespace
4. Execute Restore
Actual results:
Restore is partially failing.
"level=error" in line#2273: time="2023-06-12T06:50:04Z" level=error msg="error restoring mysql-869f9f44f6-tp5lv: pods \"mysql-869f9f44f6-tp5lv\" is forbidden: violates PodSecurity \"restricted:v1.24\": privileged (container \"mysql\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"restic-wait\", \"mysql\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"restic-wait\", \"mysql\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or containers \"restic-wait\", \"mysql\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="/remote-source/velero/app/pkg/restore/restore.go:1388" restore=openshift-adp/todolist-backup-0780518c-08ed-11ee-805c-0a580a80e92c
velero container contains "level=error" in line#2447: time="2023-06-12T06:50:05Z" level=error msg="Namespace todolist-mariadb, resource restore error: error restoring pods/todolist-mariadb/mysql-869f9f44f6-tp5lv: pods \"mysql-869f9f44f6-tp5lv\" is forbidden: violates PodSecurity \"restricted:v1.24\": privileged (container \"mysql\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"restic-wait\", \"mysql\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"restic-wait\", \"mysql\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or containers \"restic-wait\", \"mysql\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="/remote-source/velero/app/pkg/controller/restore_controller.go:510" restore=openshift-adp/todolist-backup-0780518c-08ed-11ee-805c-0a580a80e92c
Expected results:
Restore should be successful.
Additional info:
Slack thread:
https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1686741632153959
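Added example, not part of the report and not code from OADP or Velero: two offline checks for the failure described in this issue. The first re-implements the four PodSecurity "restricted" checks named in the admission error (privileged, allowPrivilegeEscalation, capabilities.drop, seccompProfile) so a pod spec from a backup can be screened before it is restored into an enforcing namespace; it covers only those four checks, not the whole restricted profile (for instance it does not inspect capabilities.add). The second models the restore-resource-priorities flag as the Velero 1.9 flag help describes it (listed resources first, in list order; every other resource afterwards, alphabetically) so a DPA setting can be checked for "SCCs before pods" without running a restore. The pod specs, the priority strings and the case-insensitive name matching are assumptions made for the example; the specs only mirror the report's mysql pod and are not taken from the backup.

```python
"""Added example (not from the OADP report or the Velero code base)."""
from __future__ import annotations

from typing import Any

SECCOMP_ALLOWED = {"RuntimeDefault", "Localhost"}


def _names(containers: list[dict[str, Any]]) -> str:
    return ", ".join('"%s"' % c["name"] for c in containers)


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return one message per failed check, worded like the admission error
    in the report; an empty list means these four checks pass. initContainers
    (Velero's injected restic-wait is one) are evaluated like regular
    containers, as PodSecurity does."""
    ctrs = list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))
    sc = lambda c: c.get("securityContext") or {}
    pod_seccomp = (pod_spec.get("securityContext") or {}).get("seccompProfile", {}).get("type")
    out: list[str] = []

    bad = [c for c in ctrs if sc(c).get("privileged") is True]
    if bad:
        out.append("privileged (containers %s must not set securityContext.privileged=true)" % _names(bad))

    bad = [c for c in ctrs if sc(c).get("allowPrivilegeEscalation") is not False]
    if bad:
        out.append("allowPrivilegeEscalation != false (containers %s must set "
                   "securityContext.allowPrivilegeEscalation=false)" % _names(bad))

    bad = [c for c in ctrs if "ALL" not in (sc(c).get("capabilities") or {}).get("drop", [])]
    if bad:
        out.append('unrestricted capabilities (containers %s must set '
                   'securityContext.capabilities.drop=["ALL"])' % _names(bad))

    # A container inherits the pod-level profile unless it sets its own;
    # whichever applies must be RuntimeDefault or Localhost.
    bad = [c for c in ctrs
           if (sc(c).get("seccompProfile") or {}).get("type", pod_seccomp) not in SECCOMP_ALLOWED]
    if bad:
        out.append("seccompProfile (pod or containers %s must set securityContext."
                   'seccompProfile.type to "RuntimeDefault" or "Localhost")' % _names(bad))
    return out


def restore_order(priorities: str, resources: list[str]) -> list[str]:
    """Order `resources` as the Velero 1.9 flag help documents: listed resources
    first, in list order, then the rest alphabetically. Names are compared
    case-insensitively here (an assumption; the server resolves them through
    API discovery)."""
    prio = [p.strip().lower() for p in priorities.split(",") if p.strip()]

    def key(r: str) -> tuple[int, str]:
        r = r.lower()
        return (prio.index(r), "") if r in prio else (len(prio), r)

    return sorted(resources, key=key)


def scc_before_pods(priorities: str) -> bool:
    """True if this priority string restores SCCs before pods."""
    order = restore_order(priorities, ["pods", "securitycontextconstraints"])
    return order.index("securitycontextconstraints") < order.index("pods")


# Constructed to mirror the report's mysql pod: a privileged container plus the
# restic-wait init container, neither carrying any restricted-profile settings.
REPORTED_POD_SPEC = {
    "initContainers": [{"name": "restic-wait"}],
    "containers": [{"name": "mysql", "securityContext": {"privileged": True}}],
}

# The same pod with the four settings the error message asks for.
HARDENED_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "restic-wait", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "containers": [{"name": "mysql", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}

# The workaround from the report, and a constructed list that names pods but not
# SCCs (as Velero's built-in default list does), so SCCs fall into the
# alphabetical tail and are restored after pods.
WORKAROUND_PRIORITIES = "ServiceAccount,SecurityContextConstraints"
PODS_ONLY_PRIORITIES = "namespaces,persistentvolumes,persistentvolumeclaims,serviceaccounts,pods"

if __name__ == "__main__":
    for v in restricted_violations(REPORTED_POD_SPEC):
        print("violation:", v)
    print("hardened violations:", restricted_violations(HARDENED_POD_SPEC))
    print("workaround restores SCC before pods:", scc_before_pods(WORKAROUND_PRIORITIES))
    print("pods-only list restores SCC before pods:", scc_before_pods(PODS_ONLY_PRIORITIES))
```

Two caveats worth keeping in mind when reusing the workaround: the flag replaces Velero's built-in priority list rather than appending to it, so a two-entry value like the one in the DPA above pushes every other resource (CRDs, namespaces, PVs, pods) into the alphabetical tail, and in a production DPA one would normally keep the defaults and insert SecurityContextConstraints ahead of pods; and the ordering check only establishes that the SCC exists when the pod is created, it does not verify that the restored SCC is actually granted to the pod's service account.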