OpenShift Bugs: OCPBUGS-12222

LSO `examples/olm/catalog-create-subscribe.yaml` defines `openshift-local-storage` namespace with insufficient permissions


    • Bug
    • Resolution: Done-Errata
    • Normal
    • 4.14.0
    • Storage / Operators
    • Low
    • Release Note Not Required

      Description of problem:

      LSO `HACKING.md` suggests the following command to install the operator:

      ~> oc create -f examples/olm/catalog-create-subscribe.yaml

      However, after this command the CatalogSource is broken:

      $ oc describe catalogsource -n openshift-local-storage
      ...
      Status:
        Message:  couldn't ensure registry server - error ensuring pod: : error creating new pod: localstorage-operator-manifests-: pods "localstorage-operator-manifests-ts4np" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        Reason:   RegistryServerError

      Version-Release number of selected component (if applicable):

       4.14.0

      How reproducible:

      always

      Steps to Reproduce:

      Apply `examples/olm/catalog-create-subscribe.yaml` as explained in `HACKING.md`, then describe `CatalogSource`:

      $ oc create -f examples/olm/catalog-create-subscribe.yaml
      $ oc describe catalogsource -n openshift-local-storage
      ...
      Status:
        Message:  couldn't ensure registry server - error ensuring pod: : error creating new pod: localstorage-operator-manifests-: pods "localstorage-operator-manifests-ts4np" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        Reason:   RegistryServerError

      Actual results:

      `oc describe catalogsource -n openshift-local-storage` reports an error

      Expected results:

      `oc describe catalogsource -n openshift-local-storage` doesn't report errors
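The admission message quoted in this report names four PodSecurity "restricted" controls that the OLM registry pod failed. The following Python is an added example (not part of the bug report, LSO or OLM) that does two things a practitioner wants when triaging such a failure: it parses the admission message into the individual failed checks, and it pre-flights a Pod spec against those same four controls before it reaches the API server. It goes slightly beyond the message: it also evaluates init and ephemeral containers and flags added capabilities other than NET_BIND_SERVICE, which the real restricted profile rejects as well. It does not implement the full baseline profile that "restricted" also includes. The two Pod specs and the image name `placeholder/catalog:latest` are constructed for the demonstration; the sample message is the one from this report.

```python
import re

# The four "restricted" controls named in the admission message on this page.
# (The real restricted profile also enforces every baseline control; this
# pre-flight covers only the controls the message reports.)
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability restricted lets a container add


def _containers(pod_spec):
    """All container kinds Pod Security Admission evaluates: init, regular and ephemeral."""
    return ((pod_spec.get("initContainers") or [])
            + (pod_spec.get("containers") or [])
            + (pod_spec.get("ephemeralContainers") or []))


def restricted_violations(pod_spec):
    """Return [(check_name, container_name)] for every failed control; empty if the spec would pass."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    for c in _containers(pod_spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Must be explicitly false; unset defaults to true.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(("allowPrivilegeEscalation != false", name))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or set(caps.get("add") or []) - ALLOWED_ADDED_CAPS:
            violations.append(("unrestricted capabilities", name))
        # runAsNonRoot and seccompProfile may be set at pod level; the container level overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(("runAsNonRoot != true", name))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(("seccompProfile", name))
    return violations


_PROFILE_RE = re.compile(r'violates PodSecurity "([^"]+)"')
# Each failed check is rendered as: <check name> (<detail>), comma separated.
_CHECK_RE = re.compile(r'\s*([^(,]+?) \(([^)]*)\)')


def parse_pod_security_message(message):
    """Parse an admission error into (profile, [(check_name, detail), ...]); (None, []) if not a PSA message."""
    m = _PROFILE_RE.search(message)
    if not m:
        return None, []
    rest = message[m.end():].lstrip(": ")
    return m.group(1), _CHECK_RE.findall(rest)


# Constructed sample modelled on the failing "registry-server" container (not OLM's real pod spec).
FAILING_POD_SPEC = {
    "containers": [{"name": "registry-server", "image": "placeholder/catalog:latest",
                    "securityContext": {}}],
}

# Constructed hardened counterpart that satisfies all four controls.
HARDENED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "registry-server", "image": "placeholder/catalog:latest",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}

# The CatalogSource status message from this bug report.
SAMPLE_MESSAGE = (
    "couldn't ensure registry server - error ensuring pod: : error creating new pod: "
    'localstorage-operator-manifests-: pods "localstorage-operator-manifests-ts4np" is forbidden: '
    'violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false '
    '(container "registry-server" must set securityContext.allowPrivilegeEscalation=false), '
    'unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), '
    'runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), '
    'seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type '
    'to "RuntimeDefault" or "Localhost")'
)

if __name__ == "__main__":
    profile, checks = parse_pod_security_message(SAMPLE_MESSAGE)
    print(profile, [check for check, _ in checks])
    print("failing spec:", restricted_violations(FAILING_POD_SPEC))
    print("hardened spec:", restricted_violations(HARDENED_POD_SPEC))
```

The pre-flight mirrors the admission controller's reasoning only for the controls in the message, so a clean result here means those four reasons will not appear, not that the namespace's enforce level will accept the pod. For a pod generated by another controller (as OLM generates the registry pod here), the fix belongs in the namespace's Pod Security labels or in the generating controller rather than in a manifest you apply yourself.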

              People: Maxim Patlasov (rh-ee-mpatlaso), Chao Yang