OCPBUGS-13584

Scorecard failed because of the request of PodSecurity

Details

    • Bug
    • Resolution: Done
    • Critical
    • 4.13.0
    • 4.12.0
    • Operator SDK
    • Critical
    • OSDK 232, OPECO 233
    • 2
    • Rejected
    • False
    • NA
    • Release Note Not Required

    Description

      Description of problem:

      operator sdk scorecard test failed because of the request of PodSecurity

      Version-Release number of selected component (if applicable):

      operator-sdk version: "v1.22.0-ocp", commit: "9a16a5cb237880ee540f89d7768d93a3e4e1635e", kubernetes version: "v1.24.1", go version: "go1.18.1", GOOS: "linux", GOARCH: "amd64"
      
      cluster version: 4.12.0-0.nightly-2022-09-07-112008
      

      How reproducible:

      always

      Steps to Reproduce:

      1. generate one operator and bundle
      2. operator-sdk init --plugins=ansible --domain example.com
      3. operator-sdk create api --group cache --version v1alpha1 --kind Memcached --generate-role
      4. make bundle
      5. scorecard test the operator bundle
         operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test
       

      Actual results:

      operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test
      --------------------------------------------------------------------------------
      Image:      quay.io/operator-framework/scorecard-test:v1.20.0
      Entrypoint: [scorecard-test olm-bundle-validation]
      Labels:
          "suite":"olm"
          "test":"olm-bundle-validation-test"
      Results:
          State: fail
          Errors:
              pods "scorecard-test-pgqs" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "scorecard-untar", "scorecard-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "scorecard-untar", "scorecard-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Expected results:

      operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test
      --------------------------------------------------------------------------------
      Image:      quay.io/operator-framework/scorecard-test:v1.20.0
      Entrypoint: [scorecard-test olm-bundle-validation]
      Labels:
          "suite":"olm"
          "test":"olm-bundle-validation-test"
      Results:
          State: Success

      Additional info:

       

            People

              rh-ee-bpalmer Bryce Palmer
              rhn-support-jfan Jia Fan
              Keenon Lee Keenon Lee
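
The PodSecurity error in the description names four settings. The following added example (not part of the original report and not operator-sdk code) is a simplified Python model of those checks, showing which fields must be set on every container and which can be inherited from the pod. The pod dictionaries are constructed: only the container names come from the error message, and placing scorecard-untar as an init container is an assumption.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Map each container name to the checks from the error message that it fails.

    Simplified model of the four checks, not the admission controller's code.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    report = {}
    # Init containers are held to the same rules as regular containers.
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        failed = []
        # Container-only fields: there is no pod-level setting to inherit.
        if sc.get("allowPrivilegeEscalation") is not False:
            failed.append("allowPrivilegeEscalation")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            failed.append("capabilities.drop")
        # "pod or containers" fields: an unset container value falls back to the pod's.
        if sc.get("runAsNonRoot", pod_nonroot) is not True:
            failed.append("runAsNonRoot")
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            failed.append("seccompProfile")
        if failed:
            report[c["name"]] = failed
    return report

def hardened(container):
    """Return a copy of a container with the two container-only fields set."""
    sc = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
    return {**container, "securityContext": sc}

# Constructed sample: names come from the error message, everything else is assumed.
BARE_POD = {
    "initContainers": [{"name": "scorecard-untar"}],
    "containers": [{"name": "scorecard-test"}],
}
FIXED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [hardened(c) for c in BARE_POD["initContainers"]],
    "containers": [hardened(c) for c in BARE_POD["containers"]],
}

if __name__ == "__main__":
    print(restricted_violations(BARE_POD))
    print(restricted_violations(FIXED_POD))
```

Setting only the pod-level securityContext still leaves allowPrivilegeEscalation and capabilities.drop failing on every container, because those two fields exist only at container level.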