  1. OpenShift Bugs
  2. OCPBUGS-1666

'run bundle' failed because of the request of PodSecurity


    • Bug
    • Resolution: Done
    • Critical
    • 4.12.0
    • 4.12.0
    • Operator SDK
    • None
    • Critical
    • None
    • OSDK Sprint 225, OSDK Sprint 226
    • 2
    • Rejected
    • False

      Description of problem:

      operator sdk run bundle test failed because of the request of PodSecurity

      Version-Release number of selected component (if applicable):

      operator-sdk version: "v1.22.1", commit: "46ab175459a775d2fb9f0454d0b4a8850dd745ed", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "darwin", GOARCH: "arm64" 
      Client Version: 4.11.0-0.nightly-2022-07-28-162203
      Kustomize Version: v4.5.4
      Server Version: 4.12.0-0.nightly-2022-08-30-142847
      Kubernetes Version: v1.24.0+a097e26

      How reproducible:

      always

      Steps to Reproduce:

      jitli@RedHat:~/work/src/github/openshift-tests-private$ oc new-project jitli
      jitli@RedHat:~/work/src/test/operator/memcached-operator-31219$ operator-sdk run bundle quay.io/olmqe/upgradeindex-bundle:v0.1 --index-image quay.io/olmqe/largefbcindexwithupgradefbc:v4.11 --timeout 5m -n jitli
      INFO[0021] Creating a File-Based Catalog of the bundle "quay.io/olmqe/upgradeindex-bundle:v0.1" 
      INFO[0027] Rendering a File-Based Catalog of the Index Image "quay.io/olmqe/largefbcindexwithupgradefbc:v4.11" to verify if bundle "upgradeindex.v0.0.1" is present 
      INFO[0048] Generated the extra FBC for the bundle image "upgradeindex.v0.0.1" 
      INFO[0048] Generated a valid File-Based Catalog         
      FATA[0051] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-olmqe-upgradeindex-bundle-v0-1" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-grpc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-grpc" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") 

       

      jitli@RedHat:~/work/src/test/operator$ oc project default
      Now using project "default" on server "https://api.qe-daily1-412-0914.qe.azure.devcluster.openshift.com:6443".
      jitli@RedHat:~/work/src/test/operator$ operator-sdk run bundle quay.io/olmqe/upgradeindex-bundle:v0.1 --index-image quay.io/olmqe/largefbcindexwithupgradefbc:v4.11 --timeout 5m
      INFO[0037] Creating a File-Based Catalog of the bundle "quay.io/olmqe/upgradeindex-bundle:v0.1" 
      INFO[0044] Rendering a File-Based Catalog of the Index Image "quay.io/olmqe/largefbcindexwithupgradefbc:v4.11" to verify if bundle "upgradeindex.v0.0.1" is present 
      INFO[0066] Generated the extra FBC for the bundle image "upgradeindex.v0.0.1" 
      INFO[0066] Generated a valid File-Based Catalog         
      FATA[0068] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-olmqe-upgradeindex-bundle-v0-1" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-grpc" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"

      Actual results:

      INFO[0037] Creating a File-Based Catalog of the bundle "quay.io/olmqe/upgradeindex-bundle:v0.1"
      INFO[0044] Rendering a File-Based Catalog of the Index Image "quay.io/olmqe/largefbcindexwithupgradefbc:v4.11" to verify if bundle "upgradeindex.v0.0.1" is present
      INFO[0066] Generated the extra FBC for the bundle image "upgradeindex.v0.0.1"
      INFO[0066] Generated a valid File-Based Catalog
      FATA[0068] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-olmqe-upgradeindex-bundle-v0-1" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-grpc" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Expected results:

      OLM has successfully installed

      Additional info:

       

              rhn-engineering-jesusr Jesus Rodriguez (Inactive)
              rhn-support-jitli Keenon Lee
              Keenon Lee Keenon Lee
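
The four violations in the FATA line above, as an added example (not operator-sdk or Kubernetes code): a simplified Go check of just those fields, showing that allowPrivilegeEscalation and capabilities.drop must be set on the container itself, while runAsNonRoot and seccompProfile may be inherited from the pod. `SecCtx`, `ptr` and `Violations` are hypothetical names, and the real "restricted" profile enforces more than these four checks.

```go
package main

import "fmt"

// SecCtx is a stand-in for the securityContext fields named in the error
// (hypothetical type for this example, not k8s.io/api/core/v1).
type SecCtx struct {
	AllowPrivilegeEscalation *bool    // container level only
	DropCaps                 []string // container level only
	RunAsNonRoot             *bool    // pod or container level
	SeccompType              string   // pod or container level
}

func ptr(b bool) *bool { return &b }

// Violations lists which of the four checks from the log a container fails,
// given its own securityContext and the pod-level one it inherits from.
func Violations(pod, ctr SecCtx) (out []string) {
	if ctr.AllowPrivilegeEscalation == nil || *ctr.AllowPrivilegeEscalation {
		out = append(out, "allowPrivilegeEscalation != false")
	}
	dropsAll := false
	for _, c := range ctr.DropCaps {
		dropsAll = dropsAll || c == "ALL"
	}
	if !dropsAll {
		out = append(out, "unrestricted capabilities")
	}
	nonRoot, seccomp := ctr.RunAsNonRoot, ctr.SeccompType
	if nonRoot == nil { // unset on the container: the pod-level value applies
		nonRoot = pod.RunAsNonRoot
	}
	if nonRoot == nil || !*nonRoot {
		out = append(out, "runAsNonRoot != true")
	}
	if seccomp == "" {
		seccomp = pod.SeccompType
	}
	if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
		out = append(out, "seccompProfile")
	}
	return out
}

func main() {
	// Constructed inputs: a container with no securityContext, then a compliant one.
	fmt.Println(Violations(SecCtx{}, SecCtx{}))
	ok := SecCtx{AllowPrivilegeEscalation: ptr(false), DropCaps: []string{"ALL"}}
	fmt.Println(Violations(SecCtx{RunAsNonRoot: ptr(true), SeccompType: "RuntimeDefault"}, ok))
}
```

A container with no securityContext at all fails all four checks, which matches the list reported for "registry-grpc".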