- Bug
- Resolution: Done
- Normal
- None
- 4.12
- None
- Moderate
- None
- Rejected
- False
Description of problem:
Pod creation failed with the 4.12 ec4 build.
Version-Release number of selected component (if applicable):
Operating System: Red Hat Enterprise Linux CoreOS 412.86.202210042057-0 (Ootpa)
How reproducible:
Try scheduling the mentioned pod on an OCP cluster running the 4.12 ec4 build.
Steps to Reproduce:
1. Refer to this document: https://docs.openshift.com/container-platform/4.11/networking/using-sctp.html#nw-sctp-verifying_using-sctp
2. Load the load-sctp-module.yaml
3. Create the pod with sctp-server.yaml
Actual results:
[root@bastion sctp]# oc create -f sctp-server.yaml
Error from server (Forbidden): error when creating "sctp-server.yaml": pods "sctpserver" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Expected results:
The pod should be created successfully.
Additional info:
Note: FYI, I tried doing the same on a 4.11 build; it was successful, with the same warning:
[root@api.testocp.cp.fyre.ibm.com chidu]# oc create -f sctp-server.yaml
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/sctpserver created
- relates to
- AUTH-262 Pod Security Admission Integration - Restricted Enforcement
- In Progress
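
The four checks named in the rejection message above, sketched as a pre-flight check on a pod spec. This is an added example, not part of the original report and not Kubernetes or OpenShift admission code. It is simplified to cover only those four checks, and the sample pods and the image name are constructed placeholders.

```python
# Added example: simplified version of the four "restricted" checks quoted in
# the error message. Not the real Pod Security Admission implementation.

def restricted_violations(pod):
    """Return (container, violation) pairs for a pod spec given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    found = []
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Must be explicitly false; an unset field counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((name, "allowPrivilegeEscalation != false"))
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            found.append((name, "unrestricted capabilities"))
        # Pod or container level; a container-level value overrides the pod's.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            found.append((name, "runAsNonRoot != true"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append((name, "seccompProfile"))
    return found

# Constructed sample: a pod with no securityContext at all.
BARE_POD = {
    "metadata": {"name": "sctpserver"},
    "spec": {"containers": [{"name": "sctpserver", "image": "example.invalid/image"}]},
}

# Constructed sample: the same pod with the settings the message asks for.
HARDENED_POD = {
    "metadata": {"name": "sctpserver"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "sctpserver",
            "image": "example.invalid/image",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("bare", BARE_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod))
```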