- Bug
- Resolution: Won't Do
- Normal
- None
- 4.15
- Moderate
- No
- False
Description of problem:
I am using microshift.x86_64 (4.15.0~rc.3-202401192017.p0.g0bc5f95.assembly.rc.3.el9) with microshift-olm.x86_64 (4.15.0~rc.3-202401192017.p0.g0bc5f95.assembly.rc.3.el9).
I know we want customers to build their own custom catalogs for MicroShift. Still, I felt adventurous today and tried to add the community catalog from operatorhub.io by adding this catalog source to
kind: CatalogSource
apiVersion: operators.coreos.com/v1alpha1
metadata:
  name: operatorhubio-catalog
  namespace: openshift-operator-lifecycle-manager
spec:
  sourceType: grpc
  image: quay.io/operatorhubio/catalog:latest
  displayName: Community Operators
  publisher: OperatorHub.io
But that does not work out. The catalog operator fails to start the pod. Inside the catalog operator pod I see:
E0123 13:53:13.083761 1 queueinformer_operator.go:319] sync {"update" "openshift-operator-lifecycle-manager/operatorhubio-catalog"} failed: couldn't ensure registry server - error ensuring pod: : error creating new pod: operatorhubio-catalog-: pods "operatorhubio-catalog-4mmsf" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
That's a typical pod security admission (PSA) problem.
MicroShift is already in ‘enforcing’ mode, while OpenShift is only ‘reporting’.
So this will turn into a problem with OpenShift once OpenShift switches to enforcing, too.
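The admission error above lists exactly four requirements of the PodSecurity "restricted:v1.24" profile that the registry-server container fails. The following checker is an added example, not part of this bug report, MicroShift or OLM; it evaluates a pod manifest (given as a plain Python dict, the way `kubectl get pod -o json` would hand it back) against those four checks only, not the full restricted profile, and shows a hardened counterpart that passes. The `CATALOG_POD` manifest is constructed to mirror the error message and is an assumption about what the catalog operator generates, not captured output.

```python
import copy

# The two seccompProfile types the restricted profile accepts.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _effective(container_ctx, pod_ctx, key):
    """Container-level securityContext wins over pod-level for the same key."""
    if key in container_ctx:
        return container_ctx[key]
    return pod_ctx.get(key)


def restricted_violations(pod):
    """Return the subset of restricted:v1.24 violations named in the OLM error.

    Only four rules are checked (allowPrivilegeEscalation, capabilities.drop,
    runAsNonRoot, seccompProfile); the real profile also carries the baseline
    rules (hostPath, host namespaces, privileged, ...), which are out of scope here.
    """
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        # Must be set explicitly to false on every container (no pod-level default).
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        # Every container must drop ALL capabilities (container-level only).
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            violations.append(
                f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        # These two may be satisfied at pod level or overridden per container.
        if _effective(ctx, pod_ctx, "runAsNonRoot") is not True:
            violations.append(
                f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = _effective(ctx, pod_ctx, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(
                f'pod or container "{name}" must set securityContext.seccompProfile.type '
                'to "RuntimeDefault" or "Localhost"')
    return violations


def harden(pod):
    """Return a copy of the pod with the four settings the restricted profile demands."""
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    pod_ctx = spec.setdefault("securityContext", {})
    pod_ctx["runAsNonRoot"] = True
    pod_ctx["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.setdefault("securityContext", {})
        ctx["allowPrivilegeEscalation"] = False
        ctx.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


# Constructed manifest (assumption): a catalog registry pod with no securityContext,
# which is what the error message in the report implies the operator submitted.
CATALOG_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "operatorhubio-catalog-4mmsf",
                 "namespace": "openshift-operator-lifecycle-manager"},
    "spec": {
        "containers": [{
            "name": "registry-server",
            "image": "quay.io/operatorhubio/catalog:latest",
            "ports": [{"containerPort": 50051, "name": "grpc"}],
        }],
    },
}

if __name__ == "__main__":
    for v in restricted_violations(CATALOG_POD):
        print("violation:", v)
    print("after hardening:", restricted_violations(harden(CATALOG_POD)) or "no violations")
```

Running the block against `CATALOG_POD` reproduces the four findings from the admission error one-to-one, and `harden()` clears all of them; the checker is useful as a pre-flight test for a custom catalog image's pod template before deploying to a cluster that enforces the restricted profile. In this bug the pod template is generated by the catalog operator rather than written by the user, which is why the fix cannot simply be applied to the CatalogSource YAML.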