OpenShift Bugs: OCPBUGS-29729

OLM - Set default CatalogSource pod SecurityContext as `restricted`


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Major
    • None
    • 4.15
    • OLM
    • Important
    • No
    • Phlogiston 250, Quality OLM Sprint 251, Rasputin OLM Sprint 252, Sassy OLM Sprint 253, Toasty OLM Sprint 254, Veritas OLM Sprint 256
    • 6
    • Rejected
    • False
    • * Previously, if the `spec.grpcPodConfig.securityContextConfig` field in `CatalogSource` objects was unset within namespaces with a `PodSecurityAdmission` (PSA) level value of `restricted`, the catalog pod would not pass PSA validation. With this release, the OLM Catalog Operator now configures the catalog pod with the `securityContexts` necessary to pass PSA validation. (link:https://issues.redhat.com/browse/OCPBUGS-29729[*OCPBUGS-29729*])
    • Bug Fix
    • In Progress

      Description of problem:

      With the introduction of Pod Security Admission (PSA), the recommended best practice is to enforce the `restricted` admission policy.
      
      However, if the user creates the CatalogSource in a namespace running with the `restricted` policy, the CatalogSource Pod fails to be created.
      
      This is because when `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource, OLM treats the default as `legacy`, which means the catalog pod is rendered WITHOUT the `restricted` securityContext, so the pod is rejected by PSA and never runs.
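To make the failure mode concrete, here is an added example (not OLM's code and not part of the original report) that evaluates the four PodSecurity `restricted` rules quoted in the error below against two constructed pod specs: one with no securityContext at all, standing in for the catalog pod OLM renders under the `legacy` default, and one carrying the settings the error message asks for, standing in for what `securityContextConfig: restricted` produces. The image reference and the container layout are assumptions; the checker covers only these four rules, not the whole PSA `restricted` profile.

```python
"""Evaluate the four PSA "restricted" rules named in the OLM error message.

Constructed example: the pod specs below are stand-ins for the catalog pod,
not the object OLM actually renders.
"""
from typing import Any, Dict, List

# seccompProfile.type values accepted by the restricted profile
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations for a pod spec.

    An empty list means the pod would be admitted by these four rules.
    Container-level settings override pod-level ones, as in PSA.
    """
    pod_sc = pod.get("securityContext") or {}
    violations: List[str] = []
    for container in pod.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext") or {}

        # Rule 1: privilege escalation must be explicitly disabled per container
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}")')

        # Rule 2: all capabilities must be dropped per container
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            violations.append(f'unrestricted capabilities (container "{name}")')

        # Rule 3: runAsNonRoot=true at pod or container level
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f'runAsNonRoot != true (container "{name}")')

        # Rule 4: seccompProfile.type RuntimeDefault/Localhost at pod or container level
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") not in ALLOWED_SECCOMP:
            violations.append(f'seccompProfile (container "{name}")')
    return violations


# Constructed stand-in for the "legacy" default: no securityContext at all.
LEGACY_POD: Dict[str, Any] = {
    "containers": [
        {"name": "registry-server", "image": "quay.io/example/catalog:placeholder"},
    ],
}

# Constructed stand-in for a pod rendered with securityContextConfig: restricted.
RESTRICTED_POD: Dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "registry-server",
            "image": "quay.io/example/catalog:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}


if __name__ == "__main__":
    for label, pod in (("legacy", LEGACY_POD), ("restricted", RESTRICTED_POD)):
        found = restricted_violations(pod)
        verdict = "admitted" if not found else "forbidden: " + "; ".join(found)
        print(f"{label}: {verdict}")
```

Run stand-alone, the `legacy` spec reports the same four violations the catalog pod hits in the error output below, and the `restricted` spec reports none. Until OLM defaults to the restricted rendering, setting `spec.grpcPodConfig.securityContextConfig: restricted` on the CatalogSource is the field the description points at for getting the second shape instead of the first.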

      Version-Release number of selected component (if applicable):

      4.15

      How reproducible:

      100%

      Steps to Reproduce:

      1. On an OCP 4.15 cluster, create a custom CatalogSource object without `.spec.grpcPodConfig.securityContextConfig` being specified
      
      2. Check whether the CatalogSource Pod started successfully without errors.

      Actual results:

      1. The CatalogSource Pod fails to be created with an error like:
      status:
        message: >-
          couldn't ensure registry server - error ensuring pod: : error creating new
          pod: foobar-: pods "foobar-6ttkb" is forbidden:
          violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false
          (container "registry-server" must set
          securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
          (container "registry-server" must set
          securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
          container "registry-server" must set securityContext.runAsNonRoot=true),
          seccompProfile (pod or container "registry-server" must set
          securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        reason: RegistryServerError

      Expected results:

      The CatalogSource Pod starts successfully by default, without having to specify `.spec.grpcPodConfig.securityContextConfig` as `restricted`

      Additional info:

      pegoncal@redhat.com Per Goncalves da Silva
      rhn-coreos-tunwu Tony Wu
      Jian Zhang Jian Zhang
      Alex Dellapenta Alex Dellapenta
      Votes: 0
      Watchers: 10