OpenShift Bugs: OCPBUGS-29729

OLM - Set default CatalogSource pod SecurityContext as `restricted`


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • None
    • Affects Version/s: 4.15
    • Component/s: OLM
    • No
    • Sprint: Phlogiston 250, Quality OLM Sprint 251, Rasputin OLM Sprint 252, Sassy OLM Sprint 253
    • 4
    • Rejected
    • False

    Description

      Description of problem:

      With the introduction of Pod Security Admission, the recommended best practice is to enforce the `restricted` admission policy.
      
      However, if the user creates the CatalogSource in a namespace that enforces the `restricted` policy, the CatalogSource pod fails to be created.
      
      This is because when `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource, OLM treats the default as `legacy`. The catalog pod is therefore created without the `restricted` securityContext fields, is rejected by admission, and never runs.

      Version-Release number of selected component (if applicable):

      4.15

      How reproducible:

      100%

      Steps to Reproduce:

      1. On an OCP 4.15 cluster, create a custom CatalogSource object without `.spec.grpcPodConfig.securityContextConfig` specified.
      
      2. Check whether the CatalogSource pod started successfully without errors.

      Actual results:

      1. The CatalogSource pod fails to be created with an error like:
      status:
        message: >-
          couldn't ensure registry server - error ensuring pod: : error creating new
          pod: foobar-: pods "foobar-6ttkb" is forbidden:
          violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false
          (container "registry-server" must set
          securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
          (container "registry-server" must set
          securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
          container "registry-server" must set securityContext.runAsNonRoot=true),
          seccompProfile (pod or container "registry-server" must set
          securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        reason: RegistryServerError
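      The following script is an added illustration of the failure above; it is not OLM or Kubernetes code. It models the two CatalogSource manifests (one with `.spec.grpcPodConfig.securityContextConfig` unset, one set to `restricted`), applies the `legacy` default the report describes, builds a constructed approximation of the registry-server pod spec for each, and runs the four `restricted:v1.24` checks quoted in the admission error. The pod specs, the manifests and the image name are constructed for the example; the checker covers only those four checks, not the full Pod Security Standards.

```python
"""Why an unset securityContextConfig trips the restricted PSA profile.

Added illustration for this bug; not OLM or Kubernetes code. The pod specs are
a constructed approximation: the "restricted" variant sets exactly the fields
the admission error in this report lists, the "legacy" variant sets none of
them. The checker implements only the four restricted:v1.24 checks quoted in
that error, not the full Pod Security Standards.
"""
from typing import Dict, List

# Assumed default when .spec.grpcPodConfig.securityContextConfig is absent
# (this is the behaviour the bug report describes).
DEFAULT_SECURITY_CONTEXT_CONFIG = "legacy"

# Constructed manifests. The first reproduces the bug (field unset); the second
# sets the value the report says is currently required. Image is a placeholder.
CATALOG_SOURCE_UNSET = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "CatalogSource",
    "metadata": {"name": "foobar", "namespace": "restricted-ns"},
    "spec": {"sourceType": "grpc", "image": "quay.io/example/catalog:latest"},
}
CATALOG_SOURCE_RESTRICTED = {
    **CATALOG_SOURCE_UNSET,
    "spec": {**CATALOG_SOURCE_UNSET["spec"],
             "grpcPodConfig": {"securityContextConfig": "restricted"}},
}


def effective_config(catalog_source: Dict) -> str:
    """securityContextConfig OLM acts on, applying the assumed default."""
    return (catalog_source.get("spec", {})
            .get("grpcPodConfig", {})
            .get("securityContextConfig", DEFAULT_SECURITY_CONTEXT_CONFIG))


def registry_pod_spec(config: str) -> Dict:
    """Constructed registry-server pod spec for a given securityContextConfig."""
    container = {"name": "registry-server", "image": "quay.io/example/catalog:latest"}
    pod: Dict = {"containers": [container]}
    if config == "restricted":
        pod["securityContext"] = {"runAsNonRoot": True,
                                  "seccompProfile": {"type": "RuntimeDefault"}}
        container["securityContext"] = {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}
    return pod


def restricted_violations(pod: Dict) -> List[str]:
    """Subset of PSA restricted:v1.24 checks named in the admission error.

    runAsNonRoot and seccompProfile may be satisfied at pod level and
    overridden per container; the other two must be set on every container.
    """
    pod_sc = pod.get("securityContext", {})
    violations: List[str] = []
    for c in pod["containers"]:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}" '
                              'must set securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f'unrestricted capabilities (container "{name}" '
                              'must set securityContext.capabilities.drop=["ALL"])')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}" '
                              'must set securityContext.runAsNonRoot=true)')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}" must set '
                              'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


def admitted_under_restricted(catalog_source: Dict) -> bool:
    """True if the pod built for this CatalogSource passes the checks above."""
    return not restricted_violations(registry_pod_spec(effective_config(catalog_source)))


if __name__ == "__main__":
    for cs in (CATALOG_SOURCE_UNSET, CATALOG_SOURCE_RESTRICTED):
        cfg = effective_config(cs)
        problems = restricted_violations(registry_pod_spec(cfg))
        print(f"securityContextConfig={cfg}: "
              + ("admitted" if not problems else "forbidden: " + ", ".join(problems)))
```

      Running it prints the four violations for the unset manifest, in the same order the admission error lists them, and "admitted" for the manifest that sets `securityContextConfig: restricted`. The real admission controller applies further `restricted` checks (privileged, host namespaces, volume types, and so on) that this model omits, so a pod passing here is necessary but not sufficient for admission.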

      Expected results:

      The CatalogSource pod starts successfully by default, without the user having to set `.spec.grpcPodConfig.securityContextConfig` to `restricted`.

      Additional info:

          

      People

        pegoncal@redhat.com Per Goncalves da Silva
        rhn-coreos-tunwu Tony Wu
        Jian Zhang Jian Zhang