OpenShift Bugs / OCPBUGS-29847

Pod security of openshift-marketplace namespace is too restrictive (should be "baseline")


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.16.0
    • 4.15.z, 4.16
    • MicroShift
    • None
    • No
    • 2
    • uShift Sprint 250
    • 1
    • False
    • Release Note Not Required

      Description of problem:

      The microshift-olm RPM ships the openshift-marketplace namespace with "restricted" security, which is different from OpenShift's setting.
      The result is that a CatalogSource created by oc-mirror won't work as is: either the namespace's security needs to be changed to "baseline" or "privileged", or the CatalogSource needs to be edited to include the following:
      
      spec:
        grpcPodConfig:
          securityContextConfig: restricted
      
      MicroShift: https://github.com/openshift/microshift/blob/main/assets/optional/operator-lifecycle-manager/0000_50_olm_00-namespace.yaml#L39
      
      OpenShift: https://github.com/operator-framework/operator-marketplace/blob/master/manifests/01_namespace.yaml#L13
          

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

      1. Mirror catalog/operators using oc-mirror
      2. Apply generated CatalogSource
      

      Actual results:

      Pod for Catalog is not created because of the security (it can be observed in CatalogSource's status).

      Expected results:

      Catalog's Pod runs

      Additional info:

      Gdoc draft of OLM's offline/disconnected: https://docs.google.com/document/d/1H7no37mFLLlSo4HVa2zKgWiPLD-j1EarajlHMmGXUds/edit
          

              pmatusza@redhat.com Patryk Matuszak
              pmatusza@redhat.com Patryk Matuszak
              Douglas Hensel Douglas Hensel
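
The two remedies named in the report, written out as complete manifests. This is an added example, not part of the original report or of the MicroShift or OLM repositories; the CatalogSource name and image are placeholders, and it assumes the namespace's level is set with the standard `pod-security.kubernetes.io/enforce` Pod Security Admission label.

```yaml
# Option 1: leave the namespace at "restricted" and make the catalog pod
# comply with it. Everything else in the namespace stays under the
# stricter policy.
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: example-mirrored-catalog          # hypothetical name
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: registry.example.com/mirror/catalog-index:placeholder  # placeholder image
  grpcPodConfig:
    securityContextConfig: restricted     # the edit quoted in the report
---
# Option 2: relax the namespace to "baseline", matching the OpenShift
# setting the report links to. CatalogSources generated by oc-mirror can
# then be applied unmodified, at the cost of a weaker policy for every
# pod in the namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-marketplace
  labels:
    pod-security.kubernetes.io/enforce: baseline
```

Apply only one of the two options; with either in place, the CatalogSource's status should no longer report the pod as rejected.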