OpenShift Bugs: OCPBUGS-29847

Pod security of openshift-marketplace namespace is too restrictive (should be "baseline")


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version: 4.16.0
    • Affects Versions: 4.15.z, 4.16
    • Component: MicroShift
    • Sprint: uShift Sprint 250
    • Release Note Text:
      *Cause*: The microshift-olm RPM ships the openshift-marketplace namespace with the "restricted" pod security profile, so the problem occurs always.
      *Consequence*: Some catalogs could not be deployed to openshift-marketplace if they did not specify securityContextConfig in their spec. One example is the CatalogSource spec produced by oc-mirror.
      *Fix*: Changed the pod security of the openshift-marketplace namespace from "restricted" to "baseline".
      *Result*: A CatalogSource produced by oc-mirror can be deployed without changes to the spec or the namespace. The setting now matches OpenShift's.
    • Release Note Type: Bug Fix
    • Status: In Progress

      Description of problem:

      The microshift-olm RPM ships the openshift-marketplace namespace with the "restricted" pod security profile (the pod-security.kubernetes.io/enforce label), which differs from OpenShift's setting ("baseline").
      The result is that a CatalogSource created by oc-mirror does not work as is: either the namespace's pod security level needs to be changed to "baseline" or "privileged", or the CatalogSource needs to be edited to include the following, which makes OLM create the catalog pod with a securityContext that passes "restricted" admission:
      
      spec:
        grpcPodConfig:
          securityContextConfig: restricted
      
      MicroShift: https://github.com/openshift/microshift/blob/main/assets/optional/operator-lifecycle-manager/0000_50_olm_00-namespace.yaml#L39
      
      OpenShift: https://github.com/operator-framework/operator-marketplace/blob/master/manifests/01_namespace.yaml#L13
          

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

      1. Mirror the catalog/operators using oc-mirror
      2. Apply the generated CatalogSource
      

      Actual results:

      The catalog's pod is not created because pod security admission rejects it (this can be observed in the CatalogSource's status).

      Expected results:

      The catalog's pod runs.
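      A preflight check for the situation above, as an added example that is not MicroShift, OLM or oc-mirror code: it takes the JSON form of the namespace and the CatalogSource (what `oc get ns openshift-marketplace -o json` and `oc get catalogsource <name> -n openshift-marketplace -o json` print), models the namespace's Pod Security Admission enforce level against what the catalog pod OLM generates complies with, and emits the JSON merge patch for whichever remedy from the report you pick. The two embedded documents are constructed for the example (the mirror registry host is hypothetical), and treating an unset securityContextConfig as "legacy" is an assumption that matches the failure the report describes.

```python
"""Preflight: will OLM's catalog pod for a CatalogSource be admitted into a namespace,
given that namespace's Pod Security Admission (PSA) enforce label?
Added example for OCPBUGS-29847; not MicroShift, OLM or oc-mirror code."""
import json

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Pod Security Standards profiles, least to most restrictive.
PSA_LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
# Strictest profile the generated catalog pod still satisfies, per securityContextConfig:
# "restricted" hardens the pod (non-root, no privilege escalation, all capabilities
# dropped, seccomp RuntimeDefault); "legacy" omits that, which baseline tolerates
# but restricted rejects.
CATALOG_POD_COMPLIANCE = {"legacy": "baseline", "restricted": "restricted"}
# Assumption for this example: an unset field behaves like "legacy", the failure
# mode the report describes (catalogs without the field rejected under restricted).
DEFAULT_SECURITY_CONFIG = "legacy"

# Constructed sample: the namespace as shipped by the microshift-olm RPM.
MICROSHIFT_NAMESPACE = {
    "apiVersion": "v1", "kind": "Namespace",
    "metadata": {"name": "openshift-marketplace",
                 "labels": {PSA_ENFORCE_LABEL: "restricted"}},
}
# Constructed sample: a CatalogSource in the shape oc-mirror emits (no grpcPodConfig);
# the registry host is hypothetical.
OC_MIRROR_CATALOGSOURCE = {
    "apiVersion": "operators.coreos.com/v1alpha1", "kind": "CatalogSource",
    "metadata": {"name": "redhat-operator-index", "namespace": "openshift-marketplace"},
    "spec": {"sourceType": "grpc",
             "image": "mirror.example.com:8443/redhat/redhat-operator-index:v4.15"},
}


def namespace_enforce_level(namespace):
    """Enforced PSA profile of a Namespace document. No enforce label means nothing
    is enforced, which PSA treats as the privileged profile."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    level = labels.get(PSA_ENFORCE_LABEL, "privileged")
    if level not in PSA_LEVELS:
        raise ValueError("unknown PSA level %r on namespace" % level)
    return level


def catalog_security_config(catalogsource):
    """spec.grpcPodConfig.securityContextConfig, defaulting to legacy when absent."""
    grpc = (catalogsource.get("spec") or {}).get("grpcPodConfig") or {}
    config = grpc.get("securityContextConfig", DEFAULT_SECURITY_CONFIG)
    if config not in CATALOG_POD_COMPLIANCE:
        raise ValueError("unknown securityContextConfig %r" % config)
    return config


def catalog_pod_admitted(namespace, catalogsource):
    """True when the generated catalog pod satisfies the namespace's enforced profile."""
    required = PSA_LEVELS[namespace_enforce_level(namespace)]
    provided = PSA_LEVELS[CATALOG_POD_COMPLIANCE[catalog_security_config(catalogsource)]]
    return provided >= required


def catalogsource_patch():
    """Merge patch for the report's workaround: pin the catalog pod to restricted.
    Apply with: oc patch catalogsource <name> -n openshift-marketplace --type merge -p '<json>'"""
    return {"spec": {"grpcPodConfig": {"securityContextConfig": "restricted"}}}


def namespace_patch(level="baseline"):
    """Merge patch for the report's fix: relax the namespace's enforce label.
    Apply with: oc patch ns openshift-marketplace --type merge -p '<json>'"""
    if level not in PSA_LEVELS:
        raise ValueError("unknown PSA level %r" % level)
    return {"metadata": {"labels": {PSA_ENFORCE_LABEL: level}}}


def merge_patch(doc, patch):
    """Apply a JSON merge patch (RFC 7386, minus null-deletes) without mutating doc."""
    out = json.loads(json.dumps(doc))
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_patch(out[key], value)
        else:
            out[key] = value
    return out


def report(namespace, catalogsource):
    """(verdict, patch): patch is the CatalogSource merge patch when the pod is rejected."""
    enforced = namespace_enforce_level(namespace)
    if catalog_pod_admitted(namespace, catalogsource):
        return "admitted: catalog pod satisfies %s" % enforced, None
    met = CATALOG_POD_COMPLIANCE[catalog_security_config(catalogsource)]
    return "rejected: namespace enforces %s, catalog pod only meets %s" % (enforced, met), \
        catalogsource_patch()


if __name__ == "__main__":
    verdict, patch = report(MICROSHIFT_NAMESPACE, OC_MIRROR_CATALOGSOURCE)
    print(verdict)
    if patch:
        meta = OC_MIRROR_CATALOGSOURCE["metadata"]
        print("oc patch catalogsource %s -n %s --type merge -p '%s'"
              % (meta["name"], meta["namespace"], json.dumps(patch)))
    # The report's actual fix relaxes the namespace instead; both paths admit the pod.
    print(report(merge_patch(MICROSHIFT_NAMESPACE, namespace_patch()), OC_MIRROR_CATALOGSOURCE)[0])
```

      Of the two remedies, pinning the CatalogSource to "restricted" is the tighter one: it keeps the namespace's enforce label as shipped and hardens only the catalog pod. Relaxing the namespace to "baseline" (the fix adopted here, and what OpenShift ships) admits any pod that avoids the privileged-profile features (host namespaces, privileged containers, hostPath, and similar) but no longer requires the restricted profile's controls (running as non-root, dropping all capabilities, a seccomp profile) for anything else scheduled into openshift-marketplace.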

      Additional info:

      Google Doc draft of the OLM offline/disconnected documentation: https://docs.google.com/document/d/1H7no37mFLLlSo4HVa2zKgWiPLD-j1EarajlHMmGXUds/edit
          

            People: Patryk Matuszak (pmatusza@redhat.com), Douglas Hensel
            Votes: 0
            Watchers: 5