OCPBUGS-30034

[release-4.15] Pod security of openshift-marketplace namespace is too restrictive (should be "baseline")


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.15.z
    • 4.15.z, 4.16
    • MicroShift
    • None
    • No
    • 2
    • uShift Sprint 250
    • 1
    • False
    • With this release, the `openshift-marketplace` pod security admission definition defaults to `baseline`. See the OLM documentation for specifics on how this change impacts your operator deployments. See xref:../microshift_running_apps/microshift-operators-olm.adoc#microshift-operators-olm[Using Operator Lifecycle Manager with {microshift-short}].
    • Enhancement
    • In Progress

      This is a clone of issue OCPBUGS-29847. The following is the description of the original issue:

      Description of problem:

      The microshift-olm RPM ships the openshift-marketplace namespace with "restricted" security, which is different from OpenShift's setting.
      The result is that a CatalogSource created by oc-mirror won't work as is: either the namespace's security needs to be changed to "baseline" or "privileged", or the CatalogSource needs to be edited to include the following:
      
      spec:
        grpcPodConfig:
          securityContextConfig: restricted
      
      MicroShift: https://github.com/openshift/microshift/blob/main/assets/optional/operator-lifecycle-manager/0000_50_olm_00-namespace.yaml#L39
      
      OpenShift: https://github.com/operator-framework/operator-marketplace/blob/master/manifests/01_namespace.yaml#L13
          

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

      1. Mirror catalog/operators using oc-mirror
      2. Apply generated CatalogSource
      

      Actual results:

      Pod for Catalog is not created because of the security (it can be observed in CatalogSource's status).

      Expected results:

      Catalog's Pod runs

      Additional info:

      Gdoc draft of OLM's offline/disconnected: https://docs.google.com/document/d/1H7no37mFLLlSo4HVa2zKgWiPLD-j1EarajlHMmGXUds/edit
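
Added example (not part of the original issue, and not MicroShift or OLM code): a Python check covering four container-level rules that the Kubernetes Pod Security Standards apply only at the `restricted` level, showing why the same pod is rejected in a namespace enforcing `restricted` while these rules do not block it under `baseline`. The pod specs, image name and function names are constructed for illustration; volume-type and runAsUser rules are not covered, and a missing enforce label is treated as not restricted.

```python
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec):
    """List the restricted-only securityContext rules that pod_spec breaks."""
    pod_sc = pod_spec.get("securityContext") or {}
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # Container-level values take precedence over pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation != false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"{c['name']}: capabilities.drop lacks ALL")
        if non_root is not True:
            found.append(f"{c['name']}: runAsNonRoot != true")
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append(f"{c['name']}: seccompProfile.type not RuntimeDefault/Localhost")
    return found


def blocking_violations(namespace_labels, pod_spec):
    """Violations that reject the pod in a namespace with these labels."""
    # Assumption: only an explicit enforce=restricted label applies these rules.
    if namespace_labels.get(ENFORCE_LABEL) != "restricted":
        return []
    return restricted_violations(pod_spec)


# Constructed samples (not taken from OLM): a pod with no securityContext,
# and the same pod hardened to satisfy the rules checked above.
PLAIN_POD = {"containers": [{"name": "catalog", "image": "example.invalid/catalog:v1"}]}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "catalog", "image": "example.invalid/catalog:v1",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for level in ("restricted", "baseline"):
        for name, pod in (("plain", PLAIN_POD), ("hardened", HARDENED_POD)):
            print(level, name, blocking_violations({ENFORCE_LABEL: level}, pod) or "ok")
```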
          

            pmatusza@redhat.com Patryk Matuszak
            openshift-crt-jira-prow OpenShift Prow Bot
            Douglas Hensel
            Ashwini Raviprakash