OpenShift Bugs: OCPBUGS-3166

assisted-installer: pod creation fails due to violations of security policies in 4.12

      Description of problem:

      I1102 14:25:27.816713       1 job_controller.go:1507] Failed creation, decrementing expectations for job "assisted-installer"/"assisted-installer-controller"
      E1102 14:25:27.816729       1 job_controller.go:1512] pods "assisted-installer-controller-vmmw7" is forbidden: violates PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container "assisted-installer-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "assisted-installer-controller" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "service-ca-cert-config" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "assisted-installer-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "assisted-installer-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      E1102 14:25:27.816750       1 job_controller.go:545] syncing job: pods "assisted-installer-controller-vmmw7" is forbidden: violates PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container "assisted-installer-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "assisted-installer-controller" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "service-ca-cert-config" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "assisted-installer-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "assisted-installer-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      I1102 14:25:27.816806       1 event.go:294] "Event occurred" object="assisted-installer/assisted-installer-controller" fieldPath="" kind="Job" apiVersion="batch/v1" type="Warning" reason="FailedCreate" message="Error creating: pods \"assisted-installer-controller-vmmw7\" is forbidden: violates PodSecurity \"restricted:v1.24\": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container \"assisted-installer-controller\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"assisted-installer-controller\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"service-ca-cert-config\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or container \"assisted-installer-controller\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"assisted-installer-controller\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
      

      Version-Release number of selected component (if applicable):

      
      

      How reproducible:

      Always
      
      

      Steps to Reproduce:

      1. Run the assisted installer (see [~jacding@redhat.com] for a more detailed description)
      
      

      Actual results:

      The assisted-installer-controller job pod cannot be created because it violates the PodSecurity restrictions enforced on the namespace
      
      

      Expected results:

      assisted-installer-controller job pod is created
      
      

      Additional info:

      Forked from https://issues.redhat.com/browse/OCPBUGS-2311
      
      Either set the proper securityContext in the job manifest or label the `assisted-installer` namespace as privileged.
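      As an added example (not code from the assisted-installer project), the six "restricted:v1.24" checks named in the admission error above, re-implemented over a constructed pod spec: the securityContext fields the error message asks for clear four of them, while hostNetwork and the hostPath volume are forbidden under the restricted profile regardless of securityContext, which is why relaxing the namespace's enforce level is the other option. Image and hostPath path are placeholders; the report does not give them.

```python
import copy

# Constructed pod spec reproducing the six violations in the bug's log line
# (image and hostPath path are placeholders; the report does not give them).
ORIGINAL_SPEC = {
    "hostNetwork": True,
    "volumes": [{"name": "service-ca-cert-config", "hostPath": {"path": "/PLACEHOLDER"}}],
    "containers": [{"name": "assisted-installer-controller", "image": "PLACEHOLDER"}],
}

RESTRICTED_VOLUME_TYPES = {"hostPath"}  # the type the log flags; restricted forbids others too
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(spec: dict) -> list[str]:
    """Return the restricted-profile violation categories for a pod spec, named as in the
    admission error. Pod-level securityContext fields apply unless a container overrides them."""
    pod_sc = spec.get("securityContext", {})
    found = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("host namespaces")
    if any(RESTRICTED_VOLUME_TYPES & set(v) for v in spec.get("volumes", [])):
        found.append("restricted volume types")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append("allowPrivilegeEscalation != false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append("unrestricted capabilities")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append("runAsNonRoot != true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append("seccompProfile")
    return found


def with_restricted_security_context(spec: dict) -> dict:
    """Copy of the spec with the four fixable fields set as the error message asks.
    hostNetwork and hostPath are left alone: restricted forbids them whatever the securityContext says."""
    fixed = copy.deepcopy(spec)
    fixed.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in fixed.get("containers", []):
        c.setdefault("securityContext", {}).update(
            {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}})
    return fixed


if __name__ == "__main__":
    print("original :", restricted_violations(ORIGINAL_SPEC))
    print("hardened :", restricted_violations(with_restricted_security_context(ORIGINAL_SPEC)))
```

The two violations left after hardening are exactly the ones a manifest-side securityContext change cannot remove, so the job either drops hostNetwork and the hostPath mount or runs in a namespace whose enforce label is not `restricted`.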
      

            itsoiref@redhat.com Igal Tsoiref
            jchaloup@redhat.com Jan Chaloupka
            Yuri Obshansky Yuri Obshansky