
[release-4.16] OLM - Set default CatalogSource pod SecurityContext as `restricted`

      * Previously, if `spec.grpcPodConfig.securityContextConfig` was not set for CatalogSource objects in namespaces with the PodSecurityAdmission "restricted" level enforced, the default securityContext was set as `restricted`. With this release, the OLM catalog operator configures the catalog pod with the securityContexts necessary to pass PSA validation and the issue has been resolved. (link:https://issues.redhat.com/browse/OCPBUGS-34979[*OCPBUGS-34979*])

      Description of problem:

      With the introduction of Pod Security Admission, the recommended best practice is to enforce the `restricted` policy of admission.
      
      However, if the user creates the CatalogSource in the namespace running with `restricted` policy, the CatalogSource Pod fails to be created.
      
      This is because when the `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource, OLM treats the value's default as "legacy", which means that the Catalog Pod does NOT set the `restricted` securityContext, meaning that a Catalog pod will fail to run.

      Version-Release number of selected component (if applicable):

      4.15

      How reproducible:

      100%

      Steps to Reproduce:

      1. On an OCP 4.15 cluster, create a custom CatalogSource object without `.spec.grpcPodConfig.securityContextConfig` being specified
      
      2. See if the CatalogSource Pod started successfully without errors.

      Actual results:

      1. the CatalogSource Pod fails to be created with the error like:
      status:
        message: >-
          couldn't ensure registry server - error ensuring pod: : error creating new
          pod: foobar-: pods "foobar-6ttkb" is forbidden:
          violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false
          (container "registry-server" must set
          securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
          (container "registry-server" must set
          securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
          container "registry-server" must set securityContext.runAsNonRoot=true),
          seccompProfile (pod or container "registry-server" must set
          securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
        reason: RegistryServerError
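      The following is an added example, not part of the bug report or of OLM's code. It reproduces, offline and in Python, the reasoning behind the error above: a CatalogSource with `.spec.grpcPodConfig.securityContextConfig` unset is treated as `legacy`, the resulting registry-server pod carries no securityContext, and a checker covering the four `restricted:v1.24` rules quoted in the admission message (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) reports the same four violations; the same CatalogSource with the field set to `restricted` passes. The manifests, the pod shape OLM produces and the `legacy` default are constructed assumptions modelled on the report, and the checker covers only those four rules, not the full restricted profile.

```python
"""Constructed check: does a CatalogSource produce a catalog pod that passes the
four PodSecurity "restricted:v1.24" rules quoted in OCPBUGS-34979?  Example
code added here; not OLM's implementation and not the real PSA validator."""
from __future__ import annotations

LEGACY = "legacy"
RESTRICTED = "restricted"


def catalogsource_security_mode(cs: dict) -> str:
    """Effective securityContextConfig of a CatalogSource.
    Assumption (from the bug description, not from OLM source): an unset field
    behaves as "legacy"."""
    return cs.get("spec", {}).get("grpcPodConfig", {}).get("securityContextConfig", LEGACY)


def registry_pod_for(mode: str) -> dict:
    """Constructed approximation of the registry-server pod OLM creates.
    Only the securityContext fields relevant to the four checks are modelled;
    "legacy" sets none of them, "restricted" sets all of them."""
    container = {"name": "registry-server", "image": "quay.io/example/catalog:latest"}
    if mode == RESTRICTED:
        container["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        }
    return {"spec": {"containers": [container]}}


def restricted_violations(pod: dict) -> list[str]:
    """Return violation strings in the order the admission message lists them.
    Pod-level runAsNonRoot / seccompProfile apply unless the container overrides
    them; allowPrivilegeEscalation and capabilities are container-only fields."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: list[str] = []
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                "securityContext.allowPrivilegeEscalation=false)")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                'securityContext.capabilities.drop=["ALL"])')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                "securityContext.runAsNonRoot=true)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


def check_catalogsource(cs: dict) -> list[str]:
    """Violations the catalog pod of this CatalogSource would trigger in a
    namespace enforcing the restricted PSA level."""
    return restricted_violations(registry_pod_for(catalogsource_security_mode(cs)))


# Constructed manifests: the field left unset (the reported case) and set explicitly.
UNSET_CATALOGSOURCE = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "CatalogSource",
    "metadata": {"name": "foobar", "namespace": "restricted-ns"},
    "spec": {"sourceType": "grpc", "image": "quay.io/example/catalog:latest"},
}
RESTRICTED_CATALOGSOURCE = {
    **UNSET_CATALOGSOURCE,
    "spec": {**UNSET_CATALOGSOURCE["spec"],
             "grpcPodConfig": {"securityContextConfig": RESTRICTED}},
}

if __name__ == "__main__":
    for label, cs in (("unset", UNSET_CATALOGSOURCE), ("restricted", RESTRICTED_CATALOGSOURCE)):
        problems = check_catalogsource(cs)
        print(f"{label}: mode={catalogsource_security_mode(cs)}, violations={len(problems)}")
        for p in problems:
            print("  -", p)
```

Running the script prints four violations for the unset manifest, matching the four clauses of the `RegistryServerError` message, and none for the explicitly restricted one; adding `grpcPodConfig.securityContextConfig: restricted` to every CatalogSource in a restricted namespace is the workaround on affected versions.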

      Expected results:

      The CatalogSource Pod started successfully by default without specifying `.spec.grpcPodConfig.securityContextConfig` as `restricted`

      Additional info:

              agreene1991 Alexander Greene (Inactive)
              rhn-coreos-tunwu Tony Wu
              Jian Zhang Jian Zhang