Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-3707

NFD operator default namespace openshift-nfd needs specific pod security labels added for OCP 4.12

    XMLWordPrintable

Details

    • Important
    • Proposed
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      When deploying the NFD bundle on OCP 4.12 nightly build 4.12.0-0.nightly-2022-11-04-065711 with kubernetes 1.25, the bundle fails to deploy unless the namespace it is deployed in is labeled with the following labels:

security.openshift.io/scc.podSecurityLabelSync=false 
pod-security.kubernetes.io/enforce=privileged
pod-security.kubernetes.io/audit=privileged 
pod-security.kubernetes.io/warn=privileged

These labels also need to be added to the "openshift-nfd" default namespace which is created when deploying NFD operator from OperatorHub in OpenShift console.  Otherwise the nfd-worker pods will fail to deploy when the nodefeaturediscovery instance is created.


# operator-sdk run bundle "quay.io/wabouham/nfd-operator-bundle:4.12.20221107" -n openshift-nfd
INFO[0001] Creating a File-Based Catalog of the bundle "quay.io/wabouham/nfd-operator-bundle:4.12.20221107" 
INFO[0001] Generated a valid File-Based Catalog         
FATA[0001] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-wabouham-nfd-operator-bundle-4-12-20221107" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-grpc" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") 

# oc label ns openshift-nfd security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite
namespace/openshift-nfd labeled

# oc describe ns openshift-nfd
Name:         openshift-nfd
Labels:       kubernetes.io/metadata.name=openshift-nfd
              pod-security.kubernetes.io/audit=privileged
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=privileged
              security.openshift.io/scc.podSecurityLabelSync=false
Annotations:  openshift.io/sa.scc.mcs: s0:c26,c25
              openshift.io/sa.scc.supplemental-groups: 1000700000/10000
              openshift.io/sa.scc.uid-range: 1000700000/10000
Status:       Active


No resource quota.


No LimitRange resource.

# operator-sdk run bundle "quay.io/wabouham/nfd-operator-bundle:4.12.20221107" -n openshift-nfd
INFO[0002] Creating a File-Based Catalog of the bundle "quay.io/wabouham/nfd-operator-bundle:4.12.20221107" 
INFO[0002] Generated a valid File-Based Catalog         
INFO[0006] Created registry pod: quay-io-wabouham-nfd-operator-bundle-4-12-20221107 
INFO[0006] Created CatalogSource: nfd-catalog           
INFO[0006] OperatorGroup "operator-sdk-og" created      
INFO[0006] Created Subscription: nfd-v4-12-20221107-sub 
INFO[0011] Approved InstallPlan install-4tt59 for the Subscription: nfd-v4-12-20221107-sub 
INFO[0011] Waiting for ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" to reach 'Succeeded' phase 
INFO[0011]   Waiting for ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" to appear 
INFO[0028]   Found ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" phase: Pending 
INFO[0031]   Found ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" phase: InstallReady 
INFO[0032]   Found ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" phase: Installing 
INFO[0042]   Found ClusterServiceVersion "openshift-nfd/nfd.v4.12.20221107" phase: Succeeded 
INFO[0042] OLM has successfully installed "nfd.v4.12.20221107"

      Version-Release number of selected component (if applicable):

      Kustomize Version: v4.5.4
Server Version: 4.12.0-0.nightly-2022-11-04-065711
Kubernetes Version: v1.25.2+6b47915

      How reproducible:

      Always

      Steps to Reproduce:

      on OCP 4.12 nightly:
1. oc create ns openshift-nfd
2. deploy NFD bundle in the openshift-nfd namespace:  operator-sdk run bundle "quay.io/wabouham/nfd-operator-bundle:4.12.20221107" -n openshift-nfd

      Actual results:

      FATA[0001] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-wabouham-nfd-operator-bundle-4-12-20221107" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-grpc" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Expected results:

      NFD Operator bundle should be deployed successfully (see Description field)

      Additional info:

       

      Attachments

        Issue Links

          is depended on by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3789 NFD operator default namespace openshift-nfd needs specific pod security labels added for OCP 4.12

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              yshnaidm Yevgeny Shnaidman
              walid@redhat.com Walid Abouhamad
              Guy Gordani Guy Gordani
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: