Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 4.12.z
Affects Version/s: 4.12
Component/s: oc
Labels:
None

Test Coverage:

?
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
The {product-title} {product-version} release fixes an issue with entering a debug session on a target node when the target namespace lacks the appropriate security level. This caused the `oc` CLI to prompt you with a pod security error message.

If the existing namespace does not contain the appropriate security levels, {product-title} now creates a temporary namespace when you enter `oc` debug mode on a target node.

(link:https://issues.redhat.com/browse/OCPBUGS-852[*~~OCPBUGS-852~~*])

Show
The {product-title} {product-version} release fixes an issue with entering a debug session on a target node when the target namespace lacks the appropriate security level. This caused the `oc` CLI to prompt you with a pod security error message. If the existing namespace does not contain the appropriate security levels, {product-title} now creates a temporary namespace when you enter `oc` debug mode on a target node. (link: https://issues.redhat.com/browse/OCPBUGS-852 [* OCPBUGS-852 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.12.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

When a user tries to run `oc debug,` they end up getting errors about pod security labels:

 Ensure the target namespace has the appropriate security level set or consider creating a dedicated privileged namespace using:
	"oc create ns <namespace> -o yaml | oc label -f - security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged".
Original error:
pods "ip-10-0-129-209ec2internal-debug" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
command failed, 3 retries left

This happens since https://docs.openshift.com/container-platform/4.11/authentication/understanding-and-managing-pod-security-admission.html

Fixing it requires the user running something like

oc create ns fips-check -o yaml | \
  oc label -f - \
  security.openshift.io/scc.podSecurityLabelSync=false \
  pod-security.kubernetes.io/enforce=privileged \
  pod-security.kubernetes.io/audit=privileged \
  pod-security.kubernetes.io/warn=privileged

Version-Release number of selected component (if applicable):

4.12

How reproducible:

Always

Steps to Reproduce:

1. Try to run `oc debug node/....` in a new namespace

Actual results:

Error message

Expected results:

oc debug works without the user having to perform additional steps. If namespace is omitted, perhaps oc debug could create a temporary one with the correct pod security labels?

Additional info:

Attachments

Issue Links

duplicates

OCPBUGS-994 Need label pod-security for ns default to create pods under default project

Closed

is duplicated by

OCPBUGS-372 Debug pod causes PodSecurity warning

Closed

relates to

TRT-540 Track down lingering Pod Security issues

Closed

OCPBUGS-999 aws driver toolkit jobs are permafailing

Closed

links to

openshift/oc#1236: OCPBUGS-852: cli/debug: Create temporary namespace for node debugging

Activity

People

Assignee:: Arda Guclu

Reporter:: Stephen Benjamin

QA Contact:: ying zhou

Doc Contact:: Darragh Fitzmaurice

Votes:: 2 Vote for this issue

Watchers:: 16 Start watching this issue

Dates

Created:: 2022/09/02 11:06 AM

Updated:: 2024/02/15 3:28 PM

Resolved:: 2023/01/17 7:38 PM