Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-992

Document namespaces where workloads should not be ran

XMLWordPrintable

    • Informational
    • None
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem: When attempting to create a pod in the `default` namespace, the request was rejected because the pod did not meet PSA namespace requirements:
      ```
      error creating new pod: oo-g4t6w-: pods "oo-g4t6w-xlt6m" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true)
      ```

      This same pod could run in the `foo` namespace I created. The pod failed to meet the PSA Namespace requirements in the `default` namespace because:
      1) the securityContext wasn't fully specified/sufficiently specified to meet the PSA requirements.
      2) the default namespace doesn't run SCC admission, which would normally(when the pod otherwise qualifies into an appropriate SCC such as restricted-v2) populate/set the additional securityContext fields in such a way that the pod would meet the PSA requirements.

      I spoke with Standa Laznicka who provided this (possibly incomplete) list of namespaces where workloads should not be ran:

      • kube-public
      • kube-system
      • openshift
      • openshift-config
      • openshift-config-managed
      • default

      Currently, there is no customer facing documentation that users may reference to know which namespaces workloads should not be ran in. It would be great to highlight this information to avoid confusion in the future.

      Version-Release number of selected component (if applicable): 4.12.0

      How reproducible: Always

      Steps to Reproduce:
      1. Attempt to create a pod in the default namespace

              rhn-support-ahoffer Andrea Hoffer
              agreene1991 Alexander Greene (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: