Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-999

aws driver toolkit jobs are permafailing

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Undefined
    • None
    • 4.12.0
    • Driver Toolkit
    • None
    • False
    • Hide

      None

      Show
      None

    Description

      periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-driver-toolkit is permafailing after the recent enforcement of pod security labels merged in https://github.com/openshift/cluster-kube-apiserver-operator/pull/1369.

      Example run:
      https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-driver-toolkit/1567569860995584000

      Error message:

      #### Driver Toolkit e2e test ####
+ set_artifact_dir
+ '[' -z /logs/artifacts ']'
+ echo 'Using ARTIFACT_DIR=/logs/artifacts.'
Using ARTIFACT_DIR=/logs/artifacts.
+ oc version -o json
+ jq --raw-output .openshiftVersion
+ oc get clusterversion/version -oyaml
+ get_dtk_image_info
+ oc debug --image-stream=openshift/driver-toolkit:latest -n openshift --quiet -- bash -c 'echo "$SOURCE_GIT_URL/commit/$SOURCE_GIT_COMMIT"'
Error from server (Forbidden): pods "image-debug" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "debug" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "debug" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "debug" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "debug" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-852 oc debug requires a user to create a namespace with specific security labels

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. TRT-540 Track down lingering Pod Security issues

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/driver-toolkit#96: OCPBUGS-999: Use privileged namespace for oc debug commands

          Activity

            People

              stbenjam Stephen Benjamin
              stbenjam Stephen Benjamin
              Udi Kalifon Udi Kalifon (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: