Operator Ecosystem / OPECO-2535

Scorecard failed because of the request of PodSecurity


    • Bug
    • Resolution: Done
    • Major
    • openshift-4.12
    • openshift-4.12
    • OSDK Sprint 225, OSDK Sprint 226, OSDK Sprint 227, OSDK Sprint 228, OSDK 229, OSDK 230, ODSK 231

      Description of problem:

      • operator sdk scorecard test failed because of the request of PodSecurity

      Version-Release number of selected component (if applicable):

      • operator-sdk version: "v1.22.0-ocp", commit: "9a16a5cb237880ee540f89d7768d93a3e4e1635e", kubernetes version: "v1.24.1", go version: "go1.18.1", GOOS: "linux", GOARCH: "amd64"
      • cluster version: 4.12.0-0.nightly-2022-09-07-112008

      How reproducible:

      • Always

      Steps to Reproduce:

      1. generate one operator and bundle
      2. operator-sdk init --plugins=ansible --domain example.com
      3. operator-sdk create api --group cache --version v1alpha1 --kind Memcached --generate-role
      4. make bundle
      5. scorecard test the operator bundle
      6. operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test

      Actual results:

      operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test
      --------------------------------------------------------------------------------
      Image:      quay.io/operator-framework/scorecard-test:v1.20.0
      Entrypoint: [scorecard-test olm-bundle-validation]
      Labels:
          "suite":"olm"
          "test":"olm-bundle-validation-test"
      Results:
          State: fail

          Errors:
              pods "scorecard-test-pgqs" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "scorecard-untar", "scorecard-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "scorecard-untar", "scorecard-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

       

      Expected results:

      operator-sdk scorecard ./bundle -c ./bundle/tests/scorecard/config.yaml -w 60s --selector=test=olm-bundle-validation-test
      --------------------------------------------------------------------------------
      Image:      quay.io/operator-framework/scorecard-test:v1.20.0
      Entrypoint: [scorecard-test olm-bundle-validation]
      Labels:
          "suite":"olm"
          "test":"olm-bundle-validation-test"
      Results:
          State: Success

      Additional info:

       

       

            lpandhar@redhat.com Laxmikant Bhaskar Pandhare (Inactive)
            rhn-support-jfan Jia Fan
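
Added example (not part of the original report and not operator-sdk code): a small Python check that evaluates a pod manifest against the four "restricted" PodSecurity controls listed in the error above, showing which ones must be set per container and which can be inherited from the pod. The pod layout (scorecard-untar as an init container) and the helper names are assumptions, and the check covers only those four controls, not the full restricted profile.

```python
# Added example: evaluate a pod manifest (plain dict) against the four
# "restricted" PodSecurity controls named in the scorecard error.

def restricted_violations(pod):
    """Return (control, container) pairs that would be rejected."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    found = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        name = c["name"]
        # These two controls can only be satisfied per container.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(("allowPrivilegeEscalation", name))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(("capabilities.drop", name))
        # These two may be inherited from the pod; a container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(("runAsNonRoot", name))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(("seccompProfile", name))
    return found


def make_pod(container_sc, pod_sc=None):
    """Constructed stand-in for the scorecard pod (layout is an assumption)."""
    return {"spec": {
        "securityContext": pod_sc,
        "initContainers": [{"name": "scorecard-untar", "securityContext": container_sc}],
        "containers": [{"name": "scorecard-test", "securityContext": container_sc}],
    }}


REJECTED = make_pod(None)  # no securityContext anywhere, as in the error
HARDENED = make_pod(
    {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
)

if __name__ == "__main__":
    for label, pod in (("rejected", REJECTED), ("hardened", HARDENED)):
        print(label, restricted_violations(pod))
```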