OpenShift Service Mesh
OSSM-8277

Kiali test suites are not able to run on OCP 4.18-ec2 fips


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: OSSM 2.6.2
    • Affects Version/s: OSSM 2.6.2
    • Component/s: Kiali, Maistra, QE
    • Labels: None

      Job: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-maistra-maistra-test-tool-main-servicemesh-ocp4.18-lp-interop-servicemesh-interop-aws-fips/1845659434668265472

      Lots of Kiali int tests failed.
      Cypress test could not start because the sleep application could not get into a ready state.

      Issue 1 ===
      Kiali int tests failed because the traffic generator pod was not working.
      The init script is not able to run `traffic-generator` due to

      Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "kiali-traffic-generator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "kiali-traffic-generator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "kiali-traffic-generator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "kiali-traffic-generator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

      Issue 2 ===
      The sleep app is not working due to a similar error:

      Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "sleep" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sleep" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sleep" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sleep" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

      Issue 3 ===
      After the traffic generator was fixed, one Kiali integration test failed with a similar error:

      {"level":"error","time":"2024-10-17T14:34:14Z","message":"Err: 'exit status 1'. stderr: 'Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"reviews\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"reviews\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"reviews\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"reviews\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")\nError from server (Forbidden): error when creating \"/home/fedora/kiali/tests/integration/assets/bookinfo-workloads.yaml\": pods \"details-v2\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"details\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"details\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"details\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"details\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")\n'."}
          workloads_test.go:102: 
      {"level":"error","time":"2024-10-17T14:34:14Z","message":"exit status 1"}
      

      Issue 4 ===
      I have noticed that USER 1000 was added into the bookinfo app by this commit https://github.com/istio/istio/commit/21f450960ce820ada1e125529a843ac8fb55f054 and it is available only from bookinfo 1.19.1,
      so for 1.65 the issue happens also for the bookinfo app, so I need to update the bookinfo app in the same way as the sleep app (remove the custom SCC and use only the anyuid SCC [add it there if it is not defined in the code yet]).

      Issue 5 ===

      Not able to install upstream Istio + Kiali main on OCP 4.18, since the same security errors appear in the Grafana and Prometheus deployments.
      Grafana

      pods "grafana-f459cd95-6562f" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "grafana" must set securityContext.runAsNonRoot=true)
      

      Prometheus

      pods "prometheus-84676b8788-srdx2" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prometheus-server-configmap-reload", "prometheus-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prometheus-server-configmap-reload", "prometheus-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "prometheus-server-configmap-reload", "prometheus-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "prometheus-server-configmap-reload", "prometheus-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

      Since they are deployed by istioctl (`./install-istio-via-istioctl.sh iee true -m true -cn cluster-default -cp openshift -gae true`), the issue needs to be resolved upstream, not in the kiali repo. (That script lives in the kiali repo, so the script also needs an update.)
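      Every error quoted in Issues 1 to 5 is the same failure: the namespace is labelled for the PodSecurity "restricted" profile, and the pod specs of sleep, traffic-generator, bookinfo, grafana and prometheus do not set the four securityContext fields that profile demands. The following is an added example, not code from Kiali, Istio or OSSM: it re-implements those four checks offline so a manifest can be validated before it is applied, and a fixer that adds the minimum settings. The sample Deployment manifests are constructed here to mirror the "sleep" and "prometheus" pods from the messages above; the function names are my own.

```python
# Added example (not Kiali/Istio/OSSM code): offline re-implementation of the four
# PodSecurity "restricted" checks quoted in this issue, plus a fixer. Sample
# manifests are constructed here; only the container names come from the issue.
from copy import deepcopy

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add back


def pod_spec_of(manifest):
    """PodSpec of a Pod, or of the pod template of a Deployment/Job/etc."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _containers(spec):
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []


def _names(names):
    word = "container" if len(names) == 1 else "containers"
    return word + " " + ", ".join('"%s"' % n for n in names)


def restricted_violations(manifest):
    """Violation strings worded like the API server's PodSecurity messages.

    Only the four checks quoted in this issue are modelled. The real profile also
    inherits every baseline check (privileged, hostNetwork, hostPath, ...), forbids
    runAsUser=0 and limits volume types; `kubectl apply --dry-run=server` is the
    authoritative check because it runs the cluster's own admission controller.
    """
    spec = pod_spec_of(manifest)
    pod_sc = spec.get("securityContext") or {}
    pe, caps, nonroot, seccomp = [], [], [], []
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:  # must be an explicit false
            pe.append(c["name"])
        cap = sc.get("capabilities") or {}
        if "ALL" not in (cap.get("drop") or []) or set(cap.get("add") or []) - ALLOWED_CAP_ADD:
            caps.append(c["name"])
        # Container-level values override pod-level ones; unset at both levels fails.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            nonroot.append(c["name"])
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if prof.get("type") not in ALLOWED_SECCOMP:
            seccomp.append(c["name"])
    out = []
    if pe:
        out.append("allowPrivilegeEscalation != false (%s must set securityContext.allowPrivilegeEscalation=false)" % _names(pe))
    if caps:
        out.append('unrestricted capabilities (%s must set securityContext.capabilities.drop=["ALL"])' % _names(caps))
    if nonroot:
        out.append("runAsNonRoot != true (pod or %s must set securityContext.runAsNonRoot=true)" % _names(nonroot))
    if seccomp:
        out.append('seccompProfile (pod or %s must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")' % _names(seccomp))
    return out


def harden_for_restricted(manifest):
    """Copy of the manifest with the minimum settings restricted:latest requires.

    Caveat: runAsUser is left alone. With runAsNonRoot=true the kubelet refuses to
    start an image whose USER is root or unspecified (CreateContainerConfigError),
    so the image must run as a non-root user (cf. USER 1000 in bookinfo) or
    runAsUser must be set to a non-zero UID.
    """
    m = deepcopy(manifest)
    spec = pod_spec_of(m)
    pod_sc = spec.get("securityContext") or {}
    spec["securityContext"] = pod_sc
    pod_sc["runAsNonRoot"] = True
    if (pod_sc.get("seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        c["securityContext"] = sc
        sc["allowPrivilegeEscalation"] = False
        cap = sc.get("capabilities") or {}
        sc["capabilities"] = cap
        cap["drop"] = ["ALL"]
        add = sorted(set(cap.get("add") or []) & ALLOWED_CAP_ADD)
        if add:
            cap["add"] = add
        else:
            cap.pop("add", None)
        # Remove container-level overrides that would undo the pod-level defaults.
        if sc.get("runAsNonRoot") is False:
            sc["runAsNonRoot"] = True
        if "seccompProfile" in sc and (sc["seccompProfile"] or {}).get("type") not in ALLOWED_SECCOMP:
            sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return m


def _deployment(name, container_names):
    """Constructed sample: a Deployment with bare containers, as the samples ship."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": n, "image": "example/%s" % n} for n in container_names]}}}}


SLEEP_DEPLOYMENT = _deployment("sleep", ["sleep"])
PROMETHEUS_DEPLOYMENT = _deployment("prometheus", ["prometheus-server-configmap-reload", "prometheus-server"])

if __name__ == "__main__":
    for m in (SLEEP_DEPLOYMENT, PROMETHEUS_DEPLOYMENT):
        print(m["metadata"]["name"], "before:", restricted_violations(m))
        print(m["metadata"]["name"], "after: ", restricted_violations(harden_for_restricted(m)))
```

      The wording difference in the logs above is meaningful: "Warning: would violate PodSecurity" comes from the namespace's pod-security.kubernetes.io/warn label, while "is forbidden: violates PodSecurity" comes from the enforce label, so `kubectl get ns <name> --show-labels` tells you which mode you are hitting. On OpenShift the SCC and PodSecurity checks are separate layers: an SCC such as anyuid decides what the pod is allowed to do once admitted, but it does not by itself satisfy the restricted profile's field requirements.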

      =======

      Upstream issues:
      https://github.com/kiali/kiali-test-mesh/issues/77
      https://github.com/kiali/kiali/issues/7837

            Assignee: Matej Kralik (mkralik@redhat.com)
            Reporter: Matej Kralik (mkralik@redhat.com)