Project Quay / PROJQUAY-4981

Container Security Operator does not have permissions in some OpenShift Namespaces


In FedRAMP we're trying to tweak CSO to only scan Red Hat owned namespaces in customer clusters. When specifying `targetNamespaces`, we're seeing errors that it can't get pods or ImageManVulns in a few namespaces. When this occurs, the operator never actually continues to move forward with the other namespaces, so no ImageManVulns are created.

When using the global setting (remove spec to apply to all namespaces), this issue does not occur and access permissions are fine.

Interestingly enough, if you start with setting global to scan all namespaces, then switch to using `targetNamespaces`, the issue also goes away. So it seems there is some issue with creating permissions/roles when using `targetNamespaces` that does not occur in global, but the permissions stick around if you edit the OG afterwards.

The namespaces we've seen errors in so far are:
openshift
openshift-apiserver
openshift-apiserver-operator
openshift-sdn
dedicated-admins

This issue can also be seen in CRC for the openshift-apiserver namespace. This issue was present in both v3.7.10 and v3.8.0.

I've attached some data to show the results and provide ways to test as well.

Happy to provide any other info if you need it. Thanks!
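As an added diagnostic (not part of this report and not the operator's own tooling), the following POSIX shell script checks, for each namespace passed on the command line, whether the operator's service account can perform the RBAC verbs it needs there, using `oc auth can-i --as=<serviceaccount>`. It reproduces the symptom described above in a controlled way: a single "no" in any target namespace is enough to explain the errors and the stalled reconciliation. The service account name `system:serviceaccount:openshift-operators:container-security-operator`, the resource `imagemanifestvulns.secscan.quay.redhat.com` and the four-entry verb list are assumptions (a representative subset, overridable through `CSO_SA` and `CSO_CHECKS`); `OC` lets you point at a different CLI binary.

```shell
#!/bin/sh
# Added diagnostic: verify that the Container Security Operator's service
# account holds the RBAC it needs in every namespace listed in targetNamespaces.
# Assumptions (override via environment): the service account name below, the
# ImageManifestVuln resource/group, and the verb list (a representative subset).
CSO_SA="${CSO_SA:-system:serviceaccount:openshift-operators:container-security-operator}"
OC="${OC:-oc}"
# One "<verb> <resource>" pair per line, each checked with `oc auth can-i`.
CSO_CHECKS="${CSO_CHECKS:-list pods
watch pods
get imagemanifestvulns.secscan.quay.redhat.com
create imagemanifestvulns.secscan.quay.redhat.com}"

# Print "<namespace> <verb> <resource> yes|no" for every check in one namespace.
check_ns_access() {
  ns="$1"
  printf '%s\n' "$CSO_CHECKS" | while read -r verb resource; do
    # `oc auth can-i` prints yes/no and exits non-zero on "no" or on an API
    # error; normalise any failure to "no" so the loop never stops early.
    result=$("$OC" auth can-i "$verb" "$resource" -n "$ns" --as="$CSO_SA" 2>/dev/null || true)
    case "$result" in yes) result=yes ;; *) result=no ;; esac
    echo "$ns $verb $resource $result"
  done
}

# Run the checks over all namespaces given, print the report, and return 0 only
# when every permission is granted. Any "no" is the condition this report
# describes: the operator cannot reconcile that namespace.
verify_target_namespaces() {
  report=$(for ns in "$@"; do check_ns_access "$ns"; done)
  printf '%s\n' "$report"
  missing=$(printf '%s\n' "$report" | grep -c ' no$' || true)
  [ "$missing" -eq 0 ]
}

# Usage: sh cso-rbac-check.sh openshift openshift-apiserver openshift-sdn dedicated-admins
if [ "$#" -gt 0 ]; then
  verify_target_namespaces "$@"
fi
```

Run it as a user allowed to impersonate the service account (cluster-admin in practice), once before and once after switching the OperatorGroup between the global setting and `targetNamespaces`; diffing the two reports shows exactly which namespace/verb pairs the operator loses.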

Assignee: Unassigned
Reporter: Antony Natale (anatale.openshift)