Description of problem:
To add the operator installation to the nightly tests, install-catalog-source.sh is needed so that the CI builds are tested instead of the GA builds. However, the script relies on podman, which makes syscalls, so the 'user' running the script in the container does not have the privilege to run it. The privilege needed is not something that we can get in Prow CI.
From forum-ocp-testplatform:
"As far as I know, other than a particular use case, that is: an initContainer that sets up a VPN, users' tests run with standard SELinux context, no root. I can't tell whether there is a test somewhere running podman, but if you have such a requirement I'd suggest you:
- collect the syscalls and/or permissions/capabilities/contexts you need
- come to us and explain what is required
I'll present those in front of the team and then we will decide what to do next. No promises, we are strict in terms of security."
Possible solutions:
- Remove the need for podman / any command that requires syscalls to be made from the script
- Request the specific privilege for the syscalls as mentioned above
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
- <steps>
Actual results:
Expected results:
Reproducibility (Always/Intermittent/Only Once):
Build Details:
Additional info (Such as Logs, Screenshots, etc):
- is caused by RHIDP-4338 Installation of RHDH Operator Fails When Using (unsupported) Script against clusters with hosted control planes (IBM Cloud, HyperShift, ROSA, ...) (Closed)