OpenShift Pipelines / SRVKP-4372

Failed to run triggers eventlistener on restricted cluster

      Release notes:
      * Added a new field default-run-as-non-root to the config-defaults-triggers ConfigMap so that RunAsNonRoot can now be configured through the ConfigMap
         * The default value for RunAsNonRoot is true
      * Added new fields default-run-as-user and default-run-as-group to the config-defaults-triggers ConfigMap so that RunAsUser and RunAsGroup can now be configured through the ConfigMap
         * The default value for RunAsUser and RunAsGroup is 65532
      Sprint: Pipelines Sprint Pioneers 2, Pipelines Sprint Pioneers 3, Pipelines Sprint Pioneers 4, Pipelines Sprint Pioneers 5, Pipelines Sprint Pioneers 6, Pipelines Sprint Pioneers 7, Pipelines Sprint Pioneers 8, Pipelines Sprint Pioneers 9, Pipelines Sprint Pioneers 10, Pipelines Sprint Pioneers 11

      Description of problem:

      The pipelines-scc is missing the seccompProfile of type RuntimeDefault, so the Tekton EventListener cannot run with el-security-context=true in a restricted namespace.

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce:

      • set the pod security profile of a namespace to restricted
      • set el-security-context=true in the TektonConfig
      • create an EventListener in that namespace
      • the EventListener pod does not start

      Actual results:

      - lastTransitionTime: "2024-03-25T09:01:01Z"
        message: 'pods "el-cad-event-listener-6556ff4b48-sl48m" is forbidden: violates
          PodSecurity "restricted:latest": unrestricted capabilities (container "event-listener"
          must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true
          (pod or container "event-listener" must set securityContext.runAsNonRoot=true),
          seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type
          to "RuntimeDefault" or "Localhost")'
        reason: FailedCreate
        status: "True"
        type: ReplicaFailure

      Expected results:

      • pipelines-scc allows the seccompProfile of type RuntimeDefault (seccompProfiles lists runtime/default)
      • the EventListener pod can start

      Reproducibility (Always/Intermittent/Only Once):

      Acceptance criteria:

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

      The pipelines-scc additionally needs to list the runtime/default seccomp profile:

      $ oc get scc pipelines-scc
      ...
      + seccompProfiles: # THIS IS MISSING
      + - runtime/default

      # This is required because enabling `el-security-context` results in the following securityContext for the event listener:
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
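      As an added example (not code from this issue, from Tekton Triggers or from OpenShift), the Python below makes the two checks an operator would want to run offline against exported objects: whether an SCC permits the runtime/default seccomp profile, and whether a container securityContext satisfies the PodSecurity "restricted" rules quoted in the ReplicaFailure message above. It also models the EventListener securityContext from the three config-defaults-triggers keys named in the release notes; the key names and default values (true, 65532) are from the release notes, but the way they are combined is an assumption, not Triggers' own code. The SCC documents and ConfigMap data are constructed samples.

```python
"""Offline checks for the restricted-namespace EventListener failure (added example).

check 1: does an SCC permit the runtime/default seccomp profile?
check 2: does a container securityContext satisfy the PodSecurity "restricted"
         rules quoted in the ReplicaFailure message?
All inputs below are constructed samples; on a live cluster the SCC would come
from `oc get scc pipelines-scc -o json`.
"""
import json

RESTRICTED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}

# Constructed sample: the SCC as reported in the issue (no seccompProfiles field).
SCC_MISSING_SECCOMP = {"metadata": {"name": "pipelines-scc"}, "allowPrivilegeEscalation": False}

# Constructed sample: the same SCC with the entry the issue asks for.
SCC_FIXED = {**SCC_MISSING_SECCOMP, "seccompProfiles": ["runtime/default"]}


def scc_allows_runtime_default(scc: dict) -> bool:
    """True if the SCC's seccompProfiles list permits runtime/default
    (the wildcard '*' also permits it)."""
    profiles = scc.get("seccompProfiles") or []
    return "*" in profiles or "runtime/default" in profiles


def event_listener_security_context(config_defaults: dict) -> dict:
    """Model of the container securityContext applied when el-security-context=true,
    with the three config-defaults-triggers keys from the release notes.
    Key names and defaults follow the release notes; combining them this way
    is an assumption of this example, not Triggers' own code."""
    return {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": config_defaults.get("default-run-as-non-root", "true") == "true",
        "runAsUser": int(config_defaults.get("default-run-as-user", "65532")),
        "runAsGroup": int(config_defaults.get("default-run-as-group", "65532")),
        "seccompProfile": {"type": "RuntimeDefault"},
    }


def restricted_violations(pod_sc: dict, container_sc: dict) -> list:
    """Return the PodSecurity restricted violations for one container, in the
    order the admission message lists them. Pod-level runAsNonRoot and
    seccompProfile apply unless the container sets its own."""
    violations = []
    if "ALL" not in (container_sc.get("capabilities") or {}).get("drop", []):
        violations.append('unrestricted capabilities (must set capabilities.drop=["ALL"])')
    if container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        violations.append("runAsNonRoot != true")
    seccomp = container_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in RESTRICTED_SECCOMP_TYPES:
        violations.append("seccompProfile.type must be RuntimeDefault or Localhost")
    # restricted also requires this; the issue's message omits it only because it was already set
    if container_sc.get("allowPrivilegeEscalation") is not False:
        violations.append("allowPrivilegeEscalation != false")
    return violations


def diagnose(scc: dict, config_defaults: dict) -> dict:
    """Combine both checks: a compliant securityContext is not enough on its own
    if the SCC does not allow the seccomp profile it requests."""
    sc = event_listener_security_context(config_defaults)
    return {
        "scc_allows_runtime_default": scc_allows_runtime_default(scc),
        "pod_security_violations": restricted_violations({}, sc),
    }


if __name__ == "__main__":
    # Reported state: defaults are compliant, but the SCC lacks runtime/default.
    print(json.dumps(diagnose(SCC_MISSING_SECCOMP, {}), indent=2))
    # Fixed SCC, but default-run-as-non-root overridden to "false" in the ConfigMap.
    print(json.dumps(diagnose(SCC_FIXED, {"default-run-as-non-root": "false"}), indent=2))
```

      With the release-note defaults the modelled securityContext passes every restricted rule, so the only finding on the reported cluster is the SCC check; lowering default-run-as-non-root to "false" reintroduces the "runAsNonRoot != true" violation from the message above.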

      People: Savita (sashture), Claudio Busse (cbusse.openshift), abdeljawed khelil
      Votes: 0
      Watchers: 4