Bug
Resolution: Unresolved
Major
Sprint: Pipelines Sprint Pioneers 2, Pipelines Sprint Pioneers 3
Description of problem:
The pipelines-scc is missing the seccompProfile of type RuntimeDefault (SCC profile string `runtime/default`) that is needed to allow the Tekton EventListener to run with el-security-context=true.
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
- set security context to restricted for a namespace
- set el-security-context=true in the tektonconfig
- create EventListener in that namespace
- EventListener pod will not start
Actual results:
- lastTransitionTime: "2024-03-25T09:01:01Z"
  message: 'pods "el-cad-event-listener-6556ff4b48-sl48m" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "event-listener" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
  reason: FailedCreate
  status: "True"
  type: ReplicaFailure
Expected results:
- pipelines-scc lists `runtime/default` under seccompProfiles, so a pod with seccompProfile type RuntimeDefault is admitted
Definition of Done:
Build Details:
Additional info (Such as Logs, Screenshots, etc):
The pipelines-scc needs to additionally list the seccompProfile:

$ oc get scc pipelines-scc
...
+ seccompProfiles:   # THIS IS MISSING
+ - runtime/default

This is required because enabling `el-security-context=true` results in the following securityContext for the event listener:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    type: RuntimeDefault
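The following is an added illustration, not code from this report or from OpenShift/Tekton. It models the two admission checks that collide in this bug: Pod Security Admission in `restricted` mode requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost`, while an OpenShift SCC whose `seccompProfiles` list is unset or empty forbids the pod from naming any seccomp profile at all. The SCC profile strings (`runtime/default`, `localhost/<path>`, `unconfined`, wildcard `*`) follow the SCC field documentation; the sample SCC dicts and the `securityContext` are constructed from the values quoted above, and the real admission order and any SCC mutation are deliberately not modelled.

```python
import json
from typing import Optional

# Constructed samples, modelled on the report: pipelines-scc before and after
# the proposed fix, and the securityContext that el-security-context=true sets.
PIPELINES_SCC_BEFORE = {"name": "pipelines-scc", "seccompProfiles": []}
PIPELINES_SCC_AFTER = {"name": "pipelines-scc", "seccompProfiles": ["runtime/default"]}

EL_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsGroup": 65532,
    "runAsNonRoot": True,
    "runAsUser": 65532,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def psa_restricted_violations(sc: dict) -> list[str]:
    """Subset of the PSA 'restricted' checks that appear in the quoted error."""
    violations = []
    if sc.get("allowPrivilegeEscalation") is not False:
        violations.append("allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        violations.append("capabilities.drop must include ALL")
    if sc.get("runAsNonRoot") is not True:
        violations.append("runAsNonRoot must be true")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        violations.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def scc_profile_string(sc: dict) -> Optional[str]:
    """Translate a pod/container seccompProfile into the SCC seccompProfiles string."""
    profile = sc.get("seccompProfile")
    if not profile:
        return None  # pod names no profile
    kind = profile.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Unconfined":
        return "unconfined"
    if kind == "Localhost":
        return "localhost/" + profile.get("localhostProfile", "")
    raise ValueError(f"unknown seccompProfile.type {kind!r}")


def scc_allows_seccomp(scc: dict, sc: dict) -> bool:
    """An unset/empty seccompProfiles list means: no profile may be requested."""
    wanted = scc_profile_string(sc)
    if wanted is None:
        return True
    allowed = scc.get("seccompProfiles") or []
    return "*" in allowed or wanted in allowed


def admit(scc: dict, sc: dict) -> list[str]:
    """Collect every reason the pod would be rejected under both checks."""
    problems = psa_restricted_violations(sc)
    if not scc_allows_seccomp(scc, sc):
        problems.append(
            f"SCC {scc['name']} does not allow seccomp profile {scc_profile_string(sc)!r}"
        )
    return problems


def scc_seccomp_patch(profile: str = "runtime/default") -> str:
    """JSON patch body that adds the missing seccompProfiles entry to an SCC."""
    return json.dumps([{"op": "add", "path": "/seccompProfiles", "value": [profile]}])


if __name__ == "__main__":
    for label, scc in (("before", PIPELINES_SCC_BEFORE), ("after", PIPELINES_SCC_AFTER)):
        print(label, admit(scc, EL_SECURITY_CONTEXT) or "admitted")
    print(scc_seccomp_patch())
```

Running the block shows the deadlock the report describes: with the empty `seccompProfiles` list the only remaining rejection comes from the SCC, and with `runtime/default` added the same pod passes both checks. The `scc_seccomp_patch()` string is the body one would hand to `oc patch scc pipelines-scc --type=json -p '...'` (assumed here as the way to apply the fix; the report itself only shows the desired end state).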