OpenShift Windows Containers / WINC-879

Pod creation fails due to PodSecurity admission

Details

    • Story
    • Resolution: Done
    • Critical
    • wmco
    • 3
    • WINC - Sprint 224

    Description

      Developer story

      As a developer, I want to resolve the pod creation failures due to PodSecurity admission, so that the e2e tests pass.

      Engineering Details

       

             {
                  "apiVersion": "v1",
                  "count": 1,
                  "eventTime": null,
                  "firstTimestamp": "2022-08-31T17:08:09Z",
                  "involvedObject": {
                      "apiVersion": "apps/v1",
                      "kind": "ReplicaSet",
                      "name": "windows-machine-config-operator-6b8946f6d",
                      "namespace": "openshift-windows-machine-config-operator",
                      "resourceVersion": "87842",
                      "uid": "9940d9f0-dc37-40ee-abcf-a1085f72ca81"
                  },
                  "kind": "Event",
                  "lastTimestamp": "2022-08-31T17:08:09Z",
                  "message": "Error creating: pods \"windows-machine-config-operator-6b8946f6d-8v5dj\" is forbidden: violates PodSecurity \"restricted:latest\": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container \"manager\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"manager\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or container \"manager\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",
                  "metadata": {
                      "creationTimestamp": "2022-08-31T17:08:09Z",
                      "name": "windows-machine-config-operator-6b8946f6d.17107cfd43028302",
                      "namespace": "openshift-windows-machine-config-operator",
                      "resourceVersion": "87848",
                      "uid": "3cee0759-5dee-4c03-925c-be09a59ed86f"
                  },
                  "reason": "FailedCreate",
                  "reportingComponent": "",
                  "reportingInstance": "",
                  "source": {
                      "component": "replicaset-controller"
                  },
                  "type": "Warning"
             }
      

       

      The above error was found in a CI job. See gather-extra

       

      Resources to fix the PodSecurity admission issues:

      Acceptance Criteria

      • Pod security policies are correctly applied in e2e tests
      • e2e tests pass
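
An added example, not part of the original issue or the WMCO code: a small Python helper that parses a FailedCreate event like the one under Engineering Details and lists each PodSecurity check the pod violated. SAMPLE_EVENT is a trimmed copy of that event, the name parse_podsecurity_event is hypothetical, and the message layout is assumed from the single event shown above.

```python
import json
import re

# Trimmed copy of the event above: only the fields this helper reads.
SAMPLE_EVENT = json.dumps({
    "reason": "FailedCreate",
    "involvedObject": {"namespace": "openshift-windows-machine-config-operator"},
    "message": (
        'Error creating: pods "windows-machine-config-operator-6b8946f6d-8v5dj" '
        'is forbidden: violates PodSecurity "restricted:latest": '
        'host namespaces (hostNetwork=true), '
        'allowPrivilegeEscalation != false (container "manager" must set '
        'securityContext.allowPrivilegeEscalation=false), '
        'unrestricted capabilities (container "manager" must set '
        'securityContext.capabilities.drop=["ALL"]), '
        'seccompProfile (pod or container "manager" must set '
        'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
    ),
})

# Assumed layout: pods "<name>" is forbidden: violates PodSecurity "<level>:<version>": ...
HEADER = re.compile(r'pods "([^"]+)" is forbidden: violates PodSecurity '
                    r'"([^":]+):([^"]+)": (.*)', re.S)
# One violation is "<check name> (<detail>)"; details may contain commas,
# so match the parenthesised groups instead of splitting on ", ".
VIOLATION = re.compile(r'\s*([^(),]+?)\s*\(([^()]*)\)')


def parse_podsecurity_event(raw):
    """Return a dict describing a PodSecurity denial, or None if the
    event is not a FailedCreate caused by PodSecurity admission."""
    event = json.loads(raw)
    if event.get("reason") != "FailedCreate":
        return None
    m = HEADER.search(event.get("message", ""))
    if m is None:
        return None
    pod, level, version, rest = m.groups()
    return {
        "namespace": event.get("involvedObject", {}).get("namespace"),
        "pod": pod,
        "level": level,
        "version": version,
        "violations": VIOLATION.findall(rest),  # list of (check, detail)
    }


if __name__ == "__main__":
    print(json.dumps(parse_podsecurity_event(SAMPLE_EVENT), indent=2))
```
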

          People

            jvaldes@redhat.com Jose Valdes