Details
Description
Developer story
As a developer, I want to resolve the pod creation failures due to PodSecurity admission, so that the e2e tests pass.
Engineering Details
{
  "apiVersion": "v1",
  "count": 1,
  "eventTime": null,
  "firstTimestamp": "2022-08-31T17:08:09Z",
  "involvedObject": {
    "apiVersion": "apps/v1",
    "kind": "ReplicaSet",
    "name": "windows-machine-config-operator-6b8946f6d",
    "namespace": "openshift-windows-machine-config-operator",
    "resourceVersion": "87842",
    "uid": "9940d9f0-dc37-40ee-abcf-a1085f72ca81"
  },
  "kind": "Event",
  "lastTimestamp": "2022-08-31T17:08:09Z",
  "message": "Error creating: pods \"windows-machine-config-operator-6b8946f6d-8v5dj\" is forbidden: violates PodSecurity \"restricted:latest\": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container \"manager\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"manager\" must set securityContext.capabilities.drop=[\"ALL\"]), seccompProfile (pod or container \"manager\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",
  "metadata": {
    "creationTimestamp": "2022-08-31T17:08:09Z",
    "name": "windows-machine-config-operator-6b8946f6d.17107cfd43028302",
    "namespace": "openshift-windows-machine-config-operator",
    "resourceVersion": "87848",
    "uid": "3cee0759-5dee-4c03-925c-be09a59ed86f"
  },
  "reason": "FailedCreate",
  "reportingComponent": "",
  "reportingInstance": "",
  "source": {
    "component": "replicaset-controller"
  },
  "type": "Warning"
}
The above error was found in a CI job. See gather-extra
Resources to fix the PodSecurity admission issues:
- meeting
- Pod Security admission in OpenShift 4.11
- Oh no, my test pods won't create due to PodSecurity admission!
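As an added example (not code from this ticket or the WMCO repository): a small Python checker for the four restricted-profile checks named in the event message, run over a constructed pod spec that mirrors the failure and over a hardened copy. The image name and both specs are constructed; the hardened copy still fails the host-namespaces check, which no securityContext field can satisfy.

```python
# Added example, not WMCO project code: checks a pod spec (plain dict, e.g. a
# parsed manifest's spec.template.spec) against the four "restricted:latest"
# violations quoted in the event above and returns the ones it fails.
def restricted_violations(pod_spec: dict) -> list:
    violations = []
    # Host namespaces: the restricted profile allows no per-pod exception.
    if any(pod_spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        violations.append("host namespaces")
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"allowPrivilegeEscalation != false ({name})")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(f"unrestricted capabilities ({name})")
        # A container-level seccompProfile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"seccompProfile ({name})")
    return violations

# Constructed spec mirroring the event: hostNetwork and no securityContext.
FAILING_SPEC = {
    "hostNetwork": True,
    "containers": [{"name": "manager", "image": "example/manager:latest"}],
}

# Same spec with the three container-level settings the message asks for.
# hostNetwork is left in place: no securityContext field satisfies that check,
# so the remaining options are dropping hostNetwork or adjusting the namespace's
# pod-security.kubernetes.io/enforce label (the route the linked WINC-881 title suggests).
HARDENED_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "manager",
        "image": "example/manager:latest",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("original", FAILING_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, restricted_violations(spec) or "passes")
```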
Acceptance Criteria
- Pod security policies are correctly applied in e2e tests
- e2e tests pass
Issue Links
- is related to: WINC-881 Adjust PodSecurity admission enforcement for WMCO (Closed)