Bug 2091864
| Summary: | Registry Pod don't have "securityContext.runAsNonRoot=true" config that generated by run bundle | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Fan Jia <jfan> |
| Component: | Operator SDK | Assignee: | Rashmi Gottipati <rgottipa> |
| Status: | CLOSED ERRATA | QA Contact: | Fan Jia <jfan> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.11 | CC: | cchantse, dageoffr, stevsmit |
| Target Milestone: | --- | ||
| Target Release: | 4.12.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | With this update, you can now set the security context for the registry pod by including the `securityContext` configuration field in the pod specification. This will apply the security context for all containers in the pod. The `securityContext` field also defines the pod's privileges. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2091864[*BZ#2091864*]) | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-17 19:49:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi Jia, Is `quay.io/xxxx/blacklist-bundle:v4.10` the actual image that you are seeing this behavior with? Let me know. Thanks, Rashmi

Ah, never mind. I'm able to reproduce this issue. Created PR https://github.com/operator-framework/operator-sdk/pull/5931 to fix this bug.

https://github.com/operator-framework/operator-sdk/pull/5931 is merged upstream, so this should add the SecurityContext config to the registry pod configuration.

operator-sdk version: "v1.22.0-21-ge7c9b74e", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "linux", GOARCH: "amd64"

test result:

```
/apis/apps/v1/namespaces/test123/deployments/blacklist-controller-manager would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/deployments would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/replicasets would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/batch/v1/namespaces/test123/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

The registry pod meets the security request. Will add a new bug to trace the other pods' security context problem.

The epic created to track this delivery in 4.12: https://issues.redhat.com/browse/OLM-2600

Thanks for confirming. As I've mentioned in offline chat, the registry pod created by SDK during `run bundle` meets the security requirements and the other pods generated by OLM need to meet the security requirements.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399
Description of problem: Registry pod and job back pod don't have "securityContext.runAsNonRoot=true" config which are generated by "run bundle(bundle-upgrade)".

Version-Release number of selected component (if applicable):
operator-sdk version: "v1.20.0-ocp", commit: "deb99d5a456fa32c3153de89d940ee05b603c83b", kubernetes version: "v1.23", go version: "go1.17.4", GOOS: "linux", GOARCH: "amd64"

How reproducible: always

Steps to Reproduce:
1. operator-sdk run bundle quay.io/xxxx/blacklist-bundle:v4.10
2. oc get pods

```
NAME                                                              READY   STATUS      RESTARTS   AGE
540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd   0/1     Completed   0          34m
blacklist-controller-manager-76886d597f-zzgh7                     2/2     Running     0          34m
quay-io-xxxx-blacklist-bundle-v4-10                               1/1     Running     0          34m
```

Actual results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1

```
        f:securityContext: {}
        f:terminationGracePeriodSeconds: {}
--
  securityContext: {}
  serviceAccount: default
```

2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1

```
  securityContext: {}
  serviceAccount: default
```

Expected results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1

```
        f:securityContext: {}
        f:terminationGracePeriodSeconds: {}
--
  securityContext:
    runAsNonRoot: true
  serviceAccount: default
```

2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1

```
  securityContext:
    runAsNonRoot: true
  serviceAccount: default
```

Additional info:
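The PodSecurity messages quoted in the verification comment and the `securityContext: {}` versus `runAsNonRoot: true` output in the description together list exactly which fields the `restricted:v1.24` profile wants on every container. The checker below is an added example, not operator-sdk, OLM or Kubernetes admission code: it takes a Pod object in the shape `oc get pod -o json` returns and reports, per container, the four restricted-profile fields this bug turns on (runAsNonRoot, allowPrivilegeEscalation, capabilities.drop, seccompProfile.type), honouring pod-level inheritance for the two fields that allow it. The sample pods are constructed approximations of the registry pod before and after the fix and of the unpack job pod; the container name `registry` and the exact container layout are assumptions.

```python
"""Check a Pod object (JSON as returned by `oc get pod -o json`) against the
PodSecurity "restricted" fields named in BZ#2091864. Added example, not
operator-sdk, OLM or PodSecurity admission code; sample pods are constructed."""
import json


def _ctx(obj, key):
    """Read one securityContext field; a missing or empty ({}) context reads as unset."""
    return (obj.get("securityContext") or {}).get(key)


def restricted_violations(pod):
    """Return one message per violated field per container (empty list = clean).

    runAsNonRoot and seccompProfile may be set on the pod and are inherited by
    containers that do not override them; allowPrivilegeEscalation and
    capabilities.drop are container-only, matching the quoted admission messages.
    """
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    pod_nonroot = _ctx(spec, "runAsNonRoot")
    pod_seccomp = (_ctx(spec, "seccompProfile") or {}).get("type")
    out = []
    for c in containers:
        name = c["name"]
        nonroot = _ctx(c, "runAsNonRoot")
        if nonroot is None:            # not set on the container: fall back to pod
            nonroot = pod_nonroot
        if nonroot is not True:
            out.append(f"{name}: runAsNonRoot != true")
        if _ctx(c, "allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation != false")
        drop = (_ctx(c, "capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            out.append(f'{name}: capabilities.drop must include "ALL"')
        seccomp = (_ctx(c, "seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f'{name}: seccompProfile.type must be "RuntimeDefault" or "Localhost"')
    return out


def check_pod_json(text):
    """Convenience wrapper for piping `oc get pod <name> -o json` into this script."""
    return restricted_violations(json.loads(text))


# Constructed sample: registry pod as the report shows it (securityContext: {}).
# Container name "registry" is an assumption; the image tag comes from the report.
REGISTRY_POD_BEFORE = {
    "metadata": {"name": "quay-io-xxxx-blacklist-bundle-v4-10"},
    "spec": {
        "securityContext": {},
        "containers": [{"name": "registry", "image": "quay.io/xxxx/blacklist-bundle:v4.10"}],
    },
}

# Constructed sample: the same pod with every restricted-profile field set.
REGISTRY_POD_AFTER = {
    "metadata": {"name": "quay-io-xxxx-blacklist-bundle-v4-10"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "registry",
            "image": "quay.io/xxxx/blacklist-bundle:v4.10",
            "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

# Constructed sample: the unpack job pod with the three container names from the
# admission message and no securityContext anywhere (layout assumed).
UNPACK_JOB_POD = {
    "metadata": {"name": "540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd"},
    "spec": {"containers": [{"name": n} for n in ("util", "pull", "extract")]},
}


def main():
    for pod in (REGISTRY_POD_BEFORE, REGISTRY_POD_AFTER, UNPACK_JOB_POD):
        problems = restricted_violations(pod)
        status = "OK" if not problems else f"{len(problems)} violation(s)"
        print(f"{pod['metadata']['name']}: {status}")
        for p in problems:
            print(f"  - {p}")


if __name__ == "__main__":
    main()
```

Run stand-alone it prints four violations for the registry pod before the fix, none after, and twelve for the job pod (four per container), which is the same split the `restricted:v1.24` messages above report. Because a container-level `runAsNonRoot: false` overrides a pod-level `true`, the checker flags that case too.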