Description of problem:
Registry pod and job back pod don't have "securityContext.runAsNonRoot=true" config which are generated by "run bundle(bundle-upgrade)".

Version-Release number of selected component (if applicable):
operator-sdk version: "v1.20.0-ocp", commit: "deb99d5a456fa32c3153de89d940ee05b603c83b", kubernetes version: "v1.23", go version: "go1.17.4", GOOS: "linux", GOARCH: "amd64"

How reproducible:
always

Steps to Reproduce:
1. operator-sdk run bundle quay.io/xxxx/blacklist-bundle:v4.10
2. oc get pods
   NAME                                                              READY   STATUS      RESTARTS   AGE
   540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd   0/1     Completed   0          34m
   blacklist-controller-manager-76886d597f-zzgh7                     2/2     Running     0          34m
   quay-io-xxxx-blacklist-bundle-v4-10                               1/1     Running     0          34m

Actual results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1
         f:securityContext: {}
         f:terminationGracePeriodSeconds: {}
   --
     securityContext: {}
     serviceAccount: default
2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1
     securityContext: {}
     serviceAccount: default

Expected results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1
         f:securityContext: {}
         f:terminationGracePeriodSeconds: {}
   --
     securityContext:
       runAsNonRoot: true
     serviceAccount: default
2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1
     securityContext:
       runAsNonRoot: true
     serviceAccount: default

Additional info:
Hi Jia, Is `quay.io/xxxx/blacklist-bundle:v4.10` the actual image that you are seeing this behavior with? Let me know. Thanks, Rashmi
Ah, never mind. I'm able to reproduce this issue.
Created PR https://github.com/operator-framework/operator-sdk/pull/5931 to fix this bug.
https://github.com/operator-framework/operator-sdk/pull/5931 is merged upstream, so this should add the SecurityContext config to the registry pod configuration.
operator-sdk version: "v1.22.0-21-ge7c9b74e", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "linux", GOARCH: "amd64"

test result:
/apis/apps/v1/namespaces/test123/deployments/blacklist-controller-manager would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/deployments would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/replicasets would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/batch/v1/namespaces/test123/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

The registry pod meets the security request. Will add a new bug to trace the other pods' security context problem.
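The bug report above shows a pod with an empty securityContext, and the verification comment lists the four checks the "restricted" Pod Security profile applies (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile). The following is an added example, not code from operator-sdk or OLM: a small Go checker that takes the JSON that `oc get pod -o json` would produce, applies those four checks with the same pod-level inheritance rules for runAsNonRoot and seccompProfile, and reports violations worded like the admission warnings quoted in the comment. The struct types, the `CheckRestricted`/`ParsePod` names, the container name "registry-server" and the three sample pod documents are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed-down mirrors of the pod fields the restricted profile inspects.
// Hypothetical local types for this example, not the k8s.io/api types.
// The same SecurityContext type is reused at pod and container level;
// only runAsNonRoot and seccompProfile are meaningful at pod level here.
type SeccompProfile struct {
	Type string `json:"type"`
}

type Capabilities struct {
	Drop []string `json:"drop,omitempty"`
}

type SecurityContext struct {
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

func isTrue(b *bool) bool  { return b != nil && *b }
func isFalse(b *bool) bool { return b != nil && !*b }

func seccompOK(p *SeccompProfile) bool {
	return p != nil && (p.Type == "RuntimeDefault" || p.Type == "Localhost")
}

func dropsAll(c *Capabilities) bool {
	if c == nil {
		return false
	}
	for _, d := range c.Drop {
		if d == "ALL" {
			return true
		}
	}
	return false
}

func quote(names []string) string {
	q := make([]string, len(names))
	for i, n := range names {
		q[i] = fmt.Sprintf("%q", n)
	}
	return strings.Join(q, ", ")
}

// CheckRestricted returns one message per restricted-profile check the pod
// fails. runAsNonRoot and seccompProfile may be satisfied at pod level and
// are inherited by containers that do not override them; the other two
// checks are container-level only. An unset field never passes.
func CheckRestricted(pod Pod) []string {
	podSC := pod.Spec.SecurityContext
	if podSC == nil {
		podSC = &SecurityContext{}
	}
	var escalation, caps, nonRoot, seccomp []string
	for _, c := range pod.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		if !isFalse(sc.AllowPrivilegeEscalation) {
			escalation = append(escalation, c.Name)
		}
		if !dropsAll(sc.Capabilities) {
			caps = append(caps, c.Name)
		}
		nr := sc.RunAsNonRoot
		if nr == nil {
			nr = podSC.RunAsNonRoot // inherit the pod-level value
		}
		if !isTrue(nr) {
			nonRoot = append(nonRoot, c.Name)
		}
		sp := sc.SeccompProfile
		if sp == nil {
			sp = podSC.SeccompProfile // inherit the pod-level value
		}
		if !seccompOK(sp) {
			seccomp = append(seccomp, c.Name)
		}
	}
	var out []string
	if len(escalation) > 0 {
		out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (containers %s must set securityContext.allowPrivilegeEscalation=false)", quote(escalation)))
	}
	if len(caps) > 0 {
		out = append(out, fmt.Sprintf("unrestricted capabilities (containers %s must set securityContext.capabilities.drop=[\"ALL\"])", quote(caps)))
	}
	if len(nonRoot) > 0 {
		out = append(out, fmt.Sprintf("runAsNonRoot != true (pod or containers %s must set securityContext.runAsNonRoot=true)", quote(nonRoot)))
	}
	if len(seccomp) > 0 {
		out = append(out, fmt.Sprintf("seccompProfile (pod or containers %s must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")", quote(seccomp)))
	}
	return out
}

// ParsePod decodes the JSON form of a pod (as from `oc get pod -o json`).
func ParsePod(doc string) (Pod, error) {
	var p Pod
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Constructed sample: the shape seen in the bug, an empty pod-level
// securityContext and nothing at container level (container name assumed).
const weakPod = `{"spec":{"securityContext":{},"containers":[{"name":"registry-server"}]}}`

// Constructed sample: only runAsNonRoot added at pod level, as this bug asked for.
const runAsNonRootOnlyPod = `{"spec":{"securityContext":{"runAsNonRoot":true},"containers":[{"name":"registry-server"}]}}`

// Constructed sample: the pod hardened to satisfy all four restricted checks.
const hardenedPod = `{"spec":{"securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
"containers":[{"name":"registry-server","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}`

func main() {
	for _, doc := range []string{weakPod, runAsNonRootOnlyPod, hardenedPod} {
		pod, err := ParsePod(doc)
		if err != nil {
			panic(err)
		}
		v := CheckRestricted(pod)
		fmt.Printf("%d violation(s)\n", len(v))
		for _, m := range v {
			fmt.Println("  -", m)
		}
	}
}
```

Running it prints four violations for the empty-securityContext pod, three for the pod that only sets runAsNonRoot (which is why the verification comment still reports seccompProfile, allowPrivilegeEscalation and capabilities failures for the OLM-generated job pods), and none for the hardened pod.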
The epic created to track this delivery in 4.12: https://issues.redhat.com/browse/OLM-2600
Thanks for confirming. As I've mentioned in offline chat, the registry pod created by SDK during `run bundle` meets the security requirements, and the other pods generated by OLM need to meet the security requirements.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399