Description of problem:

/apis/batch/v1/namespaces/jian/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Version-Release number of selected component (if applicable):

mac:~ jianzhang$ oc exec catalog-operator-66cb8fd8c5-j7vkx -- olm --version
OLM version: 0.19.0
git commit: 8c2bd46147a90d58e98de73d34fd79477769f11f

mac:namespaces jianzhang$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-06-25-081133   True        False         10h     Cluster version is 4.11.0-0.nightly-2022-06-25-081133

How reproducible:

always

Steps to Reproduce:

1. Create a CatalogSource in a project called 'jian'.

mac:~ jianzhang$ cat cs-qe.yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: qe-app-registry
  namespace: jian
spec:
  displayName: Production Operators
  image: quay.io/openshift-qe-optional-operators/ocp4-index:latest
  publisher: OpenShift QE
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 15m
mac:~ jianzhang$ oc create -f cs-qe.yaml
catalogsource.operators.coreos.com/qe-app-registry created

2. Subscribe to an operator from it.

mac:~ jianzhang$ cat sub-learn.yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: learn
  namespace: jian
spec:
  channel: beta
  installPlanApproval: Automatic
  name: learn
  source: qe-app-registry
  sourceNamespace: jian
  startingCSV: learn-operator.v0.0.3
mac:~ jianzhang$ oc create -f sub-learn.yaml
subscription.operators.coreos.com/learn created
mac:~ jianzhang$ oc get pods -n jian
NAME                                                              READY   STATUS      RESTARTS   AGE
552b4660850a7fe1e1f142091eb5e4305f18af151727c56f70aa5dffc1dg8cg   0/1     Completed   0          71s
learn-operator-666b687bfb-7qppm                                   1/1     Running     0          50s
qe-app-registry-hbzxg                                             1/1     Running     0          4m23s

3. Run the following security-check script; it reports the violation shown below:

mac:namespaces jianzhang$ cat ~/security_test.sh
# All workload creation is audited on the masters with the annotation below.
# The command below lists every workload that would violate PodSecurity.
cat > cmd.txt << EOF
grep -hir 'would violate PodSecurity' /var/log/kube-apiserver/ | jq -r '.requestURI + " " + .annotations."pod-security.kubernetes.io/audit-violations"'
EOF
CMD="`cat cmd.txt`"
oc new-project jian-test
# With admin, run the command above on all masters:
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
for i in $MASTERS
do
  oc debug -n jian-test no/$i -- chroot /host bash -c "$CMD || true"
done > all-violations.txt
cat all-violations.txt | grep -E 'namespaces/(openshift-marketplace|jian)' | sort | uniq > all-violations_system_components.txt
cat all-violations_system_components.txt

/apis/batch/v1/namespaces/jian/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Actual results:

The registry Pod (not in the openshift-marketplace project) created by the CatalogSource does not have configurable `securitycontextconstraints`.

Expected results:

The registry Pod (not in the openshift-marketplace project) created by the CatalogSource should have configurable `securitycontextconstraints`.

Additional info:
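As an added example (not code from this bug report or from OLM), the script below applies the four "restricted" checks named in the audit message to a PodSpec and reproduces the violation text for a constructed stand-in of the job's "util", "pull" and "extract" containers, then shows the violations clear once the securityContext fields the message asks for are set. The pod template and image names are constructed for illustration, not OLM's real unpack job.

```python
# Added example, not code from the bug report or from OLM: applies the four
# "restricted" PodSecurity checks named in the audit violation above to a PodSpec
# (a dict in Kubernetes API form) and returns the violation messages.

def _quote(names):
    return ", ".join(f'"{n}"' for n in names)

def restricted_violations(pod_spec):
    """Return the restricted-profile violations for a PodSpec, in audit-message form."""
    pod_sc = pod_spec.get("securityContext") or {}
    ape, caps, nonroot, seccomp = [], [], [], []
    # The policy evaluates init containers exactly like regular containers.
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            ape.append(c["name"])
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            caps.append(c["name"])
        # runAsNonRoot and seccompProfile may be set at pod level; a container-level
        # value, when present, overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            nonroot.append(c["name"])
        profile = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            seccomp.append(c["name"])
    out = []
    if ape:
        out.append(f'allowPrivilegeEscalation != false (containers {_quote(ape)} '
                   'must set securityContext.allowPrivilegeEscalation=false)')
    if caps:
        out.append(f'unrestricted capabilities (containers {_quote(caps)} '
                   'must set securityContext.capabilities.drop=["ALL"])')
    if nonroot:
        out.append(f'runAsNonRoot != true (pod or containers {_quote(nonroot)} '
                   'must set securityContext.runAsNonRoot=true)')
    if seccomp:
        out.append(f'seccompProfile (pod or containers {_quote(seccomp)} must set '
                   'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out

# Container-level settings that satisfy all four checks.
RESTRICTED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
                 "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}

def unpack_job_pod_spec(hardened):
    """Constructed stand-in for the job's pod template (image names are placeholders)."""
    sc = RESTRICTED_SC if hardened else {}
    return {"containers": [{"name": n, "image": "PLACEHOLDER-IMAGE", "securityContext": dict(sc)}
                           for n in ("util", "pull", "extract")]}
```

Calling restricted_violations(unpack_job_pod_spec(hardened=False)) yields the four messages from the audit log in order; with hardened=True it returns an empty list.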
Closing this in favor of the epic created to track this delivery in 4.12: https://issues.redhat.com/browse/OLM-2600