
OpenShift PodSecurity is restricted #67

Open
c3d opened this issue Aug 26, 2022 · 5 comments

Comments

@c3d
Member
c3d commented Aug 26, 2022

Describe the bug
The recently introduced PodSecurity restrictions prevent the install instructions from working on recent builds of OpenShift.

To Reproduce
Steps to reproduce the behavior:

  1. Create an OpenShift cluster with a version that has the new PodSecurity policy in place (I see this with Server Version: 4.11.0-0.nightly-2022-06-23-044003 and Kubernetes Version: v1.24.0+284d62a)
  2. Run the command: oc apply -f https://raw.githubusercontent.com/confidential-containers/operator/main/deploy/deploy.yaml
  3. Check output for warnings

Describe the results you expected
As indicated in the documentation, this should deploy the operator successfully

Describe the results you received:
There is a warning message:

W0826 09:23:44.489489 3713080 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-rbac-proxy", "manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

The steps after that in the install documentation do not work:

% oc apply   -f https://raw.githubusercontent.com/confidential-containers/operator/main/config/samples/ccruntime.yaml
ccruntime.confidentialcontainers.org/ccruntime-sample created
% oc get pods
NAME                                             READY   STATUS    RESTARTS   AGE
cc-operator-controller-manager-dc4846d94-2g9sf   2/2     Running   0          10m
# oc get runtimeclass
No resources found

Note the lack of any daemon-install in the above, and the resulting lack of a RuntimeClass

Additional context

Nothing really obvious in the logs indicating that the operator is even aware there was a problem:
manager.log

@bpradipt
Member

@c3d can you add the following labels to the namespace and retry

openshift.io/cluster-monitoring=true
pod-security.kubernetes.io/enforce=privileged
pod-security.kubernetes.io/audit=privileged
pod-security.kubernetes.io/warn=privileged
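The warning in the original report names three controls of the `restricted:v1.24` Pod Security Standard, and the labels suggested above switch the namespace to the `privileged` level, which turns enforcement off for every pod in it rather than fixing the manifest. The following is an added example, not code from this thread or from the confidential-containers operator: it checks a pod spec (a parsed Kubernetes manifest as a plain dict) against exactly those three controls and produces a minimally hardened copy. The sample spec is constructed to reproduce the shape of the warning (a `kube-rbac-proxy` sidecar next to a `manager` container) and is not the operator's real deployment; the full restricted profile has further controls (for example `runAsNonRoot`) that this checker does not implement.

```python
import copy
from typing import Any, Dict, List

# Seccomp profile types accepted by the "restricted" Pod Security Standard.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each failed control to the names of the containers that fail it.

    Implements only the three controls named in the PodSecurity warning:
      - securityContext.allowPrivilegeEscalation must be exactly false
      - securityContext.capabilities.drop must contain "ALL" (only
        NET_BIND_SERVICE may be added back)
      - securityContext.seccompProfile.type must be RuntimeDefault or
        Localhost, set at pod level or on every container
    An empty dict means the spec passes these three checks.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    containers = list(pod_spec.get("containers") or []) + list(pod_spec.get("initContainers") or [])

    failed: Dict[str, List[str]] = {}

    def flag(control: str, name: str) -> None:
        failed.setdefault(control, []).append(name)

    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        # Unset counts as a violation: the field must be present and false.
        if sc.get("allowPrivilegeEscalation") is not False:
            flag("allowPrivilegeEscalation", name)
        caps = sc.get("capabilities") or {}
        drop = caps.get("drop") or []
        add = caps.get("add") or []
        if "ALL" not in drop or any(a != "NET_BIND_SERVICE" for a in add):
            flag("capabilities", name)
        # A container-level seccompProfile overrides the pod-level one,
        # so "Unconfined" on a container fails even if the pod is RuntimeDefault.
        container_seccomp = (sc.get("seccompProfile") or {}).get("type")
        effective = container_seccomp if container_seccomp is not None else pod_seccomp
        if effective not in ALLOWED_SECCOMP:
            flag("seccompProfile", name)
    return failed


def harden(pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of pod_spec with the minimal settings that satisfy
    the three controls above. Existing capability adds and container-level
    seccomp overrides are left alone; re-run restricted_violations() on the
    result to see whether any of those are still rejected."""
    spec = copy.deepcopy(pod_spec)
    if not spec.get("securityContext"):
        spec["securityContext"] = {}
    spec["securityContext"]["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in list(spec.get("containers") or []) + list(spec.get("initContainers") or []):
        if not c.get("securityContext"):
            c["securityContext"] = {}
        sc = c["securityContext"]
        sc["allowPrivilegeEscalation"] = False
        caps = sc.get("capabilities") or {}
        drop = list(caps.get("drop") or [])
        if "ALL" not in drop:
            drop.append("ALL")
        caps["drop"] = drop
        sc["capabilities"] = caps
    return spec


# Constructed sample (hypothetical, not the operator's manifest): a pod with a
# kube-rbac-proxy sidecar and a manager container, where only the manager
# already sets allowPrivilegeEscalation=false, as the warning on this page implies.
CONSTRUCTED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "kube-rbac-proxy", "image": "example.invalid/kube-rbac-proxy:constructed"},
        {
            "name": "manager",
            "image": "example.invalid/manager:constructed",
            "securityContext": {"allowPrivilegeEscalation": False},
        },
    ],
}


if __name__ == "__main__":
    print("before:", restricted_violations(CONSTRUCTED_POD_SPEC))
    print("after: ", restricted_violations(harden(CONSTRICTED_POD_SPEC if False else CONSTRUCTED_POD_SPEC)))
```

Against the constructed spec the checker reports the same three findings as the cluster warning (privilege escalation on `kube-rbac-proxy`, capabilities and seccomp on both containers), and the hardened copy reports none; the hardened copy is what a fixed `deploy.yaml` would need to carry so the operator can run in a namespace left at `restricted` instead of being relabelled `privileged`.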

@c3d
Member Author
c3d commented Aug 26, 2022

@bpradipt As discussed on Slack, this does not really help. Furthermore, as you pointed out, since there is no support for CRI-O, this is a dead end. Leaving this issue open for now, since we'll need to revisit at some point, but it's still too early.

@ariel-adam
Member

@c3d is this issue still relevant or can be closed?
If it's still relevant to what release do you think we should map it to (mid-November, end-December, mid-February etc...)?

@c3d
Member Author
c3d commented Oct 11, 2022

@ariel-adam It's a bit too early to attack this kind of problem, but at some point we will need to tackle it. Either we close it now, but figure out a way to remember that we need to address it, or we keep it open and it stays in our way for a long time. Which one do you prefer?

@ariel-adam
Member

I think in this case we map it to the CoCo releases project without a specific drop so it will be part of our backlog.
If we see that it's in the backlog for a long time (a year, for example) that would be a good signal to close it :-)

Labels
None yet
Projects
Status: No status
Development

No branches or pull requests

3 participants