
Openshift v4.13 Grafana Operator installation failing to comply Gatekeeper constraints

Open a-thorat opened this issue 1 year ago • 1 comment

Is your feature request related to a problem? Please describe. Have installed Gatekeeper constraints on OpenShift v4.13. Trying to install Grafana Operator v4.10.1, but it fails to comply with the admission policy during installation.

(If applicable) If your feature request solves a bug, please provide a link to the community issue. Tried to look into the issue but can't find it.

Describe the solution you'd like By default the Operator should adhere to the best security admission control policy.

Describe alternatives you've considered It does work with the out-of-the-box SCC in the OpenShift platform.

Additional context Failing policies:

```
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [read-only-root-filesystem] only read-only root filesystem container is allowed: kube-rbac-proxy...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [container-must-have-limits] container has no resource limits...
Warning FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [read-only-root-filesystem] only read-only root filesystem container is allowed: kube-rbac-proxy...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [container-must-have-requests] container has no resource requests...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [allowed-user-ranges] Container kube-rbac-proxy is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 1009000000, "min": 1000000000}], "rule": "MustRunAs"}...
```

Existing solutions We can add the image or namespace to the exemption list and make it work.

a-thorat avatar Jul 25 '23 15:07 a-thorat

@a-thorat, I agree with you. How do you deploy the operator? I have spent lots of energy trying to get the grafana instance itself to follow best practices, but, as you say, we haven't prioritized grafana-operator itself as much.

We would love to get a PR within the area for all our deployments. But we will not follow container-must-have-limits for CPU limits, as discussed here: https://github.com/grafana-operator/grafana-operator/pull/1163

Do you have time to create a PR?

NissesSenap avatar Jul 28 '23 09:07 NissesSenap
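The four denials quoted in the issue, and the maintainer's position that CPU limits will not be added, can be checked before a PR ever reaches Gatekeeper. The following is an added example, not grafana-operator code: a simplified pre-flight check that mirrors the constraint names from the denial messages (the real Gatekeeper templates may be stricter, e.g. `container-must-have-limits` may also require a CPU limit depending on its parameters), run against a constructed approximation of the denied `kube-rbac-proxy` sidecar and a hardened version of it. The runAsGroup range is the one printed in the `allowed-user-ranges` denial; the image tag and resource values are placeholders.

```python
# Added example: simplified re-implementation of the four Gatekeeper constraints
# named in the issue, to check a pod spec locally before applying it.
RUN_AS_GROUP_RANGES = [{"min": 1000000000, "max": 1009000000}]  # from the denial message


def check_container(container, pod_security_context):
    """Return the constraint names this container spec would violate."""
    violations = []
    sc = container.get("securityContext", {})
    if not sc.get("readOnlyRootFilesystem"):
        violations.append("read-only-root-filesystem")
    resources = container.get("resources", {})
    if not resources.get("requests"):
        violations.append("container-must-have-requests")
    if not resources.get("limits"):  # assumption: any limit satisfies it; real policy may need cpu too
        violations.append("container-must-have-limits")
    # Container-level runAsGroup wins; fall back to the pod-level securityContext.
    gid = sc.get("runAsGroup", pod_security_context.get("runAsGroup"))
    if gid is None or not any(r["min"] <= gid <= r["max"] for r in RUN_AS_GROUP_RANGES):
        violations.append("allowed-user-ranges")
    return violations


def check_pod(pod_spec):
    """Map each container name to its list of violations (empty list = admitted)."""
    pod_sc = pod_spec.get("securityContext", {})
    return {c["name"]: check_container(c, pod_sc) for c in pod_spec["containers"]}


# Constructed: roughly what the denied sidecar looks like (no securityContext, no resources).
DENIED = {"containers": [{"name": "kube-rbac-proxy", "image": "kube-rbac-proxy:<tag>"}]}

# Constructed: the same container with the settings each constraint asks for.
# Memory limit only, since the maintainers declined CPU limits in PR #1163.
FIXED = {
    "containers": [{
        "name": "kube-rbac-proxy",
        "image": "kube-rbac-proxy:<tag>",
        "securityContext": {"readOnlyRootFilesystem": True, "runAsGroup": 1000000000,
                            "runAsNonRoot": True, "allowPrivilegeEscalation": False},
        "resources": {"requests": {"cpu": "5m", "memory": "64Mi"},
                      "limits": {"memory": "128Mi"}},
    }]
}

if __name__ == "__main__":
    print(check_pod(DENIED))  # all four constraint names
    print(check_pod(FIXED))   # {'kube-rbac-proxy': []}
```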