
Automatic LDAP Group sync: Warning: would violate PodSecurity "restricted:v1.24"

Open gerg91 opened this issue 2 years ago • 2 comments

Which section(s) is the issue in?

Automatically syncing LDAP groups: https://docs.okd.io/4.9/authentication/ldap-syncing.html#ldap-auto-syncing_ldap-syncing-groups

What needs fixing?

Just upgraded cluster to v4.11 and get the following message when following the instructions for setting up an ldap-sync CronJob. The instructions worked with v4.10. Error is logged when the pod starts.

Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "ldap-group-sync" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ldap-group-sync" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ldap-group-sync" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "ldap-group-sync" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I'm going to work through the suggestions in the error, but wanted to bring attention to the issue.

gerg91 avatar Aug 01 '22 17:08 gerg91

@stlaz Any thoughts on this?

bergerhoffer avatar Aug 01 '22 17:08 bergerhoffer

@stlaz, will you PTAL?

kalexand-rh avatar Aug 17 '22 12:08 kalexand-rh

That's fine, the CronJob still gets created.

You're seeing this message because the pod in the CronJob template does not match the namespace's PodSecurity level, but the SCC admission will fix this for you when the pod for the CronJob gets launched.

stlaz avatar Sep 26 '22 07:09 stlaz
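For anyone who wants the warning gone rather than relying on the SCC mutation stlaz describes, this is an added example (not from the docs page or from the issue) of a CronJob pod template that sets every field the "restricted:v1.24" warning above names explicitly. The namespace, schedule, service account, image and command are placeholders; the sync config and secret volumes from the docs are omitted for brevity.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ldap-group-syncer
  namespace: ldap-sync                      # placeholder namespace (assumption)
spec:
  schedule: "*/30 * * * *"                  # placeholder schedule (assumption)
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ldap-group-syncer   # placeholder (assumption)
          restartPolicy: Never
          # Pod-level fields checked by the restricted profile:
          # "runAsNonRoot != true" and "seccompProfile" in the warning
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: ldap-group-sync
              image: IMAGE_PLACEHOLDER          # the sync image from the docs goes here
              command: ["COMMAND_PLACEHOLDER"]  # the oc adm group sync invocation from the docs
              # Container-level fields named in the warning:
              # "allowPrivilegeEscalation != false" and "unrestricted capabilities"
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```

With these fields present the pod template already satisfies the namespace's restricted level, so the admission warning is not emitted and the manifest no longer depends on the SCC rewriting it at launch. Setting runAsNonRoot: true requires that the container actually runs as a non-root UID; on OpenShift the restricted SCC assigns one from the namespace's range, so no explicit runAsUser is needed.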