helm-charts
DRAFT: operators-installer - fix warnings about unset securitycontext configuration
What is this PR About?
fix warning messages about security context information not set in jobs when applying against openshift
Warning 1
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "installplan-approver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "installplan-approver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "installplan-approver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "installplan-approver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning 2
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "installplan-complete-verifier" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "installplan-complete-verifier" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "installplan-complete-verifier" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "installplan-complete-verifier" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
How do we test this?
The built-in tests should ensure no regression.
I manually tested applying against a 4.12 OpenShift cluster and checked that the warning messages went away.
cc: @redhat-cop/day-in-the-life
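As an added illustration (not code from this PR or the helm-charts repo), here are the four `restricted:latest` checks named in the warnings above re-implemented as a small Python function and run over a constructed job pod spec, once without a securityContext and once with a compliant one; the container name and image are placeholders.

```python
# Added example: a minimal re-implementation of the four "restricted:latest"
# checks quoted in the PodSecurity warnings (allowPrivilegeEscalation,
# capabilities.drop, runAsNonRoot, seccompProfile). The real policy has more
# checks; only these four are modelled. Manifests below are constructed.

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return violation messages for a pod spec (subset of restricted:latest)."""
    pod_sc = pod_spec.get("securityContext", {})
    problems = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        # allowPrivilegeEscalation must be explicitly false on every container
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        # capabilities.drop must include ALL on every container
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        # runAsNonRoot may be set at pod or container level; container level wins
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        # seccompProfile.type must be RuntimeDefault or Localhost, pod or container level
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f'pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"')
    return problems

# Constructed "before": a job pod template with no securityContext at all
BEFORE = {"containers": [{"name": "installplan-approver", "image": "example/approver:placeholder"}]}

# Constructed "after": the same pod with pod- and container-level settings that
# satisfy all four checks
AFTER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "installplan-approver",
        "image": "example/approver:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    print("before:", restricted_violations(BEFORE))  # four messages, as in Warning 1
    print("after:", restricted_violations(AFTER))    # []
```

Passing this static check is not the same as the pod starting: runAsNonRoot=true is enforced by the kubelet against the UID the image actually runs as, which is the kind failure discussed in the comments below.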
Force a re-test with no changes, as it seems the last round of tests failed due to random kind cluster timeouts.
There is an actual bug with the tests: kind is running the job pod as root, so it's conflicting with the runAsNonRoot...
This is a bigger rabbit hole than I thought and I already wasted a bunch of time.
Summary of the problem: kind does not have mutating admission controls that set the runAsUser like an OpenShift cluster does, so the container runs as root since that's what the image specifies. But the ssc is saying don't run as root, so jobs fail to run on the kind cluster.
I can set the runAsUser to something other than 0 and it runs fine on kind, but then it won't run on OpenShift without "runasanyid".
Could add in some flag to set the runAsUser when running tests, but that is annoying.
I went down the rabbit hole of trying to put an admission controller on the kind server which would set the uid. StackRox even has one: https://github.com/stackrox/admission-controller-webhook-demo. Buuuuttttt... it hasn't been updated to work with the released spec of admission controller; it's still on beta. Someone has a PR to try and fix that; I tried that PR. That didn't work either.
No good answers here, so the warning on OpenShift will stay for now.