Open fjammes opened 1 year ago
Hi, I know it might not be the best solution since it involves updating policies and relaxing them. However, one way to solve it is to configure your namespace to allow installation with the current implementation. If you inspect the namespace where your argocd-catalog pod is running, you'll see the following annotations.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  ...
  labels:
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
  name: olm
```
To work around the error seen before, we need to relax the enforced policy a bit and set it to `baseline`. It should end up as follows:
```yaml
pod-security.kubernetes.io/enforce: baseline
```
That will allow the catalog-source-operator to create the needed pods for the catalog sources.
Again, this is only a workaround, and will only be viable if this complies with your security policies.
Big thanks to @LaloLoop for sharing this awesome hack that's doing the trick. Still, thinking long-term and wanting a sturdy fix, I'm leaning towards getting the ArgoCD installation procedure in sync with OLM's default security level. Would it be possible to find out if there's a go-to person on the ArgoCD team responsible for this development?
I found the very same issue with operator v0.8.0, are you going to address this issue in the future?
Hi @fjammes, thanks for reporting the issue. I will take a look at it.
Looks like this will be addressed by #1493.
Describe the bug
Installing ArgoCD using this documentation https://argocd-operator.readthedocs.io/en/latest/install/olm/ leads to the error below:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
The pod `argocd-catalog-zkdkw` should be created with a restricted PodSecurity in order to be compliant with the `olm` namespace PodSecurity level.
Additional context