kubev2v / forklift

Apache License 2.0

Conversion pod fails in restricted namespaces #173

Closed ahadas closed 1 year ago

ahadas commented 1 year ago

When migrating to a namespace that is labeled with pod-security.kubernetes.io/enforce=restricted, the migration fails because the conversion pod cannot start there, with the following error:

pods "..." is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "vddk-side-car", "virt-v2v" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "vddk-side-car", "virt-v2v" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "vddk-side-car", "virt-v2v" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "vddk-side-car", "virt-v2v" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I'm going to drop that security label from namespaces that are created by our testing framework; this change would need to be reverted when fixing this issue.

liranr23 commented 1 year ago

When the namespace has the enforced label and we do set the security context, fsGroup 107 (qemu) and seccomp, it conflicts (after dropping the runAsUser):

pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/populate]: Forbidden: seccomp may not be set,

provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group,

The whole error: Failed to create populator pod: pods "populate-c188fda1-6c18-4afd-b4bd-53c86c025d0d" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/populate]: Forbidden: seccomp may not be set, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "kubevirt-controller": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

It will require further investigation.
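The two admission layers quoted in this thread reject the pod for different reasons: the Pod Security "restricted" profile (first comment) wants allowPrivilegeEscalation=false, capabilities.drop=["ALL"], runAsNonRoot=true and a RuntimeDefault/Localhost seccompProfile on every container, while the OpenShift restricted-v2 SCC (second comment) additionally refuses a hard-coded fsGroup outside the namespace's allocated range and any seccomp set through the legacy annotation rather than the securityContext field. The checker below is an added example, not code from the forklift project or from either commenter; it models those rules against a constructed manifest shaped like the rejected pod and against a hardened variant. The namespace range, image references and pod name are constructed sample values, and the hardened manifest drops the fixed fsGroup so that the SCC allocates one, which is only one option and not the project's eventual fix.

```python
# Added example (not forklift project code): model the admission rules quoted
# in this issue. The PSA checks follow the Kubernetes "restricted" profile; the
# two restricted-v2 checks model the SCC rejections from the second comment.
# All manifests, image names and the namespace range are constructed samples.

SECCOMP_CONTAINER_ANNOTATION = "container.seccomp.security.alpha.kubernetes.io/"
SECCOMP_POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability restricted may add


def restricted_violations(pod):
    """Return the PSA restricted:latest violations for a pod manifest (dict)."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        ctx = c.get("securityContext") or {}
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f'container "{name}" must set allowPrivilegeEscalation=false')
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f'container "{name}" must set capabilities.drop=["ALL"]')
        if set(caps.get("add") or []) - RESTRICTED_ALLOWED_ADD:
            violations.append(f'container "{name}" may only add NET_BIND_SERVICE')
        # Container-level fields override pod-level ones, as the API does.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            violations.append(f'container "{name}" must set runAsNonRoot=true')
        profile = ctx.get("seccompProfile", pod_ctx.get("seccompProfile")) or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'container "{name}" must set seccompProfile.type to RuntimeDefault or Localhost')
    return violations


def parse_supplemental_groups(annotation):
    """Parse an openshift.io/sa.scc.supplemental-groups value ("start/size,...")
    into inclusive (low, high) ranges, the format OpenShift documents."""
    ranges = []
    for block in annotation.split(","):
        start, size = block.strip().split("/")
        ranges.append((int(start), int(start) + int(size) - 1))
    return ranges


def restricted_v2_violations(pod, fsgroup_ranges):
    """Model the two restricted-v2 SCC rejections quoted in the issue."""
    violations = []
    fsgroup = (pod.get("spec", {}).get("securityContext") or {}).get("fsGroup")
    if fsgroup is not None and not any(lo <= fsgroup <= hi for lo, hi in fsgroup_ranges):
        violations.append(f".spec.securityContext.fsGroup: {fsgroup} is not an allowed group")
    for key in pod.get("metadata", {}).get("annotations") or {}:
        if key.startswith(SECCOMP_CONTAINER_ANNOTATION) or key == SECCOMP_POD_ANNOTATION:
            violations.append(f"pod.metadata.annotations[{key}]: seccomp may not be set")
    return violations


def _container(name, hardened):
    c = {"name": name, "image": "example.invalid/" + name}  # constructed image ref
    if hardened:
        c["securityContext"] = {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}}
    return c


# Constructed manifest shaped like the rejected pod: no container securityContext,
# fsGroup 107 (qemu) at pod level, seccomp requested via the legacy annotation.
FAILING_POD = {
    "metadata": {"name": "populate-example",
                 "annotations": {SECCOMP_CONTAINER_ANNOTATION + "populate": "runtime/default"}},
    "spec": {"securityContext": {"fsGroup": 107},
             "containers": [_container("vddk-side-car", False), _container("virt-v2v", False)]},
}

# Same pod with what both layers ask for: runAsNonRoot and seccompProfile at pod
# level (inherited by each container), per-container escalation and capability
# settings, and no hard-coded fsGroup so the SCC allocates one from the range.
HARDENED_POD = {
    "metadata": {"name": "populate-example"},
    "spec": {"securityContext": {"runAsNonRoot": True,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [_container("vddk-side-car", True), _container("virt-v2v", True)]},
}

# Constructed namespace annotation value in OpenShift's start/size format.
NAMESPACE_FSGROUP_RANGES = parse_supplemental_groups("1000680000/10000")


if __name__ == "__main__":
    for label, pod in (("failing", FAILING_POD), ("hardened", HARDENED_POD)):
        print(label, "PSA restricted:", restricted_violations(pod) or "ok")
        print(label, "SCC restricted-v2:",
              restricted_v2_violations(pod, NAMESPACE_FSGROUP_RANGES) or "ok")
```

Running it lists eight PSA violations for the failing manifest (four per container, matching the message in the first comment) and the two SCC rejections from the second comment, and none for the hardened one. Note that PSA evaluates the seccompProfile field only; the annotation form is what restricted-v2 refuses, so moving seccomp into securityContext satisfies both layers at once.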