Closed ahadas closed 1 year ago
When the namespace has the enforced label and we do set the security context, fsGroup 107 (qemu) and seccomp, it conflicts (after dropping the runAsUser):
pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/populate]: Forbidden: seccomp may not be set,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group,
The whole error:
Failed to create populator pod: pods "populate-c188fda1-6c18-4afd-b4bd-53c86c025d0d" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/populate]: Forbidden: seccomp may not be set, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "kubevirt-controller": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
it will require further investigation.
When migrating to a namespace that is labeled with
pod-security.kubernetes.io/enforce=restricted
, the migration fails because the conversion pod cannot start there with the following error: pods "..." is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "vddk-side-car", "virt-v2v" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "vddk-side-car", "virt-v2v" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "vddk-side-car", "virt-v2v" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "vddk-side-car", "virt-v2v" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I'm going to drop that security label from namespaces that are created by our testing framework and this change would need to be reverted when fixing this issue