openshift / gatekeeper

Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent
Apache License 2.0

Openshift v4.13 Grafana Operator installation failing to comply Gatekeeper constraints #8

Closed a-thorat closed 9 months ago

a-thorat commented 1 year ago

Is your feature request related to a problem? Please describe.
Have installed Gatekeeper constraints on OpenShift v4.13. Trying to install Grafana Operator v4.10.1, but failing to comply with the admission policy during installation.

(If applicable) If your feature request solves a bug please provide a link to the community issue
Tried to look into the issue but can't find one.

Describe the solution you'd like
By default, the Operator should adhere to the best security admission control policy.

Describe alternatives you've considered
It does work with the out-of-the-box SCC in the OpenShift platform.

Additional context
Failing policies:

```
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [read-only-root-filesystem] only read-only root filesystem container is allowed: kube-rbac-proxy...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [container-must-have-limits] container has no resource limits...
Warning FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [read-only-root-filesystem] only read-only root filesystem container is allowed: kube-rbac-proxy...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [container-must-have-requests] container has no resource requests...
FailedCreate replicaset/grafana-operator-controller-manager-7bc44bcd94 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [allowed-user-ranges] Container kube-rbac-proxy is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 1009000000, "min": 1000000000}], "rule": "MustRunAs"}...
```

```
➜ ~ oc get constraints -o custom-columns="Name:.metadata.name"
Name
capabilities
volume-types
privileged-containers
allow-privilege-escalation-container
allowed-user-ranges
trusted-repos
assetuuid
container-must-have-limits
host-network-ports
host-filesystem
psp-automount-serviceaccount-token-pod
container-must-have-requests
read-only-root-filesystem
allow-default-namespace-workloads
psp-seccomp
host-namespaces
sysctls-forbidden
```

Following this page to create constraints

Existing solutions
We can add the image or namespace to the exemption list and make it work.
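As an added example, not code from the openshift/gatekeeper project or from the reporter: a Python mirror of the four constraint denials quoted in the report, run over a constructed stand-in for the kube-rbac-proxy container beside a spec that satisfies all of them. The sample specs, the function names and the pod-level runAsGroup fallback are assumptions; the real checks are Rego in Gatekeeper ConstraintTemplates.

```python
# Added illustration, not Gatekeeper code: a Python mirror of the four denials
# quoted in the issue, run over a constructed pod spec. Gatekeeper evaluates Rego
# from ConstraintTemplates; this only shows which fields the container lacks.
# The sample specs and the pod-level runAsGroup fallback are assumptions.

# Allowed runAsGroup range copied from the denial message on the page.
RUN_AS_GROUP_RANGES = [{"min": 1000000000, "max": 1009000000}]


def check_container(container, pod_security_context=None):
    """Return the violation messages Gatekeeper would raise for one container."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    resources = container.get("resources") or {}
    violations = []
    if sc.get("readOnlyRootFilesystem") is not True:
        violations.append(f"[read-only-root-filesystem] only read-only root filesystem container is allowed: {name}")
    if not resources.get("limits"):
        violations.append(f"[container-must-have-limits] container has no resource limits: {name}")
    if not resources.get("requests"):
        violations.append(f"[container-must-have-requests] container has no resource requests: {name}")
    # MustRunAs: group must be set explicitly (container, then pod level) and lie in an allowed range.
    gid = sc.get("runAsGroup", (pod_security_context or {}).get("runAsGroup"))
    if gid is None:
        violations.append(f"[allowed-user-ranges] Container {name} is attempting to run "
                          "without a required securityContext/runAsGroup")
    elif not any(r["min"] <= gid <= r["max"] for r in RUN_AS_GROUP_RANGES):
        violations.append(f"[allowed-user-ranges] Container {name} runs as disallowed group {gid}")
    return violations


def check_pod_spec(pod_spec):
    """Collect violations for every container in a pod spec."""
    pod_sc = pod_spec.get("securityContext") or {}
    return [v for c in pod_spec.get("containers", []) for v in check_container(c, pod_sc)]


# Constructed stand-in for the operator's kube-rbac-proxy container: no
# securityContext and no resources, which is what the denials imply.
DENIED_POD = {"containers": [{"name": "kube-rbac-proxy"}]}

# The same container with every field the constraints above ask for.
COMPLIANT_POD = {
    "securityContext": {"runAsGroup": 1000000000},
    "containers": [{
        "name": "kube-rbac-proxy",
        "securityContext": {"readOnlyRootFilesystem": True},
        "resources": {"limits": {"cpu": "100m", "memory": "64Mi"},
                      "requests": {"cpu": "50m", "memory": "32Mi"}},
    }],
}
```

Running `check_pod_spec(DENIED_POD)` reproduces all four denials from the report, while `COMPLIANT_POD` passes; the exemption-list route from the report suppresses the same checks for a whole namespace or image instead.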

openshift-bot commented 11 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 10 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 9 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 9 months ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/gatekeeper/issues/8#issuecomment-1868392405):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.