quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Ensure the kubernetes / openshift extension work with Microshift. #32391

Open iocanel opened 1 year ago

iocanel commented 1 year ago

Description

It seems that when deploying to microshift there are some additional requirements related to the securityContext. We need to make sure that these can be easily supported, so that we can provide a better out of the box experience for it.

Example:

$ kubectl apply -f my_generated_deployment.yml
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "camel-quarkus-iot-jvm" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "camel-quarkus-iot-jvm" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "camel-quarkus-iot-jvm" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "camel-quarkus-iot-jvm" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/camel-quarkus-iot-jvm created
service/camel-quarkus-iot-jvm created
$ kubectl get events

73m         Warning   FailedCreate              replicaset/camel-quarkus-iot-jvm-6f777b994    Error creating: pods "camel-quarkus-iot-jvm-6f777b994-z25k9" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "camel-quarkus-iot-jvm" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "camel-quarkus-iot-jvm" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "camel-quarkus-iot-jvm" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "camel-quarkus-iot-jvm" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Implementation ideas

No response
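The warning in the issue names exactly four fields that the PodSecurity "restricted" profile demands. The following is an added example (not Quarkus code and not part of the issue) that checks a Deployment manifest for those four requirements and, if any are missing, produces a hardened copy. The manifest is constructed for illustration, the container name mirrors the one in the warning, and the checker deliberately covers only the four items the warning lists, not the whole restricted profile (which also constrains capabilities.add, volume types, host ports and more).

```python
"""Check a Deployment against the four PodSecurity "restricted" requirements quoted in
the issue, and produce a hardened copy. Added example, not Quarkus project code."""
import json

# Constructed sample: the shape of a generated Deployment that carries no securityContext.
NONCOMPLIANT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "camel-quarkus-iot-jvm"},
    "spec": {"template": {"spec": {
        "containers": [
            {"name": "camel-quarkus-iot-jvm",
             "image": "example.invalid/camel-quarkus-iot-jvm:1.0"}  # placeholder image
        ]
    }}},
}


def restricted_violations(deployment):
    """Return the violation messages the admission controller would report for the four
    checks in the issue; an empty list means those checks pass."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []
    # initContainers are subject to the same checks as regular containers.
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c["name"]
        # Container-only fields.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(
                f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append(
                f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        # Fields that may be set at pod or container level; a container value overrides the pod's.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(
                f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(
                f'pod or container "{name}" must set securityContext.seccompProfile.type '
                'to "RuntimeDefault" or "Localhost"')
    return findings


def harden(deployment):
    """Return a deep copy of the Deployment with the minimal settings the four checks require.
    Pod-level fields are set once; container-only fields are set on every container."""
    fixed = json.loads(json.dumps(deployment))  # deep copy without mutating the input
    pod_spec = fixed["spec"]["template"]["spec"]
    pod_sc = pod_spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


if __name__ == "__main__":
    for finding in restricted_violations(NONCOMPLIANT):
        print("violation:", finding)
    print(json.dumps(harden(NONCOMPLIANT)["spec"]["template"]["spec"], indent=2))
```

Running the script prints the four violations for the constructed manifest and then the pod spec with the fields filled in; the hardened copy passes `restricted_violations` cleanly. Whether the image actually runs as a non-root user is not something a manifest check can prove: `runAsNonRoot: true` only makes the kubelet refuse to start a container whose image would run as UID 0, so the image itself still has to be built with a non-root user.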

quarkus-bot[bot] commented 1 year ago

/cc @Sgitario (kubernetes), @geoand (kubernetes,openshift)

jeffmaury commented 1 year ago

We have the same requirement in Podman Desktop so if we can guess the SCC that is applied we should be able to generate the missing data

praveenkumar commented 1 year ago

I think https://connect.redhat.com/en/blog/important-openshift-changes-pod-security-standards explains it a bit more.

geoand commented 8 months ago

Has this been done?

iocanel commented 8 months ago

Has this been done?

No