redhat-openshift-ecosystem / openshift-preflight

Operator and container preflight certification tests
Apache License 2.0

Update `CatalogSource` Logic to Support OCP 4.16 `PodSecurity` #1169

Closed acornett21 closed 4 weeks ago

acornett21 commented 1 month ago

Is your feature request related to a problem? Please describe.

In OCP 4.16 PodSecurity is restricted, so preflight fails to create a CatalogSource successfully.

Describe the solution you'd like.

preflight should take into consideration the version of OCP under test when creating the CatalogSource; if the version is OCP 4.16 or greater, the below can be added to the CatalogSource struct that is created in the code here.

Code Snippet:

```go
GrpcPodConfig: &operatorsv1alpha1.GrpcPodConfig{
	SecurityContextConfig: operatorsv1alpha1.Restricted,
},
```

Describe alternatives you've considered.

Optionally we might want to change how we create the namespace to change the labels for pod security, though I'm not sure of the ease of that. But this might be better in case an operator author has an incorrect config in their CSV. Alternatively, we might want to catch this in preflight, before it ends up in a real catalog and affects users/customers.

We had a POC of this approach a while back that is linked here.

Additional context.

Both options seem possible, but I'm leaning towards updating the CatalogSource; it's totally open for discussion.

Error Observed on an OCP 4.16 cluster

```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  creationTimestamp: "2024-05-23T19:42:51Z"
  generation: 1
  name: simple-demo-operator
  namespace: simple-demo-operator
  resourceVersion: "35590"
  uid: 24f962cf-16bb-4c0d-b019-0e801e5d839d
spec:
  displayName: simple-demo-operator
  icon:
    base64data: ""
    mediatype: ""
  image: quay.io/opdev/simple-demo-operator-catalog:latest
  secrets:
  - registry-auth-keys
  sourceType: grpc
status:
  message: 'couldn''t ensure registry server - error ensuring pod: : error creating
    new pod: simple-demo-operator-: pods "simple-demo-operator-fdr6g" is forbidden:
    violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container
    "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted
    capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]),
    runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true),
    seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type
    to "RuntimeDefault" or "Localhost")'
  reason: RegistryServerError
```

With the above code added:

```json
{
  "apiVersion": "operators.coreos.com/v1alpha1",
  "kind": "CatalogSource",
  "metadata": {
    "creationTimestamp": "2024-05-23T20:24:38Z",
    "generation": 1,
    "managedFields": [
      {
        "apiVersion": "operators.coreos.com/v1alpha1",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:spec": {
            ".": {},
            "f:displayName": {},
            "f:grpcPodConfig": {
              ".": {},
              "f:securityContextConfig": {}
            },
            "f:icon": {
              ".": {},
              "f:base64data": {},
              "f:mediatype": {}
            },
            "f:image": {},
            "f:secrets": {},
            "f:sourceType": {}
          }
        },
        "manager": "___8preflight_check_operator_simple_demo_operator",
        "operation": "Update",
        "time": "2024-05-23T20:24:38Z"
      },
      {
        "apiVersion": "operators.coreos.com/v1alpha1",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:status": {
            ".": {},
            "f:connectionState": {
              ".": {},
              "f:address": {},
              "f:lastConnect": {},
              "f:lastObservedState": {}
            },
            "f:registryService": {
              ".": {},
              "f:createdAt": {},
              "f:port": {},
              "f:protocol": {},
              "f:serviceName": {},
              "f:serviceNamespace": {}
            }
          }
        },
        "manager": "catalog",
        "operation": "Update",
        "subresource": "status",
        "time": "2024-05-23T20:25:00Z"
      }
    ],
    "name": "simple-demo-operator",
    "namespace": "simple-demo-operator",
    "resourceVersion": "47321",
    "uid": "3af03040-3eb0-4372-8983-4bc6a0690b8e"
  },
  "spec": {
    "displayName": "simple-demo-operator",
    "grpcPodConfig": {
      "securityContextConfig": "restricted"
    },
    "icon": {
      "base64data": "",
      "mediatype": ""
    },
    "image": "quay.io/opdev/simple-demo-operator-catalog:v0.0.7",
    "secrets": [
      "registry-auth-keys"
    ],
    "sourceType": "grpc"
  },
  "status": {
    "connectionState": {
      "address": "simple-demo-operator.simple-demo-operator.svc:50051",
      "lastConnect": "2024-05-23T20:25:00Z",
      "lastObservedState": "READY"
    },
    "registryService": {
      "createdAt": "2024-05-23T20:24:38Z",
      "port": "50051",
      "protocol": "grpc",
      "serviceName": "simple-demo-operator",
      "serviceNamespace": "simple-demo-operator"
    }
  }
}
```

We also need to update simple-demo-operator to support OCP 4.16 and cut a new release of that change as well. This is needed to support E2E testing within our CI process.
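The version-gated CatalogSource construction proposed in this issue, written out as an added example (not preflight's own code, and not from the linked POC). It assumes a minimal local stand-in for the OLM `GrpcPodConfig`/`CatalogSourceSpec` types so it builds offline; the field name `SecurityContextConfig` and the `Restricted` constant match the `operatorsv1alpha1` snippet above, but the `parseOCPVersion`, `needsRestrictedPodConfig` and `buildCatalogSourceSpec` helpers and the 4.16 cutoff wiring are this example's own. The version parser fails closed on anything it cannot read, so an unparseable cluster version surfaces as an error rather than silently producing a legacy pod spec that restricted PodSecurity would reject.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Stand-ins for the OLM API types (github.com/operator-framework/api,
// package operators/v1alpha1). Only the fields this example needs are kept;
// names and JSON tags mirror the real ones so the rendered spec looks like
// the one the issue shows. These are assumptions for offline use.
type SecurityConfig string

const (
	Legacy     SecurityConfig = "legacy"
	Restricted SecurityConfig = "restricted"
)

type GrpcPodConfig struct {
	SecurityContextConfig SecurityConfig `json:"securityContextConfig,omitempty"`
}

type CatalogSourceSpec struct {
	DisplayName   string         `json:"displayName"`
	Image         string         `json:"image"`
	SourceType    string         `json:"sourceType"`
	Secrets       []string       `json:"secrets,omitempty"`
	GrpcPodConfig *GrpcPodConfig `json:"grpcPodConfig,omitempty"`
}

// leadingInt parses the digits at the start of s ("16-rc.1" -> 16).
func leadingInt(s string) (int, error) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no leading integer in %q", s)
	}
	return strconv.Atoi(s[:i])
}

// parseOCPVersion extracts major and minor from strings such as "4.16",
// "4.16.3", "v4.17.1" or "4.16.0-rc.1". Anything else is an error so the
// caller fails closed instead of guessing at the PodSecurity level.
func parseOCPVersion(v string) (major, minor int, err error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable OCP version %q", v)
	}
	if major, err = leadingInt(parts[0]); err != nil {
		return 0, 0, fmt.Errorf("bad major in %q: %w", v, err)
	}
	if minor, err = leadingInt(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("bad minor in %q: %w", v, err)
	}
	return major, minor, nil
}

// needsRestrictedPodConfig reports whether the cluster under test enforces
// restricted PodSecurity on the catalog namespace, which per the issue is
// the case from OCP 4.16 onward.
func needsRestrictedPodConfig(ocpVersion string) (bool, error) {
	major, minor, err := parseOCPVersion(ocpVersion)
	if err != nil {
		return false, err
	}
	return major > 4 || (major == 4 && minor >= 16), nil
}

// buildCatalogSourceSpec builds the same spec preflight creates today and,
// on 4.16+, adds GrpcPodConfig with SecurityContextConfig=restricted so OLM
// renders the registry-server pod with the securityContext the admission
// error above demands (no privilege escalation, drop ALL, runAsNonRoot,
// RuntimeDefault seccomp).
func buildCatalogSourceSpec(name, image, ocpVersion string, secrets []string) (CatalogSourceSpec, error) {
	restricted, err := needsRestrictedPodConfig(ocpVersion)
	if err != nil {
		return CatalogSourceSpec{}, err
	}
	spec := CatalogSourceSpec{DisplayName: name, Image: image, SourceType: "grpc", Secrets: secrets}
	if restricted {
		spec.GrpcPodConfig = &GrpcPodConfig{SecurityContextConfig: Restricted}
	}
	return spec, nil
}

func main() {
	// Constructed sample inputs: one pre-4.16 cluster, one 4.16 cluster.
	for _, v := range []string{"4.15.2", "4.16.1"} {
		spec, err := buildCatalogSourceSpec("simple-demo-operator",
			"quay.io/opdev/simple-demo-operator-catalog:latest", v, []string{"registry-auth-keys"})
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := json.MarshalIndent(spec, "", "  ")
		fmt.Printf("OCP %s:\n%s\n", v, out)
	}
}
```

Running it prints the spec twice; only the 4.16.1 rendering carries the `grpcPodConfig` block, matching the `**securityContextConfig**` line in the JSON above. The omitempty tag on the pointer keeps the pre-4.16 spec byte-for-byte what preflight sends today, so the change is additive.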

acornett21 commented 1 month ago