Is your feature request related to a problem? Please describe.
In OCP 4.16 PodSecurity is restricted, so preflight fails to create a CatalogSource successfully.
Describe the solution you'd like.
preflight should take into consideration the version of OCP under test when creating the CatalogSource. If the version is OCP 4.16 or greater, the below can be added to the CatalogSource struct that is created in the code here.
Describe alternatives you've considered.
Optionally we might want to change how we create the namespace to change the labels for pod security, though I'm not sure of the ease of that. But this might be better in case an operator author has an incorrect config in their CSV. Alternatively, we might want to catch this in preflight, before it ends up in a real catalog and affects users/customers.
We had a POC of this approach a while back that is linked here
Additional context.
Both options seem possible, but I'm leaning towards updating the CatalogSource, but it's totally open for discussion.
Error Observed on an OCP 4.16 cluster
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  creationTimestamp: "2024-05-23T19:42:51Z"
  generation: 1
  name: simple-demo-operator
  namespace: simple-demo-operator
  resourceVersion: "35590"
  uid: 24f962cf-16bb-4c0d-b019-0e801e5d839d
spec:
  displayName: simple-demo-operator
  icon:
    base64data: ""
    mediatype: ""
  image: quay.io/opdev/simple-demo-operator-catalog:latest
  secrets:
  - registry-auth-keys
  sourceType: grpc
status:
  message: 'couldn''t ensure registry server - error ensuring pod: : error creating
    new pod: simple-demo-operator-: pods "simple-demo-operator-fdr6g" is forbidden:
    violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container
    "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted
    capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]),
    runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true),
    seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type
    to "RuntimeDefault" or "Localhost")'
  reason: RegistryServerError
```
We also need to update simple-demo-operator to support OCP 4.16 and cut a new release of that change as well. This is needed to support E2E testing within our CI process.
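The version gate the request describes, as an added stand-alone Go example (not preflight's own code and not the snippet referenced in the issue): it parses the OCP version under test and, for 4.16 and later, adds `spec.grpcPodConfig.securityContextConfig: restricted` to the CatalogSource spec, which is the OLM field that makes the registry-server pod carry the securityContext settings the error above lists. Version strings, names and the threshold are constructed for the example; the spec is built as a plain map so it runs without the OLM API module.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First OCP release whose default PodSecurity admission is "restricted" (from the issue).
const restrictedMajor, restrictedMinor = 4, 16

// parseOCPVersion accepts forms such as "4.16", "4.16.3" or "v4.17.0-rc.1"
// and returns the major and minor components; anything else is an error.
func parseOCPVersion(v string) (int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 { // drop pre-release / build suffix
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("malformed OCP version %q", v)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("malformed major in %q: %w", v, err)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, fmt.Errorf("malformed minor in %q: %w", v, err)
	}
	return major, minor, nil
}

// needsRestrictedPSA reports whether the cluster enforces the restricted profile by default.
func needsRestrictedPSA(ocpVersion string) (bool, error) {
	major, minor, err := parseOCPVersion(ocpVersion)
	if err != nil {
		return false, err
	}
	return major > restrictedMajor || (major == restrictedMajor && minor >= restrictedMinor), nil
}

// catalogSourceSpec builds the CatalogSource spec; on restricted clusters it asks OLM
// to render the registry pod with a restricted-compliant securityContext (assumed OLM field).
func catalogSourceSpec(name, image, ocpVersion string) (map[string]any, error) {
	restricted, err := needsRestrictedPSA(ocpVersion)
	if err != nil {
		return nil, err
	}
	spec := map[string]any{"displayName": name, "image": image, "sourceType": "grpc"}
	if restricted {
		spec["grpcPodConfig"] = map[string]any{"securityContextConfig": "restricted"}
	}
	return spec, nil
}
```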