Open github-actions[bot] opened 2 years ago
This issue has become stale because it has been open 60 days with no activity. The maintainers of this repo will remove this label during issue triage or it will be removed automatically after an update. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.
In our current implementation, we are creating a pod that uses the image
provided by an image source. This pod is not always guaranteed to run as a
non-root user and thus will fail to initialize if running as root in a PSA
restricted namespace due to violations. As it currently stands, our compliance
with PSA is baseline which allows for pods to run as root users. However,
all RukPak processes and resources, except this unpacker pod for image sources,
are runnable in a PSA restricted environment. We should consider ways to make
this PSA definition either configurable or workable in a restricted namespace.
See https://github.com/operator-framework/rukpak/pull/539 for more detail.
https://github.com/timflannagan/rukpak/blob/4f19948f042ef508eafddd921f9fc52715fd052d/internal/source/image.go#L208
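The gap described in this issue, as an added sketch that is not RukPak's code: a check of one container security context against the restricted Pod Security Standard controls that a root-running unpacker pod would trip. The `SecurityContext` struct, `RestrictedViolations` and `HardenedUnpacker` are hypothetical names with local stand-in types rather than the `k8s.io/api` ones, and UID 1001 is a constructed value.

```go
package main

import "fmt"

// SecurityContext is a hypothetical stand-in for the corev1.SecurityContext fields checked here.
type SecurityContext struct {
	RunAsNonRoot, AllowPrivilegeEscalation *bool
	RunAsUser                              *int64
	DropCapabilities                       []string
	SeccompType                            string
}

// RestrictedViolations lists the restricted-profile controls that sc fails.
// Simplified: pod-level defaults, added capabilities and volumes are not modelled.
func RestrictedViolations(sc SecurityContext) []string {
	var v []string
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot must be true")
	}
	if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
		v = append(v, "runAsUser must not be 0")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be false")
	}
	dropsAll := false
	for _, c := range sc.DropCapabilities {
		dropsAll = dropsAll || c == "ALL"
	}
	if !dropsAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	if sc.SeccompType != "RuntimeDefault" && sc.SeccompType != "Localhost" {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}

// HardenedUnpacker passes every check above; UID 1001 is a constructed non-zero value.
func HardenedUnpacker() SecurityContext {
	yes, no, uid := true, false, int64(1001)
	return SecurityContext{RunAsNonRoot: &yes, AllowPrivilegeEscalation: &no,
		RunAsUser: &uid, DropCapabilities: []string{"ALL"}, SeccompType: "RuntimeDefault"}
}

func main() {
	fmt.Println("unset:   ", RestrictedViolations(SecurityContext{}))
	fmt.Println("hardened:", RestrictedViolations(HardenedUnpacker()))
}
```

The hardened context sets `RunAsUser` explicitly because the default user of an arbitrary image source is outside the unpacker's control; with only `runAsNonRoot: true`, a root-default image passes admission but the kubelet refuses to start the container.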