Changes on Flux v0.26.0

[pjbgf]

We are rolling out a few security related changes in flux2 that may impact flux2-openshift. Here's a summary of them:

• Enable Seccomp by default using new API (requires Kubernetes 1.19).
• Hard-code userId on container images and enable securityContext.runAsNonRoot.
• Drop all capabilities that are not being used.

I will link the PRs here to keep track of progress.

[chanwit]

Thank you so much, @pjbgf

[stefanprodan]

@chanwit any news on this, we got OpenShift users that are reporting that Flux 0.26 doesn't work due to the seccompProfile. Fails like this:

PodSecurityPolicy: unable to admit pod: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]: Forbidden: seccomp may not be set]

[chanwit]

Still working on it. Best bet at the moment is either:

1. Use the privileged SCC, but it's going to allow us to set some privileged settings too,

or

2. Drop seccomp profile from the YAML.

[stefanprodan]

I guess the scope of this repo is to allow "one click" install for Flux on OpenShift, so I would drop everything that prevents that.

[chanwit]

BTW, the document updated last 2 weeks does not work for the user? https://fluxcd.io/docs/use-cases/openshift/#security-context-constraints

[chanwit]

I'll work with @pjbgf on Monday to check the details in each SCC per his request. Will get back to you with some solutions.

[chanwit]

Documented by: https://github.com/fluxcd/website/pull/786

[pjbgf]

I will close this issue based on the documentation updates. Thank you @chanwit for testing and updating the documentation.