OpenShift Pipelines: SRVKP-4354

Default to setting security context to match enforced restricted pod security admission (OCP 4.16)


      Description of problem:

      https://issues.redhat.com/browse/OCPSTRAT-487 (seems to be delayed to OCP 4.16)

      With OpenShift 4.15, we intend to move the global configuration to enforce the "restricted" pod security profile globally. With this change, the label synchronization mechanism will also switch into a mode where it synchronizes the "enforce" Pod Security Admission label rather than the "audit" and "warn".  

      On OCP 4.16, this change will result in openshift-pipelines failing to start PipelineRun pods and the Tekton EventListener pods (among others, probably) with the current default settings.

      Event listener deployment failing to create replicas:

      - lastTransitionTime: "2024-03-25T09:01:01Z"
        message: 'pods "el-cad-event-listener-6556ff4b48-sl48m" is forbidden: violates
          PodSecurity "restricted:latest": unrestricted capabilities (container "event-listener"
          must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true
          (pod or container "event-listener" must set securityContext.runAsNonRoot=true),
          seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type
          to "RuntimeDefault" or "Localhost")'
        reason: FailedCreate
        status: "True"
        type: ReplicaFailure

      Needed fix to the defaults. For the pod(s) to start, we need to:

      • set set-security-context in the TektonConfig to true; this will allow PipelineRun pods to start
      • for the EventListener, set the following in the TektonConfig:
          options:
            deployments:
              tekton-triggers-controller:
                spec:
                  template:
                    spec:
                      containers:
                      - name: tekton-triggers-controller
                        args:
                        - -el-security-context=true
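
      The following is an added example (not code from this issue or from the OpenShift Pipelines project) that does two things a cluster admin would want before OCP 4.16 flips the enforce label: it replays the three restricted-profile checks quoted in the FailedCreate event above against a pod spec, and it emits the TektonConfig merge patch that applies both workarounds from the list. The pod spec is constructed to stand in for the default EventListener pod, and the field paths spec.pipeline.set-security-context and spec.trigger.options are an assumption about the operator's schema, not something the issue states.

```python
"""Pre-flight check of a pod spec against the three restricted-profile rules
quoted in the FailedCreate event above, plus a generator for the TektonConfig
merge patch that turns on the secure defaults. Added example, not code from the
issue or from OpenShift Pipelines; the TektonConfig field paths
(spec.pipeline.set-security-context, spec.trigger.options) are an assumption
about the operator schema, and the pod spec below is constructed."""
import copy
import json

RESTRICTED_PROFILE = "restricted:latest"


def _container_violations(pod_spec, container):
    """Mirror the three pod-security-admission messages the EventListener pod
    tripped on. This is deliberately a subset of restricted:latest (privileged,
    host namespaces, volume types etc. are not checked here)."""
    name = container.get("name", "<unnamed>")
    pod_sc = pod_spec.get("securityContext", {})
    sc = container.get("securityContext", {})
    problems = []

    # 1. Capabilities: the container must drop ALL.
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append(
            f'unrestricted capabilities (container "{name}" must set '
            'securityContext.capabilities.drop=["ALL"])')

    # 2. runAsNonRoot: a container-level value overrides the pod-level one,
    #    so an explicit false on the container still fails.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        problems.append(
            f'runAsNonRoot != true (pod or container "{name}" must set '
            'securityContext.runAsNonRoot=true)')

    # 3. seccompProfile: RuntimeDefault or Localhost, at pod or container level.
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append(
            f'seccompProfile (pod or container "{name}" must set '
            'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return problems


def restricted_violations(pod_spec):
    """Violations over every initContainer and container of the spec."""
    problems = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        problems.extend(_container_violations(pod_spec, c))
    return problems


def harden(pod_spec):
    """Copy of pod_spec with the securityContext the restricted profile
    demands, set on every container so it holds whatever the pod level says."""
    out = copy.deepcopy(pod_spec)
    out.setdefault("securityContext", {}).update(
        runAsNonRoot=True, seccompProfile={"type": "RuntimeDefault"})
    for c in out.get("initContainers", []) + out.get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc.update(allowPrivilegeEscalation=False, runAsNonRoot=True,
                  seccompProfile={"type": "RuntimeDefault"})
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return out


def tektonconfig_patch():
    """Merge patch for: oc patch tektonconfig config --type merge -p "$(...)".
    Both settings from the list above; field placement is an assumption."""
    triggers_controller = {
        "name": "tekton-triggers-controller",
        "args": ["-el-security-context=true"],
    }
    return {"spec": {
        "pipeline": {"set-security-context": True},
        "trigger": {"options": {"deployments": {"tekton-triggers-controller": {
            "spec": {"template": {"spec": {"containers": [triggers_controller]}}}
        }}}},
    }}


# Constructed stand-in for the default EventListener pod: no securityContext.
EVENT_LISTENER_POD = {"containers": [{"name": "event-listener"}]}

if __name__ == "__main__":
    for p in restricted_violations(EVENT_LISTENER_POD):
        print(f'violates PodSecurity "{RESTRICTED_PROFILE}": {p}')
    print("after harden():", restricted_violations(harden(EVENT_LISTENER_POD)))
    print(json.dumps(tektonconfig_patch()))
```

      Run as-is, the script reproduces the three complaints from the event for the bare EventListener pod and shows that the hardened copy passes; json.dumps output is valid input for oc patch with --type merge. The checks are only the subset of restricted:latest that this issue exercised, so a clean result here is necessary but not sufficient for admission on an enforcing cluster.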

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      Install openshift-pipelines v1.14 on a cluster with the "restricted" pod security profile enforced globally (4.16 should have this).

      Actual results:

      Pods for EventListeners and PipelineRuns fail to start.

      Expected results:

      Default settings of openshift-pipelines match the platform requirements for OCP 4.16: pods can start without tweaking the configuration, as they run with a restricted security context.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria:

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

      Assignee: Unassigned
      Reporter: Claudio Busse