seccomp causing trouble

[davidkarlsen]

after upgrade to [*], I see:

[*]

flux: v0.27.0
helm-controller: v0.17.0
image-automation-controller: v0.20.0
image-reflector-controller: v0.16.0
kustomize-controller: v0.21.0
notification-controller: v0.22.0
source-controller: v0.21.2

k describe rs source-controller-69bfb4649c|tail -2
  Warning  FailedCreate  8m32s                 replicaset-controller  Error creating: pods "source-controller-69bfb4649c-v5jzg" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/manager: Forbidden: seccomp may not be set provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1337}: 1337 is not an allowed group pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/manager: Forbidden: seccomp may not be set provider "nonroot": Forbidden: not usable by user or serviceaccount provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount provider "log-collector-scc": Forbidden: not usable by user or serviceaccount provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden: not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable by user or serviceaccount provider "node-exporter": Forbidden: not usable by user or serviceaccount provider "privileged": Forbidden: not usable by user or serviceaccount]
  Warning  FailedCreate  3m5s (x9 over 8m30s)  replicaset-controller  (combined from similar events): Error creating: pods "source-controller-69bfb4649c-8kz6r" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/manager: Forbidden: seccomp may not be set provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1337}: 1337 is not an allowed group pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/manager: Forbidden: seccomp may not be set provider "nonroot": Forbidden: not usable by user or serviceaccount provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount provider "log-collector-scc": Forbidden: not usable by user or serviceaccount provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden: not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable by user or serviceaccount provider "node-exporter": Forbidden: not usable by user or serviceaccount provider "privileged": Forbidden: not usable by user or serviceaccount]

If I drop the seccomp profile it will schedule just fine.

openshift 4.9.x

Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.3", GitCommit:"816c97ab8cff8a1c72eccca1026f7820e93e0d25", GitTreeState:"clean", BuildDate:"2022-01-25T21:17:57Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3+e790d7f", GitCommit:"3a0f2c90b43e6cffd07f57b5b78dd9f083e47ee2", GitTreeState:"clean", BuildDate:"2021-12-14T02:10:38Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}

[stefanprodan]

Have you seen https://fluxcd.io/docs/use-cases/openshift/#security-context-constraints?

[chuegel]

This happens with rke2 deployed clusters as well. See: rancher/rke2#2156

Fixed in version v1.23.4+rke2r1

[pjbgf]

Relates to upstream OpenShift issue: openshift/cluster-kube-apiserver-operator#1325

[sastorsl]

I think this can be closed by patching Kustomize as documented in fluxcd/website/pull/786