-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OLM 4.11 release note: future PSA enforcement for SQLite catalogs #48575
OLM 4.11 release note: future PSA enforcement for SQLite catalogs #48575
Conversation
aefb46d
to
9f083a4
Compare
9f083a4
to
eadeeea
Compare
@jianzhangbjz or @Xia-Zhao-rh: Please review this PR. Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I left a comment/suggestion below
e132224
to
47a8118
Compare
47a8118
to
a87196c
Compare
/lgtm |
@bandrade, can you take a look? |
/lgtm |
|
||
Operator catalogs built using both the deprecated SQLite database format and versions of the `opm` binary released before {product-title} 4.11 are not compatible with restricted namespace enforcement. | ||
|
||
To ensure compatibility with restricted namespace enforcement, maintainers of SQLite-based Operator catalogs can either migrate to the file-based catalog format or rebuild their catalogs using the `opm` binary released with {product-title} 4.11 or later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does File-based Catalog Source compatible with restricted namespace? I guess no.
I deploy a file-based catalog source in a restricted namespace, and still get the PSA issue:
/api/v1/namespaces/test/pods would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/batch/v1/namespaces/test/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
And, I think the PSA issue nothing with the SQL-based or File-based, it's related to the Job pods: "registry-server", "util", "pull", "extract".
The File-based catalog source and restricted namespace.
mac:~ jianzhang$ oc get catalogsource test-operators -o yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
creationTimestamp: "2022-08-01T02:34:22Z"
generation: 1
name: test-operators
namespace: test
resourceVersion: "88593"
uid: fca4ab69-6cf4-4fbd-8318-182c72cdf297
spec:
displayName: Jian Operators
image: registry.redhat.io/redhat/redhat-operator-index:v4.11
priority: -100
publisher: Jian
sourceType: grpc
updateStrategy:
registryPoll:
interval: 10m0s
status:
connectionState:
address: test-operators.test.svc:50051
lastConnect: "2022-08-01T02:38:47Z"
lastObservedState: READY
registryService:
createdAt: "2022-08-01T02:34:22Z"
port: "50051"
protocol: grpc
serviceName: test-operators
serviceNamespace: test
mac:~ jianzhang$ oc get ns test -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: ""
openshift.io/requester: system:admin
openshift.io/sa.scc.mcs: s0:c26,c15
openshift.io/sa.scc.supplemental-groups: 1000680000/10000
openshift.io/sa.scc.uid-range: 1000680000/10000
creationTimestamp: "2022-08-01T02:32:18Z"
labels:
kubernetes.io/metadata.name: test
olm.operatorgroup.uid/19192516-a967-48f5-a882-effe2a1e8fbb: ""
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.24
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.24
name: test
resourceVersion: "89724"
uid: e9483d83-a011-4291-99ab-67c06345e3b2
spec:
finalizers:
- kubernetes
status:
phase: Active
[id="ocp-4-11-olm-psa-opm-sqlite"] | ||
==== Future pod security admission compatibility for SQLite-based Operator catalogs | ||
|
||
The `restricted` pod security admission profile will be enabled for all namespaces in a future release of {product-title}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It has been already enabled for 4.11 as default.
…lease-note-introduced-in-pr-48575 OSDOCS-3774 Removes the release note introduced in #48575
Version(s): 4.11
Issue: OSDOCS-3774
Link to docs preview (requires VPN):
Future PSA enforcement for SQLite-based Operator catalogs
Additional information:
This extends the closed PR #48318.
The work here and in OSDOCS-3774 began as a known issue for 4.11. Upon further investigation, the pod security admission policy changes will affect catalog maintainers in a future OCP release, currently planned as 4.12.
cc: @dmesser @perdasilva @kevinrizza @kalexand-rh and @sjstout for visability.