OLM 4.11 release note: future PSA enforcement for SQLite catalogs #48575
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
size/S
michaelryanpeter
force-pushed
the
olm-4.11-RN-opm-sqlite-catalogs-restricted-psas
branch
3 times, most recently
from
aefb46d
to
9f083a4
Compare
michaelryanpeter
added
peer-review-needed
openshift-ci
bot
added
the
size/S
michaelryanpeter
force-pushed
the
olm-4.11-RN-opm-sqlite-catalogs-restricted-psas
branch
from
9f083a4
to
eadeeea
Compare
|
@jianzhangbjz or @Xia-Zhao-rh: Please review this PR. Thank you! |
jldohmann
approved these changes
Jul 29, 2022
michaelryanpeter
added
peer-review-done
michaelryanpeter
force-pushed
the
olm-4.11-RN-opm-sqlite-catalogs-restricted-psas
branch
2 times, most recently
from
e132224
to
47a8118
Compare
michaelryanpeter
force-pushed
the
olm-4.11-RN-opm-sqlite-catalogs-restricted-psas
branch
from
47a8118
to
a87196c
Compare
|
/lgtm |
|
@bandrade, can you take a look? |
|
/lgtm |
jianzhangbjz
reviewed
Aug 1, 2022
|
|
||
| Operator catalogs built using both the deprecated SQLite database format and versions of the `opm` binary released before {product-title} 4.11 are not compatible with restricted namespace enforcement. | ||
|
|
||
| To ensure compatibility with restricted namespace enforcement, maintainers of SQLite-based Operator catalogs can either migrate to the file-based catalog format or rebuild their catalogs using the `opm` binary released with {product-title} 4.11 or later. |
There was a problem hiding this comment.
Does File-based Catalog Source compatible with restricted namespace? I guess no.
I deploy a file-based catalog source in a restricted namespace, and still get the PSA issue:
/api/v1/namespaces/test/pods would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/batch/v1/namespaces/test/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")And, I think the PSA issue nothing with the SQL-based or File-based, it's related to the Job pods: "registry-server", "util", "pull", "extract".
The File-based catalog source and restricted namespace.
mac:~ jianzhang$ oc get catalogsource test-operators -o yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
creationTimestamp: "2022-08-01T02:34:22Z"
generation: 1
name: test-operators
namespace: test
resourceVersion: "88593"
uid: fca4ab69-6cf4-4fbd-8318-182c72cdf297
spec:
displayName: Jian Operators
image: registry.redhat.io/redhat/redhat-operator-index:v4.11
priority: -100
publisher: Jian
sourceType: grpc
updateStrategy:
registryPoll:
interval: 10m0s
status:
connectionState:
address: test-operators.test.svc:50051
lastConnect: "2022-08-01T02:38:47Z"
lastObservedState: READY
registryService:
createdAt: "2022-08-01T02:34:22Z"
port: "50051"
protocol: grpc
serviceName: test-operators
serviceNamespace: test
mac:~ jianzhang$ oc get ns test -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: ""
openshift.io/requester: system:admin
openshift.io/sa.scc.mcs: s0:c26,c15
openshift.io/sa.scc.supplemental-groups: 1000680000/10000
openshift.io/sa.scc.uid-range: 1000680000/10000
creationTimestamp: "2022-08-01T02:32:18Z"
labels:
kubernetes.io/metadata.name: test
olm.operatorgroup.uid/19192516-a967-48f5-a882-effe2a1e8fbb: ""
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.24
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.24
name: test
resourceVersion: "89724"
uid: e9483d83-a011-4291-99ab-67c06345e3b2
spec:
finalizers:
- kubernetes
status:
phase: Active
jianzhangbjz
reviewed
Aug 1, 2022
| [id="ocp-4-11-olm-psa-opm-sqlite"] | ||
| ==== Future pod security admission compatibility for SQLite-based Operator catalogs | ||
|
|
||
| The `restricted` pod security admission profile will be enabled for all namespaces in a future release of {product-title}. |
There was a problem hiding this comment.
It has been already enabled for 4.11 as default.
This was referenced Aug 4, 2022
michaelryanpeter
added a commit
to michaelryanpeter/openshift-docs
that referenced
this pull request
Aug 5, 2022
michaelryanpeter
added a commit
that referenced
this pull request
Aug 5, 2022
…lease-note-introduced-in-pr-48575 OSDOCS-3774 Removes the release note introduced in #48575
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Version(s): 4.11
Issue: OSDOCS-3774
Link to docs preview (requires VPN):
Future PSA enforcement for SQLite-based Operator catalogs
Additional information:
This extends the closed PR #48318.
The work here and in OSDOCS-3774 began as a known issue for 4.11. Upon further investigation, the pod security admission policy changes will affect catalog maintainers in a future OCP release, currently planned as 4.12.
cc: @dmesser @perdasilva @kevinrizza @kalexand-rh and @sjstout for visability.