Issues launching debug daemonset in OCP 4.12 related to security constraints #547
Comments
@ramperher If I push up a branch, can you point to it and test?
Sure, I can give it a try in an OCP 4.12 cluster :) I'll take a look!
@sebrandon1, as discussed in #548, I think we don't need to change anything in the debug daemonset specification after testing in OCP 4.12. It's just a matter of adding these two labels to the default namespace (where the debug daemonset is deployed):
However, as discussed in the PR, I feel that maybe it is too extreme to set such privileges on the default namespace, which can be used by other workloads, utilities, etc. Having said that, would it be a problem if the debug daemonset were deployed in a specific namespace rather than in the default namespace? Just to isolate the permissions we give to specific namespaces. Then, a second question I have: could this particularity about labelling the namespace where the debug daemonset is deployed when working in OCP 4.12 be included in the README? Or should we wait until OCP 4.12 is finally released?
I believe this change covers the security policies needed for the daemonset: We can close this until we hit any more (if any) problems.
Today, we have launched the first OCP 4.12 daily job and we have tested some workloads on top of it, including the workloads we use to test the CNF Cert Suite. You can see that job here.
Digging into the tnf results, we observed a lot of unexpected results (some tests failed or were skipped when they should have passed), all of them caused by the debug daemonset's wrong behavior.
Taking a look at the events that happened in the cluster (they can be seen here, in the events.txt file), we can see these issues related to the debug daemonset:
My impression is that it is hitting some security issues caused by OCP 4.12. In theory, there are several changes in terms of security policies in OCP 4.12 (e.g. https://connect.redhat.com/en/blog/important-openshift-changes-pod-security-standards), and I suppose the debug daemonset specification should be reviewed to deal with them.
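The issue body above suspects the Pod Security Admission (PSA) changes in OCP 4.12, and the later comment resolves it by labelling the namespace the debug daemonset runs in. The following is an added example, not code from this project or from the issue participants: it simulates the PSA decision by reading the `pod-security.kubernetes.io/enforce` namespace label and applying a subset of the Pod Security Standards checks, so you can see which fields of a typical node-debugging pod (host namespaces, privileged container, hostPath mount) trip "baseline" and "restricted", and why the same pod is admitted once the namespace enforces "privileged". Assumptions, all mine: the sample pod spec is constructed and is not the project's real manifest; the check subset is illustrative (the real standards have more); an unlabelled namespace is treated as "privileged", which is the Kubernetes built-in default when the admission plugin has no other configuration, so on a real cluster check what the namespace actually carries (for example `oc get ns <name> --show-labels`) rather than assuming.

```python
"""Simulated Pod Security Admission decision for a namespace + pod.

Added example for this thread, not project code. Models the enforce label
PSA reads and a subset of the Pod Security Standards checks (assumption:
enough to illustrate; the real profiles contain more checks).
"""

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Capabilities a "baseline" pod may add (from the Pod Security Standards).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(spec):
    """Subset of baseline: host namespaces, privileged, extra caps, hostPath."""
    reasons = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            reasons.append(f"host namespace: {key}=true")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"privileged container: {c['name']}")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_CAPS
        if extra:
            reasons.append(f"non-default capabilities in {c['name']}: {sorted(extra)}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"hostPath volume: {v.get('name')}")
    return reasons


def restricted_violations(spec):
    """Subset of restricted, applied on top of baseline."""
    reasons = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            reasons.append(f"allowPrivilegeEscalation not false: {c['name']}")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            reasons.append(f"runAsNonRoot not set: {c['name']}")
        if sc.get("capabilities", {}).get("drop") != ["ALL"]:
            reasons.append(f"capabilities not dropped (ALL): {c['name']}")
        profile = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            reasons.append(f"seccompProfile not RuntimeDefault/Localhost: {c['name']}")
    return reasons


def admit(pod, namespace_labels):
    """Return (admitted, enforce_level, reasons) for pod under the namespace label.
    Assumption: no label means the Kubernetes built-in default, "privileged"."""
    level = namespace_labels.get(ENFORCE_LABEL, "privileged")
    spec = pod["spec"]
    if level == "privileged":
        reasons = []
    elif level == "baseline":
        reasons = baseline_violations(spec)
    elif level == "restricted":
        reasons = restricted_violations(spec)
    else:
        raise ValueError(f"unknown enforce level: {level}")
    return (not reasons, level, reasons)


# Constructed sample in the shape of a node-debugging DaemonSet pod; not the
# project's real manifest.
DEBUG_POD = {
    "metadata": {"name": "debug-xyz"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [{
            "name": "debug",
            "image": "quay.io/example/debug:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}


def decide_for_namespace(level):
    """Evaluate DEBUG_POD in a namespace whose enforce label is `level` (None = no label)."""
    labels = {} if level is None else {ENFORCE_LABEL: level}
    return admit(DEBUG_POD, labels)


if __name__ == "__main__":
    for lvl in (None, "baseline", "restricted", "privileged"):
        ok, level, why = decide_for_namespace(lvl)
        print(f"enforce={level:<10} admitted={ok}")
        for r in why:
            print("   -", r)
```

Run it and the "baseline" and "restricted" rows list exactly the fields a debug daemonset needs (host PID/network, privileged, hostPath), which is why relabelling the whole namespace to "privileged" is the blunt fix the thread discusses and why isolating that pod in its own namespace, rather than `default`, limits how many other workloads inherit that relaxation.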