sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 #1555

kaovilai · 2024-10-11T17:27:54Z

Is your feature request related to a problem? Please describe.

PodSecurityAdmission feature gate is enabled [in 4.18] (preview only, slated to be disabled by GA)(https://github.com/openshift/api/blob/a1523024209f3122be9e9d53515da470c6a2458b/features/features.go#L67-L72) (disabled in 4.17), will enforce restricted PodSecurityAdmission by default

which will cause errors like

deployment not available with condition: pods "mongo-5f78d6fd49-74k4r" is forbidden: violates PodSecurity "restricted:latest": privileged (container "mongo" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "mongo", "curl-tool" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "mongo", "curl-tool" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "mongo", "curl-tool" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "mongo", "curl-tool" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

as seen in our 4.18 dev-preview test and found to be possibly targeted for 4.19 release

This feature gate were documented as early as 4.12 it seems, but never enabled by default.

slack

https://issues.redhat.com/browse/OCPSTRAT-487
https://issues.redhat.com/browse/AUTH-262
https://issues.redhat.com/browse/OSDOCS-5004

Part of OADP epic https://issues.redhat.com/browse/OADP-5031
Describe the solution you'd like

Describe alternatives you've considered

Additional context

The text was updated successfully, but these errors were encountered:

openshift-bot · 2025-02-17T01:00:27Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot · 2025-03-19T08:31:08Z

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

kaovilai · 2025-03-19T14:29:21Z

/lifecycle frozen

kaovilai added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 11, 2024

kaovilai changed the title ~~sample-apps: handle restricted podadmissionpolicy default in 4.18~~ sample-apps: handle restricted podsecurityadmission default in 4.18 Oct 11, 2024

kaovilai changed the title ~~sample-apps: handle restricted podsecurityadmission default in 4.18~~ sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.19 Oct 14, 2024

This was referenced Oct 22, 2024

CI: Enable upstream virtualization operator E2E tests. #1556

Merged

OADP 4.18-dev-preview disables OpenShiftPodSecurityAdmission featuregate openshift/release#58200

Merged

openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 17, 2025

openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 19, 2025

kaovilai changed the title ~~sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.19~~ sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 Mar 19, 2025

openshift-ci bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Mar 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 #1555

sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 #1555

kaovilai commented Oct 11, 2024 •

edited

Loading

openshift-bot commented Feb 17, 2025

openshift-bot commented Mar 19, 2025

kaovilai commented Mar 19, 2025

sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 #1555

sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.20 #1555

Comments

kaovilai commented Oct 11, 2024 • edited Loading

openshift-bot commented Feb 17, 2025

openshift-bot commented Mar 19, 2025

kaovilai commented Mar 19, 2025

kaovilai commented Oct 11, 2024 •

edited

Loading