Description
Bug Report
What did you do?
Ran the following to deploy my Ansible-based (but it does not matter) operator into my k8s cluster:
$ operator-sdk run bundle --security-context-config restricted kuberegistry.blub.tld/test/ansible-operator-dev/test1-bundle:v0.0.1
What did you expect to see?
What did you see instead? Under which circumstances?
The deployment fails directly with the following:
INFO[0009] Creating a File-Based Catalog of the bundle "kuberegistry.blub.tld/test/ansible-operator-dev/test1-bundle:v0.0.1"
INFO[0010] Generated a valid File-Based Catalog
FATA[0010] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "y-blub-tld-test-ansible-operator-dev-test1-bundle-v0-0-1" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true)
Environment
Operator type:
N/A
Kubernetes cluster type:
Talos Linux 1.3.x with K8s 1.26.3 and PodSecurity set to restricted.
$ operator-sdk version
operator-sdk version: "v1.28.0", commit: "484013d1865c35df2bc5dfea0ab6ea6b434adefa", kubernetes version: "1.26.0", go version: "go1.19.6", GOOS: "linux", GOARCH: "amd64"
$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.3", GitCommit:"9e644106593f3f4aa98f8a84b23db5fa378900bd", GitTreeState:"clean", BuildDate:"2023-03-15T13:40:17Z", GoVersion:"go1.19.7", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.3", GitCommit:"9e644106593f3f4aa98f8a84b23db5fa378900bd", GitTreeState:"clean", BuildDate:"2023-03-15T13:33:12Z", GoVersion:"go1.19.7", Compiler:"gc", Platform:"linux/amd64"}
Possible Solution
As per the comment starting at line 244, the reasoning for not applying the runAsNonRoot container security context is that previous OpenShift and K8s versions did not support all needed options. We could probably by now assume that we don't need to support 1.19.x or possibly even the older OpenShift versions anymore.
Possibly we could add detection modes for OpenShift/legacy K8s, or enhance the switch to allow the user to choose the right security level.
Additional context
Together with @everettraven on Slack (https://kubernetes.slack.com/archives/C0181L6JYQ2/p1683845500758729) we identified the following points:
- https://github.com/operator-framework/operator-sdk/blob/v1.28.0/internal/olm/operator/registry/index/registry_pod.go#L144
- https://github.com/operator-framework/operator-sdk/blob/v1.28.0/internal/olm/operator/registry/index/registry_pod.go#L244
Temporary Workaround via Kyverno Policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: operator-sdk-patch-registry-grpc
spec:
  rules:
    - name: operator-sdk-patch-registry-grpc
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "*"
              names:
                - "*bundle*"
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # conditional anchor: only patch the container named registry-grpc
              - (name): "registry-grpc"
                # add the one field the restricted profile complains about
                securityContext:
                  runAsNonRoot: true
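To see why only runAsNonRoot is reported and to check the workaround offline, here is an added example (not operator-sdk or Kyverno code) that models the container-level checks the PodSecurity "restricted" profile adds on top of baseline, applies the same patch the Kyverno rule performs, and re-checks. The sample pod is constructed: its container name comes from the error above, the image name is a placeholder, and the remaining securityContext fields are assumed to be what `--security-context-config restricted` already sets, since the admission error names nothing else.

```python
"""Offline check of a pod dict against the PodSecurity "restricted" profile.

Added example, not operator-sdk or Kyverno code. Baseline checks (privileged,
host namespaces, hostPath, ...) are intentionally not modeled; only the checks
that restricted adds are, since those are the ones the registry pod trips over.
"""
import copy

# Constructed sample shaped like the registry pod in the issue. Everything except
# runAsNonRoot is present, so only that check should fire. Image is a placeholder.
REGISTRY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "y-blub-tld-test-ansible-operator-dev-test1-bundle-v0-0-1"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {
                "name": "registry-grpc",
                "image": "registry.example/opm:placeholder",  # assumption
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _effective(pod, container, key):
    """Container securityContext wins; otherwise fall back to the pod-level one.
    PodSecurity resolves runAsNonRoot, runAsUser and seccompProfile this way."""
    c_sc = container.get("securityContext") or {}
    if key in c_sc:
        return c_sc[key]
    return (pod["spec"].get("securityContext") or {}).get(key)


def restricted_violations(pod):
    """Return restricted-profile violations worded like the admission error.
    An empty list means the pod would pass these checks."""
    found = []
    spec = pod["spec"]
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        # allowPrivilegeEscalation and capabilities are container-only fields
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}" '
                         'must set securityContext.allowPrivilegeEscalation=false)')
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            found.append(f'unrestricted capabilities (container "{name}" '
                         'must set securityContext.capabilities.drop=["ALL"])')
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            found.append(f'unrestricted capabilities (container "{name}" must not '
                         f'include {sorted(extra)} in securityContext.capabilities.add)')
        # these three may be satisfied at pod level or container level
        if _effective(pod, c, "runAsNonRoot") is not True:
            found.append(f'runAsNonRoot != true (pod or container "{name}" '
                         'must set securityContext.runAsNonRoot=true)')
        if _effective(pod, c, "runAsUser") == 0:
            found.append(f'runAsUser=0 (pod or container "{name}" must not set runAsUser=0)')
        prof = _effective(pod, c, "seccompProfile") or {}
        if prof.get("type") not in ALLOWED_SECCOMP:
            found.append(f'seccompProfile (pod or container "{name}" must set '
                         'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return found


def apply_registry_grpc_patch(pod):
    """Do offline what the Kyverno mutate rule does in-cluster: set
    runAsNonRoot=true on every container named registry-grpc. Returns a copy."""
    patched = copy.deepcopy(pod)
    for c in patched["spec"]["containers"]:
        if c["name"] == "registry-grpc":
            c.setdefault("securityContext", {})["runAsNonRoot"] = True
    return patched


if __name__ == "__main__":
    for v in restricted_violations(REGISTRY_POD):
        print("before patch:", v)
    print("after patch:", restricted_violations(apply_registry_grpc_patch(REGISTRY_POD)) or "no violations")
```

One caveat worth keeping in mind: runAsNonRoot=true only gets the pod past admission. If the registry image itself runs as UID 0 (no USER in the image and no runAsUser set), the kubelet refuses to start the container with a CreateContainerConfigError, so check the image or add a non-zero runAsUser alongside the patch.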