## Bug Report

**What did you do?**

Ran `operator-sdk run bundle` with `--security-context-config=restricted` to deploy a bundle on a cluster with PodSecurity set to `restricted`:

```shell
operator-sdk run bundle ttl.sh/oadp-operator-bundle-f509f50a:1h --security-context-config=restricted
```

**What did you expect to see?**

The registry pod should be created successfully with proper security context settings on all containers.

**What did you see instead?**

```
INFO[0012] Creating a File-Based Catalog of the bundle "ttl.sh/oadp-operator-bundle-f509f50a:1h"
INFO[0014] Generated a valid File-Based Catalog
FATA[0015] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "ttl-sh-oadp-operator-bundle-f509f50a-1h" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc-init" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc-init" must set securityContext.capabilities.drop=["ALL"])
```
**Root Cause**

In `internal/olm/operator/registry/fbcindex/fbc_registry_pod.go`, when `SecurityContext == "restricted"`, the security context is only applied to:

- the pod level (`f.pod.Spec.SecurityContext`)
- the main container (`f.pod.Spec.Containers[0].SecurityContext`)

The init container `registry-grpc-init` (added via `addGZIPInitContainer()`) is never given a SecurityContext, so it fails the container-level checks of the `restricted` profile shown in the error above.

https://github.com/operator-framework/operator-sdk/blob/f6829d45dce8f41f39b76b7cac2040bf23b4f81e/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go#L143-L160
**Proposed Fix**

After setting the security context on the main container, also apply it to all init containers:

```go
// Update all init containers with the same restrictive security context
for i := range f.pod.Spec.InitContainers {
	f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext
}
```
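To show why the loop above matters, here is a self-contained Go example (added here, not code from operator-sdk) that models the registry pod with lightweight stand-ins for the `corev1` types, applies the restricted context first the current way (main container only) and then the proposed way (init containers included), and runs a small pre-admission check that reports the same two container-level findings the PodSecurity `restricted` error names. The main container name `registry-grpc` and the simplified struct fields are assumptions for the example; `registry-grpc-init` is the init container name from the report.

```go
package main

import "fmt"

// Minimal stand-ins for the corev1 types the fix touches; constructed for this
// example, they carry only the fields the checks below look at.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	CapabilitiesDrop         []string // corev1: SecurityContext.Capabilities.Drop
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	Containers     []Container
	InitContainers []Container
}

func boolPtr(b bool) *bool { return &b }

// restrictedContainerContext returns the two container-level settings the
// admission error in the report names: no privilege escalation, drop ALL.
func restrictedContainerContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		CapabilitiesDrop:         []string{"ALL"},
	}
}

// newRegistryPodSpec mimics the registry pod shape: one main container plus
// the registry-grpc-init init container. The main container name is a
// placeholder, not taken from operator-sdk.
func newRegistryPodSpec() *PodSpec {
	return &PodSpec{
		Containers:     []Container{{Name: "registry-grpc"}},
		InitContainers: []Container{{Name: "registry-grpc-init"}},
	}
}

// applyMainContainerOnly reproduces the current behaviour: only Containers[0]
// gets the restricted context, init containers are left untouched.
func applyMainContainerOnly(spec *PodSpec) {
	spec.Containers[0].SecurityContext = restrictedContainerContext()
}

// applyRestricted is the shape of the proposed fix: every container, init
// containers included, gets the restricted context.
func applyRestricted(spec *PodSpec) {
	for i := range spec.Containers {
		spec.Containers[i].SecurityContext = restrictedContainerContext()
	}
	for i := range spec.InitContainers {
		spec.InitContainers[i].SecurityContext = restrictedContainerContext()
	}
}

func dropsAll(drop []string) bool {
	for _, c := range drop {
		if c == "ALL" {
			return true
		}
	}
	return false
}

// restrictedViolations is a pre-admission check that reports, per container,
// the same two findings the PodSecurity "restricted" error shows. Init
// containers are checked first, matching the order in the admission output.
func restrictedViolations(spec *PodSpec) []string {
	var out []string
	check := func(c Container) {
		sc := c.SecurityContext
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, fmt.Sprintf("container %q must set securityContext.allowPrivilegeEscalation=false", c.Name))
		}
		if sc == nil || !dropsAll(sc.CapabilitiesDrop) {
			out = append(out, fmt.Sprintf("container %q must set securityContext.capabilities.drop=[\"ALL\"]", c.Name))
		}
	}
	for _, c := range spec.InitContainers {
		check(c)
	}
	for _, c := range spec.Containers {
		check(c)
	}
	return out
}

func main() {
	spec := newRegistryPodSpec()
	applyMainContainerOnly(spec)
	for _, v := range restrictedViolations(spec) {
		fmt.Println("before fix:", v)
	}
	applyRestricted(spec)
	fmt.Println("after fix: violations =", len(restrictedViolations(spec)))
}
```

Running it prints the two `registry-grpc-init` findings before the fix and zero violations after it. The check only covers the two fields that are container-scoped in the `restricted` profile; `runAsNonRoot` and the seccomp profile are satisfied by the pod-level context in the real pod, which is why the admission error above does not list them.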
**Environment**

- operator-sdk version: v1.38.0 / master
- Kubernetes cluster with PodSecurity `restricted:latest`
**Related Issues**

This is a continuation of #6430, which was auto-closed due to inactivity but the bug was never fixed. That issue covered multiple security context problems; this issue is specifically scoped to the init container (`registry-grpc-init`) missing security context settings.