Background:
Upon installing the CatalogSource and Subscription to deploy the Observability Operator, two deployments are created in the openshift-operators namespace: observability-operator, and observability-operator-prometheus-operator.
Problem:
These deployments define SecurityContext that is blocked by the OpenShift Admission Controller(s).
output
message: 'pods "observability-operator-prometheus-operator-75df4c6c7-9rql8" is
forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod:
Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/prometheus-operator:
Forbidden: seccomp may not be set provider "anyuid": Forbidden: not usable by
user or serviceaccount pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod:
Forbidden: seccomp may not be set spec.containers[0].securityContext.runAsUser:
Invalid value: 65534: must be in the ranges: [1000400000, 1000409999] pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/prometheus-operator:
Forbidden: seccomp may not be set provider "hostmount-anyuid": Forbidden: not
usable by user or serviceaccount provider "machine-api-termination-handler":
Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden:
not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable
by user or serviceaccount provider "node-exporter": Forbidden: not usable by
user or serviceaccount provider "privileged": Forbidden: not usable by user
or serviceaccount]'
We feel strongly that anyuid should not be overwritten, as we will be running this on OSD clusters. This exposes us somewhat, and the premise of running on OCP, and especially OSD, is the security aspect.
We were using anyuid as a temporary solution but it has security ramifications, and it does not work anymore.
What are the recommendations for this? Thanks
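Added check (example code, not from this issue or the operator project) that runs the two constraint types named in the admission message above over a constructed pod template: legacy seccomp annotations are forbidden, and an explicit runAsUser must fall inside the namespace UID range quoted in the message. The "fixed" variant assumes that leaving runAsUser unset lets OpenShift assign a UID from that range.

```python
"""Flag pod-template settings that the SCC error in this issue rejects."""
SECCOMP_ANNOTATION_PREFIXES = (
    "seccomp.security.alpha.kubernetes.io/",
    "container.seccomp.security.alpha.kubernetes.io/",
)

def scc_violations(pod_template, uid_range=(1000400000, 1000409999)):
    """Return violation strings for a pod template dict (empty list = clean).

    Mirrors the admission message: the alpha seccomp annotations may not be
    set, and any explicit runAsUser (pod or container level) must lie within
    the namespace UID range; the default range is the one from the issue.
    """
    violations = []
    annotations = pod_template.get("metadata", {}).get("annotations", {})
    for key in annotations:
        if key.startswith(SECCOMP_ANNOTATION_PREFIXES):
            violations.append(f"annotation {key}: seccomp may not be set")
    spec = pod_template.get("spec", {})
    lo, hi = uid_range
    # An unset runAsUser is fine: OpenShift assigns one from the range.
    candidates = [("spec.securityContext", spec.get("securityContext", {}))]
    for i, c in enumerate(spec.get("containers", [])):
        candidates.append((f"spec.containers[{i}].securityContext",
                           c.get("securityContext", {})))
    for path, sc in candidates:
        uid = sc.get("runAsUser")
        if uid is not None and not lo <= uid <= hi:
            violations.append(f"{path}.runAsUser: {uid} must be in [{lo}, {hi}]")
    return violations

# Constructed sample resembling the prometheus-operator pod in the error message.
BLOCKED = {
    "metadata": {"annotations": {
        "seccomp.security.alpha.kubernetes.io/pod": "runtime/default",
        "container.seccomp.security.alpha.kubernetes.io/prometheus-operator": "runtime/default",
    }},
    "spec": {"containers": [{"name": "prometheus-operator",
                             "securityContext": {"runAsUser": 65534}}]},
}

# Same pod with the annotations removed and runAsUser left unset (constructed).
FIXED = {
    "metadata": {},
    "spec": {"containers": [{"name": "prometheus-operator",
                             "securityContext": {"allowPrivilegeEscalation": False}}]},
}

if __name__ == "__main__":
    for name, tmpl in (("blocked", BLOCKED), ("fixed", FIXED)):
        print(name, scc_violations(tmpl) or "OK")
```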