[BUG] PodSecurity causes deployment failure #1163

@peterw-ibm

Description

What happened?

oc create deployment nginx --image=nginxinc/nginx-unprivileged:stable-alpine

results in (see: oc get events):

3m59s Warning FailedCreate replicaset/nginx-7465574dbf Error creating: pods "nginx-7465574dbf-p56fr" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx-unprivileged" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx-unprivileged" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx-unprivileged" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx-unprivileged" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

What did you expect to happen?

no error

How to reproduce it (as minimally and precisely as possible)?

  1. oc create deployment nginx --image=nginxinc/nginx-unprivileged:stable-alpine
  2. oc get events

Anything else we need to know?

This seems to be a known bug with OpenShift, see

https://access.redhat.com/solutions/6976583
https://access.redhat.com/solutions/6983715

Environment

  • MicroShift version (use microshift version):
    MicroShift Version: 4.12.0-0.microshift-2022-11-17-084702-untagged
    Base OCP Version: 4.12.0-0.nightly-2022-11-07-181244

  • Hardware configuration:
    X86, 2CPU, 4GB, 200GB disk

  • OS (e.g: cat /etc/os-release):
    NAME="Red Hat Enterprise Linux"
    VERSION="8.7 (Ootpa)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.7"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Red Hat Enterprise Linux 8.7 (Ootpa)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
    HOME_URL="https://www.redhat.com/"
    DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
    BUG_REPORT_URL="https://bugzilla.redhat.com/"
    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
    REDHAT_BUGZILLA_PRODUCT_VERSION=8.7
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.7"

  • Kernel (e.g. uname -a):
    Linux flail1.fyre.ibm.com 4.18.0-372.32.1.el8_6.x86_64 Init #1 SMP Fri Oct 7 12:35:10 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

  • Others:

Relevant logs
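The FailedCreate event above lists the four controls of the PodSecurity "restricted" profile that a bare `oc create deployment` spec fails. The following is an added example (not the reporter's code or part of MicroShift) that checks a pod spec for those same four controls before it reaches the admission controller, and shows the constructed securityContext settings that satisfy them; the dicts `BARE_POD` and `HARDENED_POD` are constructed sample inputs.

```python
from typing import Any, Dict, List

IMAGE = "nginxinc/nginx-unprivileged:stable-alpine"

# Constructed: roughly what `oc create deployment` generates, with no securityContext at all.
BARE_POD: Dict[str, Any] = {
    "spec": {"containers": [{"name": "nginx-unprivileged", "image": IMAGE}]}
}

# Constructed: the same pod with every setting the event message asks for.
HARDENED_POD: Dict[str, Any] = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "nginx-unprivileged",
            "image": IMAGE,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }
}


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations PodSecurity would report for this pod spec.

    runAsNonRoot and seccompProfile may be set at pod level and inherited by containers;
    a container-level value overrides the pod-level one, as in the real admission check.
    """
    pod_sc = pod["spec"].get("securityContext", {})
    violations: List[str] = []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f'unrestricted capabilities (container "{name}")')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


if __name__ == "__main__":
    print("bare pod:", restricted_violations(BARE_POD))
    print("hardened pod:", restricted_violations(HARDENED_POD))
```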
