IBMStockTrader/stocktrader-operator

PSP issues on newly-provisioned AWS EKS Clusters running 1.23+

Closed this issue · 3 comments

New EKS Clusters running version 1.23 and above are configured to use Pod Security Standards and Pod Security Admission by default. This means PodSecurityPolicies are no longer used as they are deprecated as of 1.21 and slated for removal in 1.25.

When you try to install the operator on a new 1.24 k8s cluster you get the following error when the cluster tries to start the registry server:

Message:  couldn't ensure registry server - error ensuring pod: : error creating new pod: stocktrader-: pods "stocktrader-7mbvc" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

  Reason:   RegistryServerError

At this point I don't know if we need to make a change to the k8s cluster, the operator yaml, or the registry server container to address this issue. We're going to do some investigation based on this AWS article on moving to PSS from PSP.

https://aws.amazon.com/blogs/containers/implementing-pod-security-standards-in-amazon-eks/

We ran this command to identify all the PSP items in the cluster:

kubectl get pod -A \
  -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/psp)]}{.metadata.name}{"\t"}{.metadata.annotations.kubernetes\.io/psp}{"\t"}{.metadata.namespace}{"\n"}'

aws-node-6zn4s eks.privileged kube-system
aws-node-d2q6f eks.privileged kube-system
aws-node-qw8f4 eks.privileged kube-system
coredns-d5b9bfc4-c7thl eks.privileged kube-system
coredns-d5b9bfc4-lzv9b eks.privileged kube-system
kube-proxy-54sfn eks.privileged kube-system
kube-proxy-d8mq7 eks.privileged kube-system
kube-proxy-gdkmz eks.privileged kube-system
catalog-operator-6f748dc8b9-2547k eks.privileged olm
olm-operator-d79fdcdbb-vmsxx eks.privileged olm
operatorhubio-catalog-7nmtv eks.privileged olm
packageserver-697c5b7597-6s8j5 eks.privileged olm
packageserver-697c5b7597-snwnq eks.privileged olm
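To make the four requirements in that admission error concrete, here is an added example (not code from the operator or from this issue) that checks a Pod manifest against exactly the "restricted" checks the error names, run over two constructed manifests: one shaped like the rejected registry-server pod and one with a securityContext that passes. The image name and the manifests are assumptions for illustration.

```python
REQUIRED_DROP = {"ALL"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def _ctx(obj):
    return obj.get("securityContext") or {}

def restricted_violations(pod):
    """List the 'restricted' violations for one Pod manifest (a dict).
    Mirrors the four checks quoted in the admission error above; pod-level
    runAsNonRoot/seccompProfile apply unless the container overrides them."""
    spec = pod.get("spec", {})
    pod_ctx = _ctx(spec)
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, ctx = c.get("name", "<unnamed>"), _ctx(c)
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"allowPrivilegeEscalation != false (container {name!r})")
        drop = set((ctx.get("capabilities") or {}).get("drop") or [])
        if not REQUIRED_DROP <= drop:
            violations.append(f"unrestricted capabilities (container {name!r} must drop ALL)")
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            violations.append(f"runAsNonRoot != true (pod or container {name!r})")
        seccomp = (ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(f"seccompProfile not RuntimeDefault/Localhost (pod or container {name!r})")
    return violations

# Constructed sample: the shape of the registry-server pod rejected in the error above.
REJECTED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "stocktrader-7mbvc"},
    "spec": {"containers": [{"name": "registry-server", "image": "example/registry:tag"}]},
}

# Constructed sample: the same pod with a securityContext that satisfies all four checks.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "stocktrader-7mbvc"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "registry-server", "image": "example/registry:tag",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (REJECTED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

Running a manifest through this before applying it on a 1.23+ EKS cluster shows the same four findings the admission controller would report, without waiting for the registry pod to be rejected.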

Fixed in v1.0.0 of the operator