goharbor/harbor-helm

Harbor Installation: Pod Security issue in Openshift 4.15

parseltongued opened this issue · 2 comments

Hi,

I'm trying to install Harbor via Helm, but it fails with the following. I understand it's a pod security issue; I have already put the service account in an SCC.

W0516 06:52:32.103893 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "core" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "core" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "core" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "core" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.120683 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "jobservice" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "jobservice" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "jobservice" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "jobservice" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.137475 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "portal" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "portal" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "portal" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "portal" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.152585 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "registry", "registryctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "registry", "registryctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "registry", "registryctl" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "registry", "registryctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.170394 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "data-migrator", "data-permissions-ensurer", "database" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "data-migrator", "data-permissions-ensurer", "database" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "data-migrator", "data-permissions-ensurer", "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "data-migrator", "data-permissions-ensurer", "database" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.181714 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "redis" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "redis" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "redis" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "redis" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0516 06:52:32.195128 1298392 warnings.go:70] would violate PodSecurity "restricted:v1.24": unrestricted capabilities (container "trivy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "trivy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "trivy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

How do I fix this in values.yaml?

Deployment information
OKD Cluster Version: 4.15.0-0.okd-2024-03-10-010116
Kernel version: v1.28.2-3598+6e2789bbd58938-dirty
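
As an added example (not part of the issue or of the harbor-helm chart): a small Python parser that turns PodSecurity warnings like the ones above into the container-level securityContext each container is missing. The function names are hypothetical, and where these settings belong in the chart's values.yaml is not covered here.

```python
import json
import re

# Values taken from the "must set ..." text of the warnings. seccompProfile may
# also be "Localhost"; runAsNonRoot and seccompProfile may be set at pod level.
REQUIRED = {
    "allowPrivilegeEscalation != false": ("allowPrivilegeEscalation", False),
    "unrestricted capabilities": ("capabilities", {"drop": ["ALL"]}),
    "runAsNonRoot != true": ("runAsNonRoot", True),
    "seccompProfile": ("seccompProfile", {"type": "RuntimeDefault"}),
}
HEADER = re.compile(r'would violate PodSecurity "[^"]+": ')
# One violation: <check> ([pod or ]container[s] "a", "b" must set <field>)
VIOLATION = re.compile(
    r'([^(),]+?) \((?:pod or )?containers? ("[^)]*?") must set [^)]*\)')

# Two warnings copied from the issue, with the timestamp prefix removed.
SAMPLE = '''
would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "registry", "registryctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "registry", "registryctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "registry", "registryctl" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "registry", "registryctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
would violate PodSecurity "restricted:v1.24": unrestricted capabilities (container "trivy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "trivy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "trivy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
'''


def parse_warnings(text):
    """Map each container name to the set of checks it violates."""
    findings = {}
    # Splitting on the header tolerates run-together or line-wrapped log output.
    for chunk in HEADER.split(text)[1:]:
        for check, names in VIOLATION.findall(chunk):
            for name in re.findall(r'"([^"]+)"', names):
                findings.setdefault(name, set()).add(check.strip())
    return findings


def security_context_for(checks):
    """Build the container securityContext that clears the given checks."""
    return dict(REQUIRED[c] for c in sorted(checks) if c in REQUIRED)


if __name__ == "__main__":
    for name, checks in sorted(parse_warnings(SAMPLE).items()):
        print(name, json.dumps(security_context_for(checks)))
```

The per-container output makes differences visible, for example that "trivy" is not flagged for allowPrivilegeEscalation while the other containers are.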

zyyw commented

Hi @parseltongued, we have this PR merged into main, and it will be available in harbor-helm v1.15.0. Please try harbor-helm v1.15.0 when it's released.