What happened?
oc create deployment nginx --image=nginxinc/nginx-unprivileged:stable-alpine
results in (see: oc get events):
3m59s Warning FailedCreate replicaset/nginx-7465574dbf Error creating: pods "nginx-7465574dbf-p56fr" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx-unprivileged" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx-unprivileged" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx-unprivileged" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx-unprivileged" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
What did you expect to happen?
no error
How to reproduce it (as minimally and precisely as possible)?
- oc create deployment nginx --image=nginxinc/nginx-unprivileged:stable-alpine
- oc get events
Anything else we need to know?
This seems to be a known bug with OpenShift, see
https://access.redhat.com/solutions/6976583
https://access.redhat.com/solutions/6983715
Environment
- MicroShift version (use microshift version):
MicroShift Version: 4.12.0-0.microshift-2022-11-17-084702-untagged
Base OCP Version: 4.12.0-0.nightly-2022-11-07-181244
- Hardware configuration:
X86, 2CPU, 4GB, 200GB disk
- OS (e.g: cat /etc/os-release):
NAME="Red Hat Enterprise Linux"
VERSION="8.7 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.7 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.7
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.7"
- Kernel (e.g. uname -a):
Linux flail1.fyre.ibm.com 4.18.0-372.32.1.el8_6.x86_64 Init #1 SMP Fri Oct 7 12:35:10 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
- Others:
Relevant logs