Description
Bug Report
What did you do?
Ran operator-sdk run bundle with --security-context-config=restricted to deploy a bundle on a cluster with PodSecurity set to restricted.
operator-sdk run bundle ttl.sh/oadp-operator-bundle-f509f50a:1h --security-context-config=restricted
What did you expect to see?
The registry pod should be created successfully with proper security context settings on all containers.
What did you see instead?
INFO[0012] Creating a File-Based Catalog of the bundle "ttl.sh/oadp-operator-bundle-f509f50a:1h"
INFO[0014] Generated a valid File-Based Catalog
FATA[0015] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "ttl-sh-oadp-operator-bundle-f509f50a-1h" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-grpc-init" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-grpc-init" must set securityContext.capabilities.drop=["ALL"])
Root Cause
In internal/olm/operator/registry/fbcindex/fbc_registry_pod.go, when SecurityContext == "restricted", the security context is only applied to:
- Pod level (f.pod.Spec.SecurityContext)
- Main container (f.pod.Spec.Containers[0].SecurityContext)
The init container registry-grpc-init (added via addGZIPInitContainer()) is never given a SecurityContext.
Proposed Fix
After setting the security context on the main container, also apply it to all init containers:
// Update all init containers with the same restrictive security context
for i := range f.pod.Spec.InitContainers {
	f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext
}
Environment
- operator-sdk version: v1.38.0 / master
- Kubernetes cluster with PodSecurity restricted:latest
Related Issues
This is a continuation of #6430, which was auto-closed due to inactivity but the bug was never fixed. That issue covered multiple security context problems; this issue is specifically scoped to the init container (registry-grpc-init) missing security context settings.
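The following is an added example, not operator-sdk's own code: it models the root cause and proposed fix above by re-running the two restricted-profile checks quoted in the error over every container, showing registry-grpc-init failing when only Containers[0] is secured and the extra init-container loop clearing it. The corev1 types are replaced by minimal stand-ins, and the main container name "registry-grpc" is a constructed placeholder.

```go
package main

import "fmt"

// Stand-ins for the k8s.io/api/core/v1 fields involved (assumption: the real code
// uses corev1 types; only the fields the checks below need are modelled here).
type Capabilities struct{ Drop []string }
type SecurityContext struct{ AllowPrivilegeEscalation *bool; Capabilities *Capabilities }
type Container struct{ Name string; SecurityContext *SecurityContext }
type PodSpec struct{ Containers, InitContainers []Container }

// restrictedSecurityContext returns the two settings the error message demands.
func restrictedSecurityContext() *SecurityContext {
	f := false
	return &SecurityContext{AllowPrivilegeEscalation: &f, Capabilities: &Capabilities{Drop: []string{"ALL"}}}
}

// applyRestricted covers containers AND init containers; the second loop is the one fbc_registry_pod.go lacks.
func applyRestricted(spec *PodSpec) {
	for i := range spec.Containers {
		spec.Containers[i].SecurityContext = restrictedSecurityContext()
	}
	for i := range spec.InitContainers {
		spec.InitContainers[i].SecurityContext = restrictedSecurityContext()
	}
}

// violations re-runs the two restricted-profile checks from the error over init and regular
// containers alike, as PodSecurity admission does; a missing context fails both.
func violations(spec *PodSpec) (out []string) {
	hasAll := func(d []string) bool { for _, x := range d { if x == "ALL" { return true } }; return false }
	for _, c := range append(append([]Container{}, spec.InitContainers...), spec.Containers...) {
		sc := c.SecurityContext
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation != false")
		}
		if sc == nil || sc.Capabilities == nil || !hasAll(sc.Capabilities.Drop) {
			out = append(out, c.Name+": capabilities.drop must contain ALL")
		}
	}
	return out
}

func main() { // constructed pod: the current code secures only Containers[0]
	spec := &PodSpec{Containers: []Container{{Name: "registry-grpc"}}, InitContainers: []Container{{Name: "registry-grpc-init"}}}
	spec.Containers[0].SecurityContext = restrictedSecurityContext()
	fmt.Println("before:", violations(spec)) // only registry-grpc-init is flagged
	applyRestricted(spec)
	fmt.Println("after:", violations(spec)) // []
}
```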