Custom SCC prevents Runner Operator v1.13.0 from starting
A US Federal customer reported that Runner Operator 1.13.0
introduced a dependency on a custom SCC (SecurityContextConstraints) that is not shipped with OpenShift, which has prevented the operator from starting.
The customer attempted to work around this by creating a custom SCC that allows the SETFCAP
capability; however, the custom SCC is still not being applied to the runner pod on OpenShift. Note that in the output below the admission controller also rejects the pod's seccomp annotations (`seccomp may not be set`) under every SCC the service account is allowed to use, and that the first group of validation errors rejects only seccomp and not SETFCAP, which is consistent with an SCC that allows SETFCAP but has no `seccompProfiles` entry. A custom SCC therefore has to allow the requested seccomp profile as well as SETFCAP, and the runner's service account must be granted `use` on it, or the pod will still fail admission.
Here's the error output they provided:
```yaml
status:
  conditions:
  - lastTransitionTime: "2023-04-20T20:06:58Z"
    message: 'pods "gitlab-runner-gltest-runner-6565fcf5d4-dp45f" is forbidden: unable
      to validate against any security context constraint: [pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod:
      Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/configure:
      Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/runner:
      Forbidden: seccomp may not be set provider "anyuid": Forbidden: not usable by
      user or serviceaccount pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod:
      Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/configure:
      Forbidden: seccomp may not be set spec.initContainers[0].securityContext.capabilities.add:
      Invalid value: "SETFCAP": capability may not be added pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/runner:
      Forbidden: seccomp may not be set spec.containers[0].securityContext.capabilities.add:
      Invalid value: "SETFCAP": capability may not be added provider "nonroot": Forbidden:
      not usable by user or serviceaccount provider "hostmount-anyuid": Forbidden:
      not usable by user or serviceaccount provider "elasticsearch-scc": Forbidden:
      not usable by user or serviceaccount provider "log-collector-scc": Forbidden:
      not usable by user or serviceaccount provider "machine-api-termination-handler":
      Forbidden: not usable by user or serviceaccount provider "hostnetwork": Forbidden:
      not usable by user or serviceaccount provider "hostaccess": Forbidden: not usable
      by user or serviceaccount provider "node-exporter": Forbidden: not usable by
      user or serviceaccount provider "privileged": Forbidden: not usable by user
      or serviceaccount provider "trident": Forbidden: not usable by user or serviceaccount]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  replicas: 0
```
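For reference, here is an added example (not the customer's manifest and not part of the GitLab Runner Operator project) of a custom SCC that would admit a pod requesting both the seccomp annotations and the SETFCAP capability seen in the error above, together with the RBAC that lets the runner's service account use it. The SCC name `gitlab-runner-setfcap`, the namespace `gitlab-runner`, the service account name `gitlab-runner-app-sa` and the `runtime/default` seccomp profile are assumptions; substitute the namespace, service account and profile that the Runner CR in the affected cluster actually uses.

```yaml
# Custom SCC: the restricted defaults plus the two things the runner pod asks
# for (a seccomp profile and the SETFCAP capability). Everything else is kept
# as tight as the stock "restricted" SCC.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: gitlab-runner-setfcap          # assumed name
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
# Without this list the SCC rejects any seccomp annotation with
# "seccomp may not be set". Assumed: the runner requests runtime/default.
# A value of '*' would allow any profile but is broader than needed.
seccompProfiles:
- runtime/default
# SETFCAP is what the init container ("configure") and the "runner"
# container add; "ALL" is still dropped first, as in restricted-v2.
allowedCapabilities:
- SETFCAP
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange                 # UID range comes from the namespace annotation
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
# Leave these empty and grant access through RBAC below instead of
# hard-coding subjects into the SCC.
users: []
groups: []
---
# Creating the SCC is not enough: the pod's service account must be allowed
# to "use" it, otherwise admission reports "not usable by user or serviceaccount".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-gitlab-runner-setfcap
  namespace: gitlab-runner             # assumed namespace of the Runner CR
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["gitlab-runner-setfcap"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-gitlab-runner-setfcap
  namespace: gitlab-runner
subjects:
- kind: ServiceAccount
  name: gitlab-runner-app-sa           # assumed: the SA the Runner CR runs pods as
  namespace: gitlab-runner
roleRef:
  kind: Role
  name: use-gitlab-runner-setfcap
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests, `oc auth can-i use securitycontextconstraints/gitlab-runner-setfcap --as=system:serviceaccount:gitlab-runner:gitlab-runner-app-sa` should answer `yes`; if it does not, the pod will keep failing with the same error regardless of what the SCC allows. Once the pod is admitted, `oc get pod <runner-pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` prints the name of the SCC that validated it, which is the quickest way to confirm the custom SCC was actually applied rather than one of the defaults.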
Relevant customer information:
- US Federal ticket (Internal access to verified US Citizens only)
- SFDC (internal)