Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Package Repositories can not be synched with PSA (restricted) enabled #7703

Open
ILZ1105 opened this issue Apr 16, 2024 · 2 comments
Open

Package Repositories can not be synched with PSA (restricted) enabled #7703

ILZ1105 opened this issue Apr 16, 2024 · 2 comments
Labels
kind/bug An issue that reports a defect in an existing feature

Comments

@ILZ1105
Copy link

ILZ1105 commented Apr 16, 2024

Describe the bug
Package Repositories can not be synched with PSA (restricted) enabled. The respective cronjobs that are created miss the required PSA settings.

To Reproduce
Steps to reproduce the behavior:

  1. Add a package repository of your choice (in my case I've added multiple OCI Repositories from a private Harbor)
  2. The Package Repository doesn't get synched because the job can not be started due to PSA (restricted) denying the Pods to be deployed
  3. Can be checked in the Events of the respective Job:
    Events:
    Type Reason Age From Message

Warning FailedCreate 3m28s (x1142 over 4d17h) job-controller (combined from similar events): Error creating: pods "apprepo-kubeapps-sync-test-r82t5-c9gdb" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "sync" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sync" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sync" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sync" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Expected behavior
The respective settings can be applied to the cronjobs:
image

Screenshots
None

Desktop (please complete the following information):

  • Kubeapps Version 2.10.0
  • Kubernetes version 1.26.5
  • Package version Helm Chart 15.0.2

Additional context
You can workaround the issue by manually adding the respective settings in all the cronjobs manually:
image
@ILZ1105 ILZ1105 added the kind/bug An issue that reports a defect in an existing feature label Apr 16, 2024
@github-project-automation github-project-automation bot moved this to 🗂 Backlog in Kubeapps Apr 16, 2024
@antgamdia
Copy link
Contributor

Thanks for reporting. PSA were added in the official bitnami chart as part of a wider standardization and it seems it's failing here. Looks like an issue, yep.
If you have a workaround and you want to send a PR adding the fix in the code, please feel more than welcome!

@ILZ1105
Copy link
Author

ILZ1105 commented Apr 16, 2024

I think Bitnami is actually fine, I'd have to doublecheck. It's all the additional repos that are being added which are missing these settings.

I'm not sure if I can propose a proper pull request to fix it myself as these repos and therefore their corresponding cronjobs are added after adding them via kubeapps (or when upgrading it seems to ditch those settings too actually, I'm guessing because they're recreated).

Been a while I've been using Github so I'm a bit rusty. :P

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug An issue that reports a defect in an existing feature
Projects
Kubeapps
Status: 🗂 Backlog
Milestone
No milestone
Development

No branches or pull requests
2 participants
@antgamdia @ILZ1105