
Relax pod admission controls when using a local catalog index #450

Conversation


csibbitt commented Sep 8, 2023

Testing

Before the change

$ ansible-playbook -e __local_build_enabled=false -e __deploy_from_bundles_enabled=true   -e __service_telemetry_bundle_image_path="quay.io/infrawatch-operators/service-telemetry-operator-bundle:nightly-head"   -e __smart_gateway_bundle_image_path="quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head"  -e pull_secret_registry="dummy"   -e pull_secret_user="dummy"   -e pull_secret_pass="dummy"   ./run-ci.yaml

[...]

TASK [stf-run-ci : Deploy SGO via OLM bundle] *******************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": "/home/csibbitt/src/github.com/infrawatch/service-telemetry-operator/build/working/operator-sdk run bundle quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head --pull-secret-name=pull-secret --ca-secret-name=registry-tls-ca --namespace=service-telemetry --timeout 600s", "delta": "0:00:18.719804", "end": "2023-09-05 16:58:19.584305", "msg": "non-zero return code", "rc": 1, "start": "2023-09-05 16:58:00.864501", "stderr": "time=\"2023-09-05T16:58:18-04:00\" level=info msg=\"Creating a File-Based Catalog of the bundle \\\"quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head\\\"\"", "stderr_lines": ["time=\"2023-09-05T16:58:18-04:00\" level=info msg=\"Creating a File-Based Catalog of the bundle \\\"quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head\\\"\""], "stdout": "time=\"2023-09-05T16:58:19-04:00\" level=info msg=\"Generated a valid File-Based Catalog\"\ntime=\"2023-09-05T16:58:19-04:00\" level=fatal msg=\"Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods \\\"infrawatch-operators-smart-gateway-operator-bundle-nightly-head\\\" is forbidden: violates PodSecurity \\\"restricted:v1.24\\\": allowPrivilegeEscalation != false (containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.capabilities.drop=[\\\"ALL\\\"]), runAsNonRoot != true (pod or containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.seccompProfile.type to \\\"RuntimeDefault\\\" or \\\"Localhost\\\")\\n\"", "stdout_lines": ["time=\"2023-09-05T16:58:19-04:00\" level=info msg=\"Generated a valid File-Based Catalog\"", 
"time=\"2023-09-05T16:58:19-04:00\" level=fatal msg=\"Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods \\\"infrawatch-operators-smart-gateway-operator-bundle-nightly-head\\\" is forbidden: violates PodSecurity \\\"restricted:v1.24\\\": allowPrivilegeEscalation != false (containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.capabilities.drop=[\\\"ALL\\\"]), runAsNonRoot != true (pod or containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \\\"registry-grpc-init\\\", \\\"registry-grpc\\\" must set securityContext.seccompProfile.type to \\\"RuntimeDefault\\\" or \\\"Localhost\\\")\\n\""]}

After the change

ansible-playbook -e __local_build_enabled=false -e __deploy_from_bundles_enabled=true   -e __service_telemetry_bundle_image_path="quay.io/infrawatch-operators/service-telemetry-operator-bundle:nightly-head"   -e __smart_gateway_bundle_image_path="quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head"  -e pull_secret_registry="dummy"   -e pull_secret_user="dummy"   -e pull_secret_pass="dummy"   ./run-ci.yaml

[...]

        "* [info] CI Build complete. You can now run tests."
    ]
}

PLAY RECAP *********************************************************************************************************************
localhost                  : ok=58   changed=20   unreachable=0    failed=0    skipped=16   rescued=0    ignored=0

Comment on lines +143 to +144
grpcPodConfig:
securityContextConfig: legacy
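Review bot: `securityContextConfig: legacy` on lines +143 to +144 is the setting that makes the catalog registry pod run without the restricted-profile security context (per the OpenShift catalog/PSA document cited as [1] further down), so it only works together with the relaxed namespace labels; a one-line comment next to it saying the value is test-only and tied to STF-1451 would keep it from being copied into a shipped CatalogSource, and since the discussion below says the pod should already satisfy `restricted`, trying `securityContextConfig: restricted` first is the cheaper experiment before lowering the namespace to baseline.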
Member

👍🏻


@leifmadsen leifmadsen left a comment


Based on information provided in STF-1451 I'm approving these changes.

@csibbitt

test

@csibbitt

Copying some context from our OOB discussion...

This patch does not affect the production deployment of STF, only the mid-stream integration testing.

There are two scenarios currently failing without my new patch.

deploy_from_index_enabled - It uses create_catalog.yml to create its own local CatalogSource

deploy_from_bundles_enabled - It uses operator-sdk run bundle, which in turn will create its own local CatalogSource

The problem is that in 4.14, the CatalogSource registry containers don't run in our namespace without the patch.

The patch relaxes enforcement to the "baseline" level, same as the openshift-marketplace namespace where all the other CatalogSources live. After a surface investigation, it looks like we should be meeting the requirements for running in the "restricted" profile[1] (without the labels in my patch) so I'm not sure what's going on there.

We could likely solve the from_index case by moving the CatalogSource into openshift-marketplace like all the others, but I expect this would be subverting an intent to keep the testing from affecting other namespaces ("real" CatalogSources go in the "real" namespace, but our temporary local-testing CatalogSource stays in our namespace). I don't see a way to do this for the from_bundles case, anyways.

In the end, this doesn't even affect the artifacts that we ship, just our testing. We could catch any compliance regressions in STF itself by testing nightly builds from the upstream catalog (where we install the CatalogSource into openshift-marketplace [2]) . My only reservation is that this testing would be more valuable if done on downstream artifacts (where we rely on from_bundles because there is no published catalog), so there is definitely an argument for following up on this.

[1] https://docs.openshift.com/container-platform/4.13/operators/admin/olm-managing-custom-catalogs.html#olm-catalog-sources-and-psa_olm-managing-custom-catalogs
[2]
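The admission error quoted in the PR description names four restricted-profile checks (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile). As an added illustration, not code from this PR, from OLM or from the service-telemetry-operator repository, the Python below evaluates exactly those four checks against constructed pod specs and shows why the same registry pod is rejected under a namespace labelled `enforce=restricted` but admitted under `enforce=baseline`. The pod specs, the placeholder image names and the helper names are assumptions made for the example; baseline's own checks are not modelled, and a missing enforce label is treated as `privileged`, the upstream Kubernetes default.

```python
"""Evaluate the four restricted-profile Pod Security Admission checks named in
the admission error above and show how the namespace enforce label changes the
outcome. Added example, not code from the PR, from OLM or from this repository.
All pod specs and namespace label sets below are constructed for illustration."""

from typing import Any

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
WARN_LABEL = "pod-security.kubernetes.io/warn"
RESTRICTED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _sc(obj: dict[str, Any]) -> dict[str, Any]:
    """securityContext of a pod or container, or {} when unset."""
    return obj.get("securityContext") or {}


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return the restricted-only violations for a pod spec (empty list = passes).

    Covers exactly the checks listed in the admission error (restricted:v1.24):
      - allowPrivilegeEscalation explicitly false on every container
      - capabilities.drop containing "ALL" on every container
      - runAsNonRoot true at pod level or on every container
      - seccompProfile.type RuntimeDefault/Localhost at pod level or per container
    A container-level field overrides the pod-level one, as the admission
    controller does. Baseline checks (privileged, hostNetwork, ...) are not modelled.
    """
    pod_sc = _sc(pod_spec)
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    violations: list[str] = []
    for c in containers:
        sc = _sc(c)
        name = c.get("name", "<unnamed>")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def admission(ns_labels: dict[str, str], pod_spec: dict[str, Any]) -> dict[str, Any]:
    """Decide admission from the namespace's PSA labels (restricted level only).

    Under enforce=restricted the pod is rejected if any violation exists; under
    baseline/privileged it is admitted here because baseline checks are not
    modelled. A missing enforce label is treated as privileged (upstream default;
    a cluster may default differently). Violations are returned either way, and
    surface as warnings when warn=restricted is set, so a relaxed namespace still
    makes regressions visible.
    """
    violations = restricted_violations(pod_spec)
    enforce = ns_labels.get(ENFORCE_LABEL, "privileged")
    admitted = not (enforce == "restricted" and violations)
    warnings = violations if ns_labels.get(WARN_LABEL) == "restricted" else []
    return {"admitted": admitted, "violations": violations, "warnings": warnings}


# Constructed: the shape the admission error describes, no securityContext set at all.
LEGACY_REGISTRY_POD = {
    "initContainers": [{"name": "registry-grpc-init", "image": "example.invalid/registry:placeholder"}],
    "containers": [{"name": "registry-grpc", "image": "example.invalid/registry:placeholder"}],
}

# Constructed: the same pod with the fields the error asks for, so restricted admits it.
_RESTRICTED_CONTAINER_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
HARDENED_REGISTRY_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "registry-grpc-init", "image": "example.invalid/registry:placeholder",
                        "securityContext": dict(_RESTRICTED_CONTAINER_SC)}],
    "containers": [{"name": "registry-grpc", "image": "example.invalid/registry:placeholder",
                    "securityContext": dict(_RESTRICTED_CONTAINER_SC)}],
}

RESTRICTED_NS = {ENFORCE_LABEL: "restricted", WARN_LABEL: "restricted"}
# Constructed to mirror the PR's relaxation; warn kept at restricted so regressions still surface.
RELAXED_NS = {ENFORCE_LABEL: "baseline", WARN_LABEL: "restricted"}

if __name__ == "__main__":
    for ns_name, ns in (("restricted", RESTRICTED_NS), ("baseline", RELAXED_NS)):
        for pod_name, pod in (("legacy", LEGACY_REGISTRY_POD), ("hardened", HARDENED_REGISTRY_POD)):
            result = admission(ns, pod)
            print(f"{ns_name:10} {pod_name:8} admitted={result['admitted']} "
                  f"violations={len(result['violations'])} warnings={len(result['warnings'])}")
```

Running it prints one line per namespace/pod combination: the legacy-shaped pod produces eight violations (four per container) and is admitted only under the baseline namespace, while the hardened pod is admitted under both. Keeping the `warn` label at `restricted` when `enforce` is lowered is the cheap way to keep the same violation list visible in the test namespace, which is the compliance-regression signal the comment above worries about losing.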

@csibbitt

In terms of CI testing, 8b54a3c passed the 4.12 Jenkins CI gate, proving that this isn't hopelessly broken. The actual code path of the change isn't tested here, only downstream, so now that everything else has turned green I'm going to merge this.

@csibbitt csibbitt merged commit 59a40d2 into master Sep 19, 2023
9 checks passed
@csibbitt csibbitt deleted the csibbitt/STF-1451/relax_pod_security_admission_for_local_catalogs branch September 19, 2023 14:18