AUTH-133: manifests/deployment: comply to restricted pod security level

[s-urbaniak]

Starting from OpenShift 4.11 pod security admission is being activated. In OpenShift the default pod security admission level is going to be restricted. This PR fixes workloads from this repository. Concretely, the following violations have been detected:

{
  "objectRef": "openshift-insights/deployments/insights-operator",
  "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"insights-operator\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabili
ties (container \"insights-operator\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"insights-operator\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"insights-op
erator\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
}

/cc @stlaz

[tremes]

Hi @s-urbaniak thanks for the PR. Can you please elaborate about the violation? I am not sure I fully understand. What is runAsUser: 65534 (looks like magic number to me :)) please?

[s-urbaniak]

With Kubernetes 1.24 and OpenShift 4.11 we are enabling pod security admission:

1. upstream KEP https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md
2. Initial downstream OEP: https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission.md
3. The Pod Security Admission label syncer for SCCs (not relevant for you workload as insights operator is core): authentication: add enhancement on PSa autolabeling enhancements#1010
4. @stlaz 's email on aos-devel [aos-devel] [IMPORTANT] Pod Admission Changes from Wed, Apr 20

65534 is simply the nobody user on RHCOS (and most linux system)

[s-urbaniak]

With these settings here your workload will comply to the restricted pod security level as per https://kubernetes.io/docs/concepts/security/pod-security-standards/.

[tremes]

/approve

[tremes]

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: s-urbaniak, tremes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [tremes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stlaz]

/lgtm

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[s-urbaniak]

/label docs-approved

[s-urbaniak]

/label px-approved

[s-urbaniak]

/label qe-approved

[s-urbaniak]

Setting labels here as this will be covered by PX, QE, Docs under the umbrella of the https://issues.redhat.com/browse/AUTH-133 epic.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@s-urbaniak: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.