Bug Report
x$ operator-sdk scorecard ./testdata/go/v3/memcached-operator/bundle/
W0709 11:17:16.475078 11104 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "scorecard-untar", "scorecard-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "scorecard-untar", "scorecard-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
What did you do?
Run the scorecard tests for the sample ./testdata/go/v3/memcached-operator/bundle/
What did you expect to see?
No alerts or WARNS regards the scorecard containers would be violating the Pod Security Standards
What did you see instead? Under which circumstances?
The containers violate the definition and cannot run as restricted
Environment
Operator type:
/language go
/language ansible
/language helm
Kubernetes cluster type:
Kind 'k8s 1.24
$ operator-sdk version
$ operator-sdk version
operator-sdk version: "v1.22.0-21-ge7c9b74e-dirty", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "darwin", GOARCH: "amd64"
$ go version (if language is Go)
go 1.18
Possible Solution
Ensure that the Pod/Containers used for Scorecard can run as restricted:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
...
containers:
- name: controller-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
However, if the Scorecard image used does not define a USER we might check the following error:
"container has runAsNonRoot and image will run as root …
Then, in this case, we can define a USER in the Dockerfile instead of using runAsUser in the security context, such as:
USER 65532:65532
OR
USER 1001
Additional context
https://master.sdk.operatorframework.io/docs/best-practices/pod-security-standards/
Bug Report
What did you do?
Run the scorecard tests for the sample
./testdata/go/v3/memcached-operator/bundle/What did you expect to see?
No alerts or WARNS regards the scorecard containers would be violating the Pod Security Standards
What did you see instead? Under which circumstances?
The containers violate the definition and cannot run as restricted
Environment
Operator type:
/language go
/language ansible
/language helm
Kubernetes cluster type:
Kind 'k8s 1.24
$ operator-sdk version$ operator-sdk version
operator-sdk version: "v1.22.0-21-ge7c9b74e-dirty", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "darwin", GOARCH: "amd64"
$ go version(if language is Go)go 1.18
Possible Solution
Ensure that the Pod/Containers used for Scorecard can run as restricted:
However, if the Scorecard image used does not define a USER we might check the following error:
"container has runAsNonRoot and image will run as root …Then, in this case, we can define a USER in the Dockerfile instead of using runAsUser in the security context, such as:
Additional context
https://master.sdk.operatorframework.io/docs/best-practices/pod-security-standards/