Posted to commits@camel.apache.org by "oscerd (via GitHub)" <gi...@apache.org> on 2023/10/02 09:07:56 UTC
[I] Camel K doesn't install on a restricted namespace [camel-k]
oscerd opened a new issue, #4786:
URL: https://github.com/apache/camel-k/issues/4786
### What happened?
On a restricted namespace Camel K won't get installed.
### Steps to reproduce
If you install the latest minikube
`minikube start --addons registry --driver=docker --alsologtostderr`
and then create a restricted namespace
`kubectl create namespace test-restricted`
and then apply the required bits to restrict the namespace
`kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted`
With Kamel 2.0.1 trying to do the installation
`kamel install --namespace=test-restricted --olm=false`
The operator will return the following
```
message: 'pods "camel-k-operator-76dc496fdb-hrlll" is forbidden: violates PodSecurity
"restricted:latest": allowPrivilegeEscalation != false (container "camel-k-operator"
must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
(container "camel-k-operator" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "camel-k-operator" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "camel-k-operator" must set securityContext.seccompProfile.type
to "RuntimeDefault" or "Localhost")'
```
Reproduced on Minikube 1.31.2
It's not uncommon to have some security restrictions on a particular namespace.
### Relevant log output
```shell
kamel dump --namespace test-restricted
```
Will generate the following error:
```yaml
---
Found 1 deployments:
---
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-10-02T07:52:11Z"
  generation: 1
  labels:
    app: camel-k
    app.kubernetes.io/component: operator
    app.kubernetes.io/name: camel-k
    app.kubernetes.io/version: 2.0.1
    camel.apache.org/component: operator
    name: camel-k-operator
  managedFields:
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:camel.apache.org/component: {}
          f:name: {}
      f:spec:
        f:progressDeadlineSeconds: {}
        f:replicas: {}
        f:revisionHistoryLimit: {}
        f:selector: {}
        f:strategy:
          f:type: {}
        f:template:
          f:metadata:
            f:labels:
              .: {}
              f:app: {}
              f:app.kubernetes.io/component: {}
              f:app.kubernetes.io/name: {}
              f:app.kubernetes.io/version: {}
              f:camel.apache.org/component: {}
              f:name: {}
          f:spec:
            f:containers:
              k:{"name":"camel-k-operator"}:
                .: {}
                f:args: {}
                f:command: {}
                f:env:
                  .: {}
                  k:{"name":"KAMEL_OPERATOR_ID"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"LOG_LEVEL"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"NAMESPACE"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                  k:{"name":"OPERATOR_ID"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"OPERATOR_NAME"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POD_NAME"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                  k:{"name":"WATCH_NAMESPACE"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                f:image: {}
                f:imagePullPolicy: {}
                f:livenessProbe:
                  .: {}
                  f:failureThreshold: {}
                  f:httpGet:
                    .: {}
                    f:path: {}
                    f:port: {}
                    f:scheme: {}
                  f:initialDelaySeconds: {}
                  f:periodSeconds: {}
                  f:successThreshold: {}
                  f:timeoutSeconds: {}
                f:name: {}
                f:ports:
                  .: {}
                  k:{"containerPort":8080,"protocol":"TCP"}:
                    .: {}
                    f:containerPort: {}
                    f:name: {}
                    f:protocol: {}
                f:resources: {}
                f:terminationMessagePath: {}
                f:terminationMessagePolicy: {}
            f:dnsPolicy: {}
            f:restartPolicy: {}
            f:schedulerName: {}
            f:securityContext: {}
            f:serviceAccount: {}
            f:serviceAccountName: {}
            f:terminationGracePeriodSeconds: {}
    manager: kamel
    operation: Update
    time: "2023-10-02T07:52:11Z"
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:deployment.kubernetes.io/revision: {}
      f:status:
        f:conditions:
          .: {}
          k:{"type":"Available"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"Progressing"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"ReplicaFailure"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
        f:observedGeneration: {}
        f:unavailableReplicas: {}
    manager: kube-controller-manager
    operation: Update
    subresource: status
    time: "2023-10-02T07:52:11Z"
  name: camel-k-operator
  namespace: test-restricted
  resourceVersion: "708"
  uid: b99273e5-2292-41a9-82b5-7b4e5d46b0d3
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: camel-k-operator
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: camel-k
        app.kubernetes.io/component: operator
        app.kubernetes.io/name: camel-k
        app.kubernetes.io/version: 2.0.1
        camel.apache.org/component: operator
        name: camel-k-operator
    spec:
      containers:
      - args:
        - --monitoring-port=8080
        - --health-port=8081
        command:
        - kamel
        - operator
        env:
        - name: WATCH_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: OPERATOR_NAME
          value: camel-k
        - name: OPERATOR_ID
          value: camel-k
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: KAMEL_OPERATOR_ID
          value: camel-k
        - name: LOG_LEVEL
          value: info
        image: docker.io/apache/camel-k:2.0.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8081
            scheme: HTTP
          initialDelaySeconds: 20
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: camel-k-operator
        ports:
        - containerPort: 8080
          name: metrics
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: camel-k-operator
      serviceAccountName: camel-k-operator
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: Created new replica set "camel-k-operator-76dc496fdb"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: 'pods "camel-k-operator-76dc496fdb-hrlll" is forbidden: violates PodSecurity
      "restricted:latest": allowPrivilegeEscalation != false (container "camel-k-operator"
      must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
      (container "camel-k-operator" must set securityContext.capabilities.drop=["ALL"]),
      runAsNonRoot != true (pod or container "camel-k-operator" must set securityContext.runAsNonRoot=true),
      seccompProfile (pod or container "camel-k-operator" must set securityContext.seccompProfile.type
      to "RuntimeDefault" or "Localhost")'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1
```
### Camel K version
2.0.1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
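The four controls in the admission message above are exactly the ones the Pod Security Standard "restricted" profile enforces. The following is an added example, not Camel K project code and not the fix the project later shipped: a small Python check that evaluates a pod spec against those four controls (plus the "only NET_BIND_SERVICE may be added" half of the capabilities control, which the profile includes but the issue's error does not mention), run first on the operator pod template transcribed from the `kamel dump` output above, then on a hardened copy carrying the minimal `securityContext` that satisfies the profile. The hardened values are an assumption about what a compliant spec looks like, not the project's actual manifest, and the check is a local approximation of the PodSecurity admission logic, not a replacement for it.

```python
"""Local check of a pod spec against the PodSecurity 'restricted' controls
named in the Camel K issue, plus the minimal securityContext that passes them.

Added example, not Camel K project code. The pod spec below is transcribed
from the `kamel dump` output in the issue (constructed input, reduced to the
fields that matter); the hardened variant is an assumed compliant shape, not
the manifest the project shipped.
"""
from copy import deepcopy

# Constructed input: the operator pod template from the issue's dump.
# Both the pod-level and the container-level securityContext are empty,
# which is why every restricted control fails.
OPERATOR_POD_SPEC = {
    "securityContext": {},
    "containers": [
        {
            "name": "camel-k-operator",
            "image": "docker.io/apache/camel-k:2.0.1",
            "command": ["kamel", "operator"],
        }
    ],
}

# Controls the restricted profile accepts at either pod or container level.
_POD_OR_CONTAINER = ("runAsNonRoot", "seccompProfile")


def _resolve(container, pod_spec, key):
    """Resolve a setting the way PodSecurity does: the container value wins
    when present, otherwise fall back to the pod-level value for the keys
    that may be set there. allowPrivilegeEscalation and capabilities are
    container-only and never fall back."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    if key in _POD_OR_CONTAINER:
        return (pod_spec.get("securityContext") or {}).get(key)
    return None


def restricted_violations(pod_spec):
    """Return one finding string per failed 'restricted' control, for every
    container and initContainer, wording mirroring the admission error."""
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c["name"]
        if _resolve(c, pod_spec, "allowPrivilegeEscalation") is not False:
            findings.append(f"allowPrivilegeEscalation != false (container {name!r})")
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"unrestricted capabilities (container {name!r} must drop ALL)")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            findings.append(f"capabilities added beyond NET_BIND_SERVICE (container {name!r}): {sorted(extra)}")
        if _resolve(c, pod_spec, "runAsNonRoot") is not True:
            findings.append(f"runAsNonRoot != true (pod or container {name!r})")
        profile = _resolve(c, pod_spec, "seccompProfile") or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"seccompProfile (pod or container {name!r} must be RuntimeDefault or Localhost)")
    return findings


def harden(pod_spec):
    """Return a copy with the minimal securityContext that satisfies the
    restricted profile: runAsNonRoot and seccompProfile at pod level (so they
    cover every container), privilege escalation and capabilities per
    container (they cannot be set at pod level). Assumed shape, not Camel K's."""
    spec = deepcopy(pod_spec)
    spec["securityContext"] = {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        }
    return spec


if __name__ == "__main__":
    for f in restricted_violations(OPERATOR_POD_SPEC):
        print("FAIL:", f)
    print("hardened spec violations:", restricted_violations(harden(OPERATOR_POD_SPEC)))
```

Two things are worth noting when reproducing the issue. The reproduction labels the namespace with both `enforce=restricted` and `warn=restricted`; enforce only rejects the Pod, which is why the failure lands on the ReplicaSet's `FailedCreate` condition rather than on `kamel install`, while warn makes `kubectl apply` of the Deployment itself print the same four violations as warnings, so they can be caught before anything is created. And `runAsNonRoot: true` alone is not enough at runtime if the image's user is root: the kubelet will refuse to start the container, so the image must declare a non-root user or the spec must also set `runAsUser`.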
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez closed issue #4786: Camel K doesn't install on a restricted namespace
URL: https://github.com/apache/camel-k/issues/4786
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "oscerd (via GitHub)" <gi...@apache.org>.
oscerd commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1744512021
I'll try later on that. Thanks @gansheer and sorry for not trying the nightly release.
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1742682974
By default, we don't apply any security context on the operator. We should work the other way around, setting context with minimum required privileges by default.
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1744511280
> This issue has already been fixed on main (future 2.1.x) by this #4740. I was wondering if we could change some e2e tests configuration to have most of the test on privileged namespace. WDYT @oscerd @squakez ?
I think it is not strictly necessary here. I mean, the main problem would be setting up Kind to run on such configuration. What's important is that we do have at least a test that verifies that the default installation provides the required security settings.
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "gansheer (via GitHub)" <gi...@apache.org>.
gansheer commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1744493344
It has already been fixed on main (future 2.1.x) by this #4740.
I was wondering if we could change some e2e tests configuration to have most of the test on privileged namespace. WDYT @oscerd @squakez ?
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1744508452
Thanks for checking @gansheer .
@oscerd can you please confirm if that solves the original request? I guess you may have a look at the nightly release to confirm that.
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "gansheer (via GitHub)" <gi...@apache.org>.
gansheer commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1744525395
> I'll try later on that. Thanks @gansheer and sorry for not trying the nightly release.
No Problem, that was actually some left-over from the original feature.
> I think it is not strictly necessary here. I mean, the main problem would be setting up Kind to run on such configuration. What's important is that we do have at least a test that verifies that the default installation provides the required security settings.
The helm, olm and kustomize install e2e tests are missing the check. I will consolidate them.
Re: [I] Camel K doesn't install on a restricted namespace [camel-k]
Posted by "gansheer (via GitHub)" <gi...@apache.org>.
gansheer commented on issue #4786:
URL: https://github.com/apache/camel-k/issues/4786#issuecomment-1742675770
@oscerd most of the work has been done for OpenShift on restricted configurations. I will look into it.