
Package Repositories can not be synched with PSA (restricted) enabled #7703

Open
@ILZ1105


Describe the bug
Package Repositories can not be synched with PSA (restricted) enabled. The respective cronjobs that are created miss the required PSA settings.

To Reproduce
Steps to reproduce the behavior:

  1. Add a package repository of your choice (in my case I've added multiple OCI Repositories from a private Harbor)
  2. The Package Repository doesn't get synched because the job can not be started due to PSA (restricted) denying the Pods to be deployed
  3. Can be checked in the Events of the respective Job:
    Events:
    Type     Reason        Age                       From            Message
    Warning  FailedCreate  3m28s (x1142 over 4d17h)  job-controller  (combined from similar events): Error creating: pods "apprepo-kubeapps-sync-test-r82t5-c9gdb" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "sync" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sync" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sync" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sync" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Expected behavior
The respective settings can be applied to the cronjobs:
image

Screenshots
None

Desktop (please complete the following information):

  • Kubeapps Version 2.10.0
  • Kubernetes version 1.26.5
  • Package version Helm Chart 15.0.2

Additional context
You can work around the issue by manually adding the respective settings in all the cronjobs:
image
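
As an added example (not part of the original issue and not Kubeapps code), the following Python script checks a CronJob manifest against the four controls listed in the FailedCreate event above and shows a container securityContext that satisfies them. It assumes the manifest is already loaded as a dict; the CronJob name and image are constructed placeholders, and the function names are hypothetical.

```python
import copy

# Container-level settings that the FailedCreate event asks for.
RESTRICTED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}

def _containers(cronjob):
    pod = cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return pod, pod.get("containers", []) + pod.get("initContainers", [])

def restricted_violations(cronjob):
    """Check only the four controls named in the event, not the full profile."""
    pod, containers = _containers(cronjob)
    pod_sc = pod.get("securityContext") or {}
    out = []
    for c in containers:
        sc = c.get("securityContext") or {}
        # Container-level only: must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'{c["name"]}: allowPrivilegeEscalation != false')
        # Container-level only: the drop list must contain ALL.
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            out.append(f'{c["name"]}: unrestricted capabilities')
        # Pod or container level; a container value overrides the pod value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f'{c["name"]}: runAsNonRoot != true')
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f'{c["name"]}: seccompProfile')
    return out

def harden(cronjob):
    """Return a copy with RESTRICTED_SC merged into every container."""
    fixed = copy.deepcopy(cronjob)
    for c in _containers(fixed)[1]:
        c["securityContext"] = {**(c.get("securityContext") or {}), **copy.deepcopy(RESTRICTED_SC)}
    return fixed

# Constructed sample: CronJob name and image are placeholders, not Kubeapps values.
UNHARDENED = {"kind": "CronJob", "metadata": {"name": "apprepo-sync-example"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
        {"name": "sync", "image": "registry.example/sync:placeholder"}]}}}}}}

if __name__ == "__main__":
    print("\n".join(restricted_violations(UNHARDENED)))
    print("after hardening:", restricted_violations(harden(UNHARDENED)))
```

The check covers only the fields quoted in the event message; the restricted profile has further controls that this script does not evaluate.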


Labels: kind/bug (An issue that reports a defect in an existing feature)