diff --git a/changelog/fragments/fix-fbc-init-container-security-context.yaml b/changelog/fragments/fix-fbc-init-container-security-context.yaml
new file mode 100644
index 00000000000..97383fe55a8
--- /dev/null
+++ b/changelog/fragments/fix-fbc-init-container-security-context.yaml
@@ -0,0 +1,10 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+ - description: >
+ Fixed `operator-sdk run bundle` with `--security-context-config=restricted` to apply
+ the restricted security context to init containers (`registry-grpc-init`), not just
+ the main container. This resolves PodSecurity violations on clusters with
+ `restricted` policy enforcement.
+ kind: bugfix
+ breaking: false
diff --git a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
index 4abc2f238af..eb15579eea9 100644
--- a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
+++ b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
@@ -148,8 +148,7 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
 },
 }
- // Update the Registry Pod container security context to be restrictive
- f.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+ restrictedSecurityContext := &corev1.SecurityContext{
 Privileged: pointer.To(false),
 ReadOnlyRootFilesystem: pointer.To(false),
 AllowPrivilegeEscalation: pointer.To(false),
@@ -157,6 +156,14 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
 Drop: []corev1.Capability{"ALL"},
 },
 }
+
+ // Update the Registry Pod container security context to be restrictive
+ f.pod.Spec.Containers[0].SecurityContext = restrictedSecurityContext
+
+ // Update all init containers with the same restrictive security context
+ for i := range f.pod.Spec.InitContainers {
+ f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext
+ }
 }
 if f.ImagePullPolicy == "" {
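Review bot: In the second hunk of fbc_registry_pod.go the main container and every init container are assigned the same `*corev1.SecurityContext` pointer (and through it the same `Drop` capability slice), so any later per-container adjustment of `SecurityContext` or its `Capabilities` would silently rewrite the restrictions on all of them. Giving each container its own copy keeps the hardening independent: `f.pod.Spec.Containers[0].SecurityContext = restrictedSecurityContext.DeepCopy()` and, inside the loop, `f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext.DeepCopy()`. The struct literal is split across the two hunks, so fields set between them (for example `RunAsNonRoot` or a `SeccompProfile`) are not visible here; if none of them is set, the PodSecurity `restricted` profile the changelog refers to may still reject the pod, which is worth confirming against the full literal. The enclosing `Create` method begins before the first hunk and continues past the last.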