Brief Description
-----------------
Attempting to apply ptp-notification results in the ptp-ptp-notification daemonset being unable to start its pods with a PodSecurity error.
Severity
--------
Critical: System/Feature is not usable due to the defect
Steps to Reproduce
------------------
system host-label-assign controller-0 ptp-notification=true
system host-label-assign controller-0 ptp-registration=true
system application-upload /usr/local/share/applications/helm/ptp-notification-<version>.tgz
system application-apply ptp-notification
Expected Behavior
------------------
ptp-ptp-notification daemonset schedules and starts the ptp-notification pod.
Actual Behavior
----------------
Pod fails to create with error:
Error creating: pods "ptp-ptp-notification-qlf5h" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
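The three findings in that message are the ones a baseline-level PodSecurity admission check makes before the pod ever reaches a node. The following is an added example, not StarlingX or Kubernetes code: it re-implements the relevant baseline rules (privileged containers, non-default added capabilities, hostPath volumes, host namespaces) and runs them over a constructed pod spec whose container and volume names are taken from the event. The namespace name, image and hostPath paths in that spec are assumptions, as is the exact ordering of the findings.

```python
"""Check a pod spec against the PodSecurity "baseline" rules cited in the
FailedCreate event above.  Added example, not StarlingX or Kubernetes code:
the pod manifest is constructed to mirror only the fields the event names,
and the namespace name, image and hostPath paths are assumptions."""
from typing import Dict, List, Tuple

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
LEVELS = ("privileged", "baseline", "restricted")

# Capabilities that baseline permits in securityContext.capabilities.add.
# Names are compared as written in the manifest; "CAP_SYS_ADMIN" is not here.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

# Constructed pod, modelled on the event message (container and volume names
# are from the event; namespace, image and host paths are assumed).
PTP_POD = {
    "metadata": {"name": "ptp-ptp-notification-qlf5h", "namespace": "example-ns"},
    "spec": {
        "containers": [{
            "name": "ptp-notification-ptptracking",
            "image": "example.invalid/ptp-tracking:0",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["CAP_SYS_ADMIN"]},
            },
        }],
        "volumes": [
            {"name": "ptpdir", "hostPath": {"path": "/var/run/ptp"}},
            {"name": "varrun", "hostPath": {"path": "/var/run"}},
            {"name": "pmc", "hostPath": {"path": "/usr/sbin/pmc"}},
            {"name": "conf", "hostPath": {"path": "/etc/ptp4l.conf"}},
        ],
    },
}


def enforce_level(ns_labels: Dict[str, str]) -> str:
    """Effective enforce level for a namespace; an unlabelled namespace is 'privileged'."""
    level = ns_labels.get(ENFORCE_LABEL, "privileged")
    if level not in LEVELS:
        raise ValueError("unknown PodSecurity level: %r" % level)
    return level


def baseline_violations(pod: dict) -> List[str]:
    """Return the baseline violations in a pod spec, phrased like the admission error."""
    spec = pod["spec"]
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append("host namespaces (%s=true)" % field)
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        sc = c.get("securityContext") or {}
        added = (sc.get("capabilities") or {}).get("add") or []
        bad = [cap for cap in added if cap not in BASELINE_ALLOWED_CAPS]
        if bad:
            found.append('non-default capabilities (container "%s" must not include %s in '
                         'securityContext.capabilities.add)'
                         % (c["name"], ", ".join('"%s"' % cap for cap in bad)))
        if sc.get("privileged"):
            found.append('privileged (container "%s" must not set '
                         'securityContext.privileged=true)' % c["name"])
    host_paths = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        found.append("hostPath volumes (volumes %s)"
                     % ", ".join('"%s"' % n for n in host_paths))
    return found


def admit(pod: dict, ns_labels: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Mimic the enforce decision: (admitted?, violations)."""
    level = enforce_level(ns_labels)
    if level == "privileged":
        return True, []
    if level == "restricted":
        raise NotImplementedError("restricted adds further checks not modelled here")
    violations = baseline_violations(pod)
    return not violations, violations


if __name__ == "__main__":
    ok, why = admit(PTP_POD, {ENFORCE_LABEL: "baseline"})
    print("admitted" if ok else "forbidden: violates PodSecurity baseline: " + ", ".join(why))
```

Against a live cluster the same verdict can be obtained without touching the daemonset: `kubectl apply --dry-run=server -f <manifest>` runs the manifest through admission and returns the identical "violates PodSecurity" error, and `kubectl get ns <name> --show-labels` shows which `pod-security.kubernetes.io/*` labels are driving it. A daemonset that genuinely needs host access can only pass by changing one side of that check: the namespace's enforce level, or the pod spec's privileged, capability and hostPath requests.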
Reproducibility
---------------
100%
System Configuration
--------------------
AIO-SX
Branch/Pull Time/Commit
-----------------------
master
Last Pass
---------
Appears to be related to the changes made in this review
https://review.opendev.org/c/starlingx/config/+/833487
Timestamp/Logs
--------------
Events:
  Type     Reason        Age                  From                  Message
  ----     ------        ---                  ----                  -------
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-qlf5h" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-sngr6" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-6jngz" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-v2vr5" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-blspq" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m43s                daemonset-controller  Error creating: pods "ptp-ptp-notification-w4l85" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m42s                daemonset-controller  Error creating: pods "ptp-ptp-notification-7g658" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m42s                daemonset-controller  Error creating: pods "ptp-ptp-notification-877jc" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m41s                daemonset-controller  Error creating: pods "ptp-ptp-notification-whw7w" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning  FailedCreate  59s (x7 over 3m40s)  daemonset-controller  (combined from similar events): Error creating: pods "ptp-ptp-notification-79vxn" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
Test Activity
-------------
Normal use
Workaround
----------
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/845852