Camel K doesn't install on a restricted namespace #4786

Closed
oscerd opened this issue Oct 2, 2023 · 7 comments · Fixed by #4787
kind/bug Something isn't working

@oscerd
Contributor

oscerd commented Oct 2, 2023

What happened?

On a restricted namespace Camel K won't get installed.

Steps to reproduce

If you install the latest minikube

minikube start --addons registry --driver=docker --alsologtostderr

and then create a restricted namespace

kubectl create namespace test-restricted

and then apply the required bits to restrict the namespace

kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted

With Kamel 2.0.1 trying to do the installation

kamel install --namespace=test-restricted --olm=false

The operator will return the following


    message: 'pods "camel-k-operator-76dc496fdb-hrlll" is forbidden: violates PodSecurity
      "restricted:latest": allowPrivilegeEscalation != false (container "camel-k-operator"
      must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
      (container "camel-k-operator" must set securityContext.capabilities.drop=["ALL"]),
      runAsNonRoot != true (pod or container "camel-k-operator" must set securityContext.runAsNonRoot=true),
      seccompProfile (pod or container "camel-k-operator" must set securityContext.seccompProfile.type
      to "RuntimeDefault" or "Localhost")'

Reproduced on Minikube 1.31.2

It's not uncommon to have some security restrictions on a particular namespace.

Relevant log output

`kamel dump --namespace test-restricted`

Will generate the following error

---
Found 1 deployments:
---
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-10-02T07:52:11Z"
  generation: 1
  labels:
    app: camel-k
    app.kubernetes.io/component: operator
    app.kubernetes.io/name: camel-k
    app.kubernetes.io/version: 2.0.1
    camel.apache.org/component: operator
    name: camel-k-operator
  managedFields:
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:camel.apache.org/component: {}
          f:name: {}
      f:spec:
        f:progressDeadlineSeconds: {}
        f:replicas: {}
        f:revisionHistoryLimit: {}
        f:selector: {}
        f:strategy:
          f:type: {}
        f:template:
          f:metadata:
            f:labels:
              .: {}
              f:app: {}
              f:app.kubernetes.io/component: {}
              f:app.kubernetes.io/name: {}
              f:app.kubernetes.io/version: {}
              f:camel.apache.org/component: {}
              f:name: {}
          f:spec:
            f:containers:
              k:{"name":"camel-k-operator"}:
                .: {}
                f:args: {}
                f:command: {}
                f:env:
                  .: {}
                  k:{"name":"KAMEL_OPERATOR_ID"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"LOG_LEVEL"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"NAMESPACE"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                  k:{"name":"OPERATOR_ID"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"OPERATOR_NAME"}:
                    .: {}
                    f:name: {}
                    f:value: {}
                  k:{"name":"POD_NAME"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                  k:{"name":"WATCH_NAMESPACE"}:
                    .: {}
                    f:name: {}
                    f:valueFrom:
                      .: {}
                      f:fieldRef: {}
                f:image: {}
                f:imagePullPolicy: {}
                f:livenessProbe:
                  .: {}
                  f:failureThreshold: {}
                  f:httpGet:
                    .: {}
                    f:path: {}
                    f:port: {}
                    f:scheme: {}
                  f:initialDelaySeconds: {}
                  f:periodSeconds: {}
                  f:successThreshold: {}
                  f:timeoutSeconds: {}
                f:name: {}
                f:ports:
                  .: {}
                  k:{"containerPort":8080,"protocol":"TCP"}:
                    .: {}
                    f:containerPort: {}
                    f:name: {}
                    f:protocol: {}
                f:resources: {}
                f:terminationMessagePath: {}
                f:terminationMessagePolicy: {}
            f:dnsPolicy: {}
            f:restartPolicy: {}
            f:schedulerName: {}
            f:securityContext: {}
            f:serviceAccount: {}
            f:serviceAccountName: {}
            f:terminationGracePeriodSeconds: {}
    manager: kamel
    operation: Update
    time: "2023-10-02T07:52:11Z"
  - apiVersion: apps/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:deployment.kubernetes.io/revision: {}
      f:status:
        f:conditions:
          .: {}
          k:{"type":"Available"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"Progressing"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"ReplicaFailure"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
        f:observedGeneration: {}
        f:unavailableReplicas: {}
    manager: kube-controller-manager
    operation: Update
    subresource: status
    time: "2023-10-02T07:52:11Z"
  name: camel-k-operator
  namespace: test-restricted
  resourceVersion: "708"
  uid: b99273e5-2292-41a9-82b5-7b4e5d46b0d3
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: camel-k-operator
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: camel-k
        app.kubernetes.io/component: operator
        app.kubernetes.io/name: camel-k
        app.kubernetes.io/version: 2.0.1
        camel.apache.org/component: operator
        name: camel-k-operator
    spec:
      containers:
      - args:
        - --monitoring-port=8080
        - --health-port=8081
        command:
        - kamel
        - operator
        env:
        - name: WATCH_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: OPERATOR_NAME
          value: camel-k
        - name: OPERATOR_ID
          value: camel-k
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: KAMEL_OPERATOR_ID
          value: camel-k
        - name: LOG_LEVEL
          value: info
        image: docker.io/apache/camel-k:2.0.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8081
            scheme: HTTP
          initialDelaySeconds: 20
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: camel-k-operator
        ports:
        - containerPort: 8080
          name: metrics
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: camel-k-operator
      serviceAccountName: camel-k-operator
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: Created new replica set "camel-k-operator-76dc496fdb"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2023-10-02T07:52:11Z"
    lastUpdateTime: "2023-10-02T07:52:11Z"
    message: 'pods "camel-k-operator-76dc496fdb-hrlll" is forbidden: violates PodSecurity
      "restricted:latest": allowPrivilegeEscalation != false (container "camel-k-operator"
      must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
      (container "camel-k-operator" must set securityContext.capabilities.drop=["ALL"]),
      runAsNonRoot != true (pod or container "camel-k-operator" must set securityContext.runAsNonRoot=true),
      seccompProfile (pod or container "camel-k-operator" must set securityContext.seccompProfile.type
      to "RuntimeDefault" or "Localhost")'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1

Camel K version

2.0.1

@oscerd oscerd added the kind/bug Something isn't working label Oct 2, 2023
@gansheer
Contributor

gansheer commented Oct 2, 2023

@oscerd most of the work has been done for openshift on restricted configurations. I will take care of adding the part here on general kubernetes security configuration from the namespace.

@squakez
Contributor

squakez commented Oct 2, 2023

By default, we don't apply any security context on the operator. We should work the other way around, setting context with minimum required privileges by default.
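The admission message in the report names four restricted-profile requirements the operator pod fails (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile), and the comment above argues the operator should ship a minimum-privilege security context by default. The following script is an added example, not Camel K project code: it re-implements those four checks over a trimmed copy of the dumped Deployment (constructed inline from the issue's dump), then applies a minimal hardened securityContext and re-checks it. It covers only the four checks quoted in the message, not the whole Pod Security "restricted" profile, and the hardened values are this example's choice, not the project's.

```python
"""Check a Deployment pod template against the four PodSecurity 'restricted'
requirements quoted in the admission error, then show a minimal hardened
securityContext that satisfies them. Added example; not Camel K code."""
import copy

# Constructed sample: trimmed from the `kamel dump` output in the issue.
# Note the empty pod securityContext and no container securityContext.
OPERATOR_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "camel-k-operator", "namespace": "test-restricted"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {},
                "containers": [
                    {
                        "name": "camel-k-operator",
                        "image": "docker.io/apache/camel-k:2.0.1",
                    }
                ],
            }
        }
    },
}

# Hardened values chosen for this example (assumption, not the project's defaults).
HARDENED_POD_SC = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
HARDENED_CONTAINER_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}


def _all_containers(pod_spec):
    return (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])


def restricted_violations(deployment):
    """Return one string per violation of the four checks named in the admission
    message. runAsNonRoot and seccompProfile may be satisfied at pod or container
    level (container value wins); the other two are per-container only."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    for c in _all_containers(pod_spec):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            violations.append(f"{name}: capabilities.drop must contain ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def harden(deployment):
    """Return a deep copy with the hardened pod- and container-level contexts merged in.
    Existing keys are preserved; only the four required fields are set."""
    out = copy.deepcopy(deployment)
    pod_spec = out["spec"]["template"]["spec"]
    pod_spec.setdefault("securityContext", {}).update(copy.deepcopy(HARDENED_POD_SC))
    for c in _all_containers(pod_spec):
        c.setdefault("securityContext", {}).update(copy.deepcopy(HARDENED_CONTAINER_SC))
    return out


if __name__ == "__main__":
    for v in restricted_violations(OPERATOR_DEPLOYMENT):
        print("violation:", v)
    print("after hardening:", restricted_violations(harden(OPERATOR_DEPLOYMENT)))
```

Running it against the trimmed dump lists the same four findings the admission controller reported, and the hardened copy passes; pointing `restricted_violations` at a manifest before `kubectl apply` gives the same answer the namespace's `enforce=restricted` label would, without a failed rollout.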

@gansheer
Contributor

gansheer commented Oct 3, 2023

This issue has already been fixed on main (future 2.1.x) by this #4740.
I was wondering if we could change some e2e tests configuration to have most of the tests on a privileged namespace. WDYT @oscerd @squakez ?

@squakez
Contributor

squakez commented Oct 3, 2023

Thanks for checking @gansheer .

@oscerd can you please confirm if that solves the original request? I guess you may have a look at the nightly release to confirm that.

@squakez
Contributor

squakez commented Oct 3, 2023

This issue has already been fixed on main (future 2.1.x) by this #4740. I was wondering if we could change some e2e tests configuration to have most of the tests on a privileged namespace. WDYT @oscerd @squakez ?

I think it is not strictly necessary here. I mean, the main problem would be setting up Kind to run on such a configuration. What's important is that we do have at least a test that verifies that the default installation provides the required security settings.

@squakez squakez added this to the 2.1.0 milestone Oct 3, 2023
@oscerd
Contributor Author

oscerd commented Oct 3, 2023

I'll try later on that. Thanks @gansheer and sorry for not trying the nightly release.

@gansheer
Contributor

gansheer commented Oct 3, 2023

I'll try later on that. Thanks @gansheer and sorry for not trying the nightly release.

No problem, that was actually some left-over from the original feature.

I think it is not strictly necessary here. I mean, the main problem would be setting up Kind to run on such a configuration. What's important is that we do have at least a test that verifies that the default installation provides the required security settings.

The helm, olm and kustomize install e2e tests are missing the check. I will consolidate them.
