Bug 2086450

Summary: aws-load-balancer-controller-cluster pod logged Podsecurity violation error during deployment
Product: OpenShift Container Platform Reporter: Hongan Li <hongli>
Component: NetworkingAssignee: aos-network-edge-staff <aos-network-edge-staff>
Networking sub component: router QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: mmasters
Version: 4.11   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-01 09:32:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hongan Li 2022-05-16 07:36:11 UTC 
Description of problem:
aws-load-balancer-controller-cluster pod logged Podsecurity violation error during deployment as below

1.6526850318382206e+09	INFO	KubeAPIWarningLogger	would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")



OpenShift release version:
4.11.0-0.nightly-2022-05-11-054135

Cluster Platform:
AWS

How reproducible:
100%

Steps to Reproduce (in detail):
1. install aws-load-balancer-operator via OperatorHub
2. create AWSLoadBalancerController resource
3. check the aws-load-balancer-operator pod logs
$ oc -n aws-load-balancer-operator logs aws-load-balancer-operator-controller-manager-9bc7f96b6-kp9gd -c manager


Actual results:
see Podsecurity violation error logs

Expected results:
should not occur

Impact of the problem:


Additional info:
This appears to be due to the PodSecurity feature gate being active by default for v1.23 k8s release and from 4.11 pod security admission level gets set as "restricted" by default. Ref: https://kubernetes.io/docs/concepts/security/pod-security-admission/

see also: https://issues.redhat.com/browse/AUTH-133


** Please do not disregard the report template; filling the template out as much as possible will allow us to help you. Please consider attaching a must-gather archive (via `oc adm must-gather`). Please review must-gather contents for sensitive information before attaching any must-gathers to a bugzilla report.  You may also mark the bug private if you wish.
Comment 1 Miciah Dashiel Butler Masters 2022-05-17 16:47:50 UTC 
This is a blocker because OpenShift 4.11 is going to enforce PodSecurity.
Comment 4 Hongan Li 2022-05-26 09:12:58 UTC 
tested with latest aws-load-balancer-operator-bundle-container-0.0.1-12 and passed.

didn't see "violate PodSecurity" anymore.
Comment 8 errata-xmlrpc 2022-08-01 09:32:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of AWS Load Balancer Operator on OperatorHub), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:5780