Bug 2089744
Field | Value | Field | Value
---|---|---|---
Summary | HCO should label its control plane namespace to admit pods at privileged security level | |
Product | Container Native Virtualization (CNV) | Reporter | Simone Tiraboschi <stirabos>
Component | Installation | Assignee | Simone Tiraboschi <stirabos>
Status | CLOSED ERRATA | QA Contact | Debarati Basu-Nag <dbasunag>
Severity | urgent | Docs Contact |
Priority | unspecified | |
Version | 4.11.0 | CC | alitke, dbasunag, kmajcher, phoracek, sasundar, sgott, stirabos
Target Milestone | --- | |
Target Release | 4.12.0 | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | hco-bundle-registry-v4.11.1-15 | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2023-01-24 13:36:17 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 2128997, 2133540, 2133541, 2133542, 2133543, 2133654, 2133655, 2133656, 2133657, 2133659, 2133660, 2140406, 2141669, 2141670, 2141671 | |
Bug Blocks | | |
Description

Simone Tiraboschi 2022-05-24 10:57:19 UTC

Petr, Stu, Adam, can you please confirm/deny that at least one of your pods is not compatible with the requirements of the restricted PSS (see: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted )?

@stirabos some of the network components use host network and host directory volumes. So IIUIC we are not compatible with the restricted PSS.

For HPP, HCO does not manage the CR, so I am wondering if this makes a difference for this requirement. Of course we still want everything to work if someone does post a CR to deploy HPP to the cluster.

This change has been postponed to 4.12.

@dbasunag we are backporting this to CNV 4.11.1 to be sure that the upgrade from OCP 4.11.z + CNV 4.11.z -> OCP 4.12 will be smooth. Please rerun the tests on a completely fresh cluster; that should provide a good environment to verify the bug.

Moving the target version to 4.12, as the majority of the dependent bugs were fixed in 4.12 with no plan to backport to 4.11.z.

Verified against
=================
Deployed: OCP-4.12.0-rc.6
Deployed: CNV-v4.12.0-769
=================
17:20:19 TEST: test_cnv_pod_security_violation_audit_logs STATUS: PASSED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408
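The thread settles on the privileged level because some CNV pods use host networking and host directory (hostPath) volumes, which the baseline profile already forbids. The script below is an added example, not code from HCO, CNV, or the fix shipped in the errata: it applies a subset of the upstream Pod Security Standards checks to pod specs, returns the most permissive level any pod in a namespace needs, and derives the pod-security.kubernetes.io/* namespace labels plus the kubectl command that applies them. The three pod specs, the image names, and the openshift-cnv namespace name are constructed for illustration.

```python
"""Derive the Pod Security Admission labels a namespace needs from its pod specs.

Added example, not HCO/CNV code. Implements a subset of the upstream
baseline and restricted checks; the sample pods below are constructed.
"""
from typing import Dict, List

LEVELS = ("restricted", "baseline", "privileged")  # least to most permissive

# Capabilities the baseline profile lets a container add (upstream list).
BASELINE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the restricted profile allows (hostPath is not among them).
RESTRICTED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(pod: dict) -> List[dict]:
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod: dict) -> List[str]:
    """Baseline checks; any hit means the pod can only run under 'privileged'."""
    spec = pod.get("spec", {})
    hits = [f for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    hits += [f"hostPath volume '{v.get('name')}'"
             for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            hits.append(f"privileged container '{c.get('name')}'")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS
        if extra:
            hits.append(f"container '{c.get('name')}' adds {sorted(extra)}")
    return hits


def restricted_violations(pod: dict) -> List[str]:
    """Restricted checks; a hit means the pod needs at least 'baseline'."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    hits = [f"volume '{v.get('name')}' type not allowed"
            for v in spec.get("volumes", [])
            if not (set(v) - {"name"}) & RESTRICTED_VOLUMES]
    for c in _containers(pod):
        name, sc = c.get("name"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            hits.append(f"container '{name}' must set allowPrivilegeEscalation: false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            hits.append(f"container '{name}' must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            hits.append(f"container '{name}' may only add NET_BIND_SERVICE")
        # Container-level settings override pod-level ones.
        non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if not non_root:
            hits.append(f"container '{name}' must run as non-root")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            hits.append(f"container '{name}' needs a RuntimeDefault or Localhost seccomp profile")
    return hits


def required_level(pod: dict) -> str:
    if baseline_violations(pod):
        return "privileged"
    if restricted_violations(pod):
        return "baseline"
    return "restricted"


def namespace_labels(pods: List[dict], version: str = "latest") -> Dict[str, str]:
    """Most permissive level any pod needs, applied to enforce, audit and warn."""
    level = max((required_level(p) for p in pods), key=LEVELS.index, default="restricted")
    labels = {}
    for mode in ("enforce", "audit", "warn"):
        labels[f"pod-security.kubernetes.io/{mode}"] = level
        labels[f"pod-security.kubernetes.io/{mode}-version"] = version
    return labels


def label_command(namespace: str, labels: Dict[str, str]) -> str:
    pairs = " ".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return f"kubectl label namespace {namespace} {pairs} --overwrite"


# Constructed specs. NETWORK_POD mirrors what the thread says about the
# network components: host network plus a host directory volume.
NETWORK_POD = {"metadata": {"name": "network-addon"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "cni-bin", "hostPath": {"path": "/opt/cni/bin"}}],
    "containers": [{"name": "agent", "image": "example/agent"}]}}
RESTRICTED_POD = {"metadata": {"name": "hco-operator"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tls", "secret": {"secretName": "hco-tls"}}],
    "containers": [{"name": "operator", "image": "example/operator", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
BASELINE_POD = {"metadata": {"name": "legacy-webhook"}, "spec": {
    "containers": [{"name": "webhook", "image": "example/webhook"}]}}

if __name__ == "__main__":
    for pod in (NETWORK_POD, RESTRICTED_POD, BASELINE_POD):
        print(pod["metadata"]["name"], "->", required_level(pod),
              baseline_violations(pod) or restricted_violations(pod))
    # Namespace name assumed for the example.
    print(label_command("openshift-cnv", namespace_labels([NETWORK_POD, RESTRICTED_POD, BASELINE_POD])))
```

Running it reports network-addon as privileged (hostNetwork and the hostPath volume), hco-operator as restricted, legacy-webhook as baseline (no seccomp profile, runs as root, no capability drop), and therefore labels the whole namespace privileged in all three modes. The labels are per namespace, so one such pod is enough to require the privileged level for every pod that shares it; the audit and warn modes can be kept at a stricter level than enforce to surface which pods are responsible, which is what the verification test's "pod security violation audit logs" check looks at.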