Bug 2090175

Summary: PodSecurity violation warning observed during must-gather log collection
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Rachael <rgeorge>
Component: must-gather
Assignee: yati padia <ypadia>
Status: CLOSED NOTABUG
QA Contact: Prasad Desala <tdesala>
Severity: medium
Priority: unspecified
Version: 4.11
CC: ebenahar, mmuench, mrajanna, muagarwa, ocs-bugs, odf-bz-bot, owasserm
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-10-06 05:31:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rachael 2022-05-25 09:57:50 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

While collecting must-gather logs in ODF 4.11, the following warning messages were observed:

[must-gather      ] OUT namespace/openshift-must-gather-nlbwn created
[must-gather      ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-xb52x created
W0525 10:34:03.298062   19288 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[must-gather      ] OUT pod for plug-in image quay.io/rhceph-dev/ocs-must-gather:latest-4.11 created
[must-gather-x29j4] POD 2022-05-25T05:04:12.733108553Z checking for existing must-gather resource
[must-gather-x29j4] POD 2022-05-25T05:04:12.882037913Z No resources found in openshift-storage namespace.
[must-gather-x29j4] POD 2022-05-25T05:04:13.029879181Z creating helper pod
[must-gather-x29j4] POD 2022-05-25T05:04:15.677545241Z W0525 05:04:15.677358      72 warnings.go:70] would violate PodSecurity "restricted:latest": hostPath volumes (volumes "dev", "sysbus", "libmodules"), privileged (container "must-gather-helper" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "must-gather-helper" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "must-gather-helper" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "sysbus", "libmodules" use restricted volume type "hostPath"), seccompProfile (pod or container "must-gather-helper" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[must-gather-x29j4] POD 2022-05-25T05:04:15.678078701Z pod/must-gather-x29j4-helper created


Version of all relevant components (if applicable):
---------------------------------------------------
OCP: 4.11.0-0.nightly-2022-05-20-213928
ODF: odf-operator.v4.11.0     full_version=4.11.0-78


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
No


Is there any workaround available to the best of your knowledge?
No


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
1


Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
-------------------

1. Run must-gather to collect ODF logs:
 # oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.11



Actual results:
---------------
Warning messages for PodSecurity violations observed


Expected results:
-----------------
No such warnings expected
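As an added illustration (not part of this bug report or of the ODF must-gather code), the checks named in the two warnings above can be written down as a small linter over a pod spec. The field names come from the warning text; the two pod specs are constructed approximations of the must-gather pod and its helper pod, not the real manifests, and the linter covers only the checks the warnings name, not the full restricted profile.

```python
# Added example: reproduce the PodSecurity "restricted:latest" checks quoted in the
# must-gather warnings. Pod specs below are constructed, not the real manifests.
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return the restricted-profile checks (as named in the warnings) a spec would violate."""
    violations = []
    pod_sc = pod_spec.get("securityContext", {})
    # restricted volume types: hostPath is not allowed at all
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f'hostPath volume "{vol["name"]}"')
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            violations.append(f'privileged (container "{name}")')
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f'unrestricted capabilities (container "{name}")')
        # runAsNonRoot and seccompProfile may be set on the pod or the container;
        # a container-level value overrides the pod-level one
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in RESTRICTED_SECCOMP:
            violations.append(f'seccompProfile (container "{name}")')
    return violations


# Constructed approximation of the pod from the first warning: two containers, no securityContext.
MUST_GATHER_POD = {
    "containers": [{"name": "gather", "image": "ocs-must-gather"},
                   {"name": "copy", "image": "ocs-must-gather"}],
}

# The same pod carrying the securityContext the warning asks for.
HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
HARDENED_POD = {
    "containers": [dict(c, securityContext=HARDENED_SC) for c in MUST_GATHER_POD["containers"]],
}

if __name__ == "__main__":
    print(restricted_violations(MUST_GATHER_POD))  # eight findings, four per container
    print(restricted_violations(HARDENED_POD))     # []
```

The helper pod in the second warning needs hostPath volumes and privileged=true for what it collects, so it cannot be made to pass these checks by editing its securityContext alone, which is why the later comments move the fix to the operators.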

Comment 3 Madhu Rajanna 2022-05-30 05:52:01 UTC
Yes, I think we need to fix this for 4.11.0, I will let Orit confirm it.

Comment 4 Orit Wasserman 2022-05-30 12:33:23 UTC
(In reply to Madhu Rajanna from comment #3)
> Yes, I think we need to fix this for 4.11.0, I will let Orit confirm it.

Correct.
We will need to consider a backport to 4.10.x as we support ODF 4.10 on OCP 4.11.

Comment 5 Mudit Agarwal 2022-06-21 04:15:38 UTC
This is delayed till OCP 4.12, hence the fix should go in 4.11 z-stream before OCP 4.12 is released.
Also, IMO must-gather is not the correct component for this BZ. We need a fix in every operator which is affected.

Comment 8 Mudit Agarwal 2022-10-06 05:31:38 UTC
This is not a must-gather issue, we already have BZs for different operators for the same issue.
e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2124593