Bug 2103126
| Summary: | must-gather namespace should have “privileged” warn and audit pod security labels besides enforce | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yash Tripathi <ytripath> |
| Component: | oc | Assignee: | Arda Guclu <aguclu> |
| oc sub component: | oc | QA Contact: | zhou ying <yinzhou> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | unspecified | CC: | jchaloup, mfojtik |
| Version: | 4.11 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.12.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-01-17 19:51:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2104589 | ||
Verified on
Client Version: 4.12.0-0.nightly-2022-07-06-221008
Kustomize Version: v4.5.4
Server Version: 4.12.0-0.nightly-2022-07-06-221008
1. $ oc adm must-gather
2. $ oc get ns openshift-must-gather-2nbjs -o yaml
Actual results:
Labels are
...
openshift.io/run-level: "0"
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
...
Expected results:
Labels should be
…
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
…
moving to Verified
"pod-security.kubernetes.io/warn: privileged" label is present now
Labels are
...
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
...
Expected results:
Labels should be
…
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
…
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399 |
Description of problem: All of the following labels should be present in the must-gather namespace pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged Version-Release number of selected component (if applicable): 4.11 How reproducible: Everytime Steps to Reproduce: 1.$ oc adm must-gather [must-gather ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:82aa287dc11d558b9af6b261fe21b753c450649a8e8e3a7e0ef3e1440d8ec3c0 ... Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") ... 2.$ oc get ns -o yaml openshift-must-gather-xntmj ... apiVersion: v1 kind: Namespace metadata: ... creationTimestamp: "2022-06-24T13:32:30Z" generateName: openshift-must-gather- labels: kubernetes.io/metadata.name: openshift-must-gather-xntmj openshift.io/run-level: "0" pod-security.kubernetes.io/enforce: privileged name: openshift-must-gather-xntmj ... Actual results: Currently only the following label is seen … pod-security.kubernetes.io/enforce: privileged … This throws a warning which confuses users as the “pod-security.kubernetes.io/warn: privileged” label is not present It also does not have “pod-security.kubernetes.io/audit: privileged” label which causes it to not match the expression at https://github.com/openshift/cluster-kube-apiserver-operator/blob/ff87de97de70b6d373a10cccc084497e44ec9bf3/bindata/assets/alerts/podsecurity-violations.yaml#L21, hence can lead to incorrect metrics Expected results: Labels should be … pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged … Additional info: