Bug 2133540

I believe that this was addressed via https://github.com/kubevirt/cluster-network-addons-operator/pull/1404 in v4.11.1-29. The problem is that errata is stuck on a build that is two weeks old.

Still happens on
CNV (HCO bundle) v4.11.1-49 (IIB: 346131)
cni-plugin: v4.11.1-5

Reproduction scenario:
I Ran the same tests that was run in the original bug scenario (https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull), with https://code.engineering.redhat.com/gerrit/c/cnv-tests/+/430017, which was also used in the original scenario, cherry-picked.
* I ran from the cluster executor rather than from the Jenkins test job.

$ poetry run pytest -svv -o log_cli=true tests/install_upgrade_operators/pod_security/test_pod_security_audit_log.py --bugzilla --jira --junit-xml xunit_results.xml --tc=region:USA --tb=native --cluster-sanity-skip-storage-check

Result (from the test output log):
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cni-plugins" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cni-plugins" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'

After discussing this issue offline, we came to a conclusion that while the component should be safe with the default security context it gets from OpenShift, we need to explicitly set it to silence the audit log.

Followed same steps from comment 2.

Still able to see the violation:

'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cni-plugins" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cni-plugins" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'

Installed CNAO version: v4.11.2-1
CNV version: 4.11.2-10
CNI plugin: 4.11.2-1

Failed ON_QA.

With the enforcement of PSA moved to 4.13, we can address this issues in 4.12.

Verified by running the same scenario from comment #2.

OCP version: 4.12.0-rc.2
CNV 4.12.0-769

(In reply to Yossi Segev from comment #8)
> Verified by running the same scenario from comment #2.
> 
> OCP version: 4.12.0-rc.2
> CNV 4.12.0-769

Also verified on 2 upgraded clusters:
OCP+CNV 4.11->4.12
OCP+CNV 4.10->4.12 (EUS upgrade).

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408