Bug 2133657

Summary: [pod security violation audit] Audit violation in "mounter" container should be fixed
Product: Container Native Virtualization (CNV) Reporter: SATHEESARAN <sasundar>
Component: StorageAssignee: Adam Litke <alitke>
Status: CLOSED NOTABUG QA Contact: Natalie Gavrielov <ngavrilo>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.11.1CC: cnv-qe-bugs, kmajcher, stirabos
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-10-13 14:02:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2089744    

Description SATHEESARAN 2022-10-11 05:43:04 UTC 
Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'mounter' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "mounter" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "mounter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "mounter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host-root" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "mounter" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "mounter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 1 Adam Litke 2022-10-13 14:02:50 UTC 
The mounter container is privileged by design.  This Pod causes a PV to be attached to the node and then makes that filesystem available to hpp so that it can use it for dynamic provisioning.