Bug 2133659

Summary: [pod security violation audit] Audit violation in "cdi-controller" container should be fixed
Product: Container Native Virtualization (CNV) Reporter: SATHEESARAN <sasundar>
Component: StorageAssignee: Michael Henriksen <mhenriks>
Status: CLOSED ERRATA QA Contact: Natalie Gavrielov <ngavrilo>
Severity: medium Docs Contact:
Priority: high    
Version: 4.11.1CC: alitke, kmajcher, mrashish, stirabos, yadu
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: CNV v4.12.0-680 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2141671 (view as bug list) Environment:
Last Closed: 2023-01-24 13:41:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2089744, 2141671    

Description SATHEESARAN 2022-10-11 05:47:07 UTC 
Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'cdi-controller' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-controller" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cdi-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 1 Maya Rashish 2022-11-09 07:57:40 UTC 
This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
Listing some recent version of CNV.

Note this required some downstream follow up-
https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236
Comment 2 Yan Du 2022-11-14 08:54:40 UTC 
Test on CNV v4.12.0-682, no cdi-controller container 'pod security violation' error in audit logs.
Comment 6 errata-xmlrpc 2023-01-24 13:41:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408