Bug 2139099
| Summary: | `PodSecurityViolation` alert is triggerring for openshift-storage pods. | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Rahul Rajendran <rpalathi> |
| Component: | odf-operator | Assignee: | Nitin Goyal <nigoyal> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Martin Bukatovic <mbukatov> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.11 | CC: | hnallurv, jrivera, muagarwa, ocs-bugs, odf-bz-bot |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-01 13:45:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is expected with OCP 4.11, the issue has been fixed in OCP 4.12 |
Description of problem (please be detailed as possible and provide log snippests): The alert `PodSecurityViolation` is triggering for Openshift-Storage pods. Alert definition is: ~~~ openshift-kube-apiserver-podsecurity-951cc1a0-6193-44ff-901c-c3e0873f0145.yaml: | groups: - name: pod-security-violation rules: - alert: PodSecurityViolation annotations: description: A workload (pod, deployment, deamonset, ...) was created somewhere in the cluster but it did not match the PodSecurity "{{ $labels.policy_level }}" profile defined by its namespace either via the cluster-wide configuration (which triggers on a "restricted" profile violations) or by the namespace local Pod Security labels. Refer to Kubernetes documentation on Pod Security Admission to learn more about these violations. summary: One or more workloads users created in the cluster don't match their Pod Security profile expr: | sum(increase(pod_security_evaluations_total{decision="deny",mode="audit",resource="pod"}[1d])) by (policy_level) > 0 labels: namespace: openshift-kube-apiserver severity: info ~~~ The pods are identified after following the [KCS|https://access.redhat.com/solutions/6976583]. ~~~ openshift-storage ceph-file-controller-detect-version jobs openshift-storage ceph-object-controller-detect-version jobs openshift-storage csi-addons-controller-manager deployments openshift-storage csi-cephfsplugin daemonsets openshift-storage csi-cephfsplugin-provisioner deployments openshift-storage csi-rbdplugin daemonsets openshift-storage csi-rbdplugin-provisioner deployments openshift-storage noobaa-db-pg-0 pods openshift-storage noobaa-endpoint deployments openshift-storage noobaa-operator deployments openshift-storage ocs-metrics-exporter deployments openshift-storage ocs-operator deployments openshift-storage odf-console deployments openshift-storage odf-operator-controller-manager deployments openshift-storage pods openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-6cw54-589df669cc replicasets openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-6cw54 deployments openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-kk7n2-5f6b486fb7 replicasets openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-kk7n2-7689f7cffc replicasets openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-kk7n2 deployments openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-qsbdh-66666b654 replicasets openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-qsbdh-86769545d8 replicasets openshift-storage rook-ceph-crashcollector-uslpreprod1-br7h4-storage-qsbdh deployments openshift-storage rook-ceph-detect-version jobs openshift-storage rook-ceph-mds-ocs-storagecluster-cephfilesystem-a deployments openshift-storage rook-ceph-mds-ocs-storagecluster-cephfilesystem-b deployments openshift-storage rook-ceph-mgr-a deployments openshift-storage rook-ceph-mon-a deployments openshift-storage rook-ceph-mon-b deployments openshift-storage rook-ceph-mon-c deployments openshift-storage rook-ceph-operator deployments openshift-storage rook-ceph-rgw-ocs-storagecluster-cephobjectstore-a deployments openshift-storage rook-ceph-tools deployments ~~~ The operators version in the namespace are: ~~~ # oc get csv -n openshift-storage NAME DISPLAY VERSION REPLACES PHASE elasticsearch-operator.5.5.2 OpenShift Elasticsearch Operator 5.5.2 elasticsearch-operator.5.5.1 Succeeded mcg-operator.v4.11.1 NooBaa Operator 4.11.1 mcg-operator.v4.11.0 Succeeded ocs-operator.v4.11.1 OpenShift Container Storage 4.11.1 ocs-operator.v4.11.0 Succeeded odf-csi-addons-operator.v4.11.1 CSI Addons 4.11.1 odf-csi-addons-operator.v4.11.0 Succeeded odf-operator.v4.11.1 OpenShift Data Foundation 4.11.1 odf-operator.v4.11.0 Succeeded ~~~ Version of all relevant components (if applicable): v4.11.1 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? Is there any workaround available to the best of your knowledge? No Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? Can this issue be reproducible? Yes Can this issue reproduce from the UI? If this is a regression, please provide more details to justify this: Steps to Reproduce: 1. 2. 3. Actual results: The alert points that the Openshift-storage pods are not following the pod security profile. Expected results: Openshift-Storage pods should be following the pod security profile. Additional info: