Bug 2140406

Summary: [4.11][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed
Product: Container Native Virtualization (CNV) Reporter: Jenia Peimer <jpeimer>
Component: StorageAssignee: Alexander Wels <awels>
Status: CLOSED WONTFIX QA Contact: Jenia Peimer <jpeimer>
Severity: medium Docs Contact:
Priority: high    
Version: 4.11.1CC: alitke, awels, cnv-qe-bugs, kmajcher, mrashish, sasundar, stirabos, yadu
Target Milestone: ---   
Target Release: 4.11.2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: CNV v4.11.2-2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2133656 Environment:
Last Closed: 2022-12-08 15:39:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2133656    
Bug Blocks: 2089744    

Description Jenia Peimer 2022-11-06 13:57:06 UTC 
+++ This bug was initially created as a clone of Bug #2133656 +++

Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'hostpath-provisioner-operator' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "hostpath-provisioner-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "hostpath-provisioner-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "hostpath-provisioner-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "hostpath-provisioner-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 1 Jenia Peimer 2022-11-06 14:05:13 UTC 
PR was backported and merged U/S to 4.11, but since 4.11.1 is not released yet, there's no 4.11.2 D/S build at the moment.
Comment 2 Maya Rashish 2022-12-05 18:21:09 UTC 
Backported the Dockerfile midstream change (unclear if it's still needed)
Comment 3 Maya Rashish 2022-12-08 15:39:15 UTC 
Reverted this change. A similar change to CDI caused smoke test breakage, so I reverted both as a precaution.
We've decided not to include these changes in 4.11, PSA was delayed one more version.