Bug 2141669

Summary: [4.11] [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed
Product: Container Native Virtualization (CNV)
Reporter: Maya Rashish <mrashish>
Component: Storage
Assignee: Michael Henriksen <mhenriks>
Status: CLOSED WONTFIX
QA Contact: Yan Du <yadu>
Severity: medium
Docs Contact:
Priority: high
Version: 4.11.1
CC: alitke, cnv-qe-bugs, kmajcher, mhenriks, mrashish, sasundar, stirabos, yadu
Target Milestone: ---
Target Release: 4.11.3
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2133660
Environment:
Last Closed: 2022-12-07 17:19:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2133660
Bug Blocks: 2089744

Description Maya Rashish 2022-11-10 12:21:04 UTC
+++ This bug was initially created as a clone of Bug #2133660 +++

Description of problem:
-----------------------
Test run[1], which looks for 'pod security violation' entries in audit logs, against 4.11.1-20, found a few audit violations.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix the violation in the 'cdi-source-update-poller' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-source-update-poller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-source-update-poller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cdi-source-update-poller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cdi-source-update-poller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found

--- Additional comment from Maya Rashish on 2022-11-09 07:57:37 UTC ---

This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
Listing some recent versions of CNV.

Note this required some downstream follow-up:
https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236

--- Additional comment from Yan Du on 2022-11-10 08:43:46 UTC ---

Tested on CNV v4.12.0-628: no cdi-source-update-poller container 'pod security violation' error in the audit logs.

@Maya, since it is fixed in 4.12, do we have a plan to backport to 4.11?
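The audit annotation quoted in the description names four checks from the Pod Security Standards "restricted" profile. The following is an added example, not code from the bug report or from the CDI project: a simplified re-implementation of those four checks over a pod spec, producing the same wording as the audit annotation, together with a constructed stand-in for the failing container (no securityContext at all) and a constructed hardened spec. The image references are placeholders, and the real admission controller runs further checks (privileged, host namespaces, hostPath volumes, ...) that are omitted here.

```python
"""Restricted-profile Pod Security checks behind the audit annotation quoted
in the bug. Added example, not code from CDI or from the bug report; it is a
simplified re-implementation of the four 'restricted' checks the message
names, and the pod specs at the bottom are constructed for illustration."""

from typing import Any, Dict, Iterator, List, Optional

# Seccomp profile types the restricted profile accepts.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _all_containers(pod_spec: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every container in the pod spec, init and ephemeral ones included."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from pod_spec.get(key) or []


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one audit-style message per failing restricted-profile check.

    Assumption: this mirrors the wording of the audit annotation in the bug
    for the four checks it lists; the real admission controller runs more
    checks than these (privileged, hostPath volumes, ...), which are omitted.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    found: List[str] = []
    for c in _all_containers(pod_spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # 1. Privilege escalation must be explicitly disabled on the container.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}" '
                         'must set securityContext.allowPrivilegeEscalation=false)')

        # 2. All capabilities dropped; restricted allows adding back only
        #    NET_BIND_SERVICE (reported here under the same message).
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            found.append(f'unrestricted capabilities (container "{name}" '
                         'must set securityContext.capabilities.drop=["ALL"])')

        # 3. runAsNonRoot may be set on the pod; a container-level value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f'runAsNonRoot != true (pod or container "{name}" '
                         'must set securityContext.runAsNonRoot=true)')

        # 4. seccompProfile likewise resolves container-first, then pod.
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") not in ALLOWED_SECCOMP_TYPES:
            found.append(f'seccompProfile (pod or container "{name}" must set '
                         'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return found


def audit_annotation(pod_spec: Dict[str, Any]) -> Optional[str]:
    """Assemble the value PSA would write to pod-security.kubernetes.io/audit-violations."""
    found = restricted_violations(pod_spec)
    if not found:
        return None
    return 'would violate PodSecurity "restricted:latest": ' + ", ".join(found)


# Constructed stand-in for the failing container: no securityContext at all.
# The image reference is a placeholder, not the real CDI image.
POLLER_BEFORE: Dict[str, Any] = {
    "containers": [
        {"name": "cdi-source-update-poller", "image": "registry.example/poller:placeholder"},
    ],
}

# Constructed hardened spec: pod-level runAsNonRoot and seccompProfile,
# container-level allowPrivilegeEscalation and capabilities.drop.
POLLER_AFTER: Dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "cdi-source-update-poller",
            "image": "registry.example/poller:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}

if __name__ == "__main__":
    print(audit_annotation(POLLER_BEFORE))
    print(audit_annotation(POLLER_AFTER))
```

Run stand-alone, the first line printed reproduces the four-part annotation from the description for the unhardened spec, and the second prints None for the hardened one. The pod-level fields (runAsNonRoot, seccompProfile) are enough for every container in the pod unless a container overrides them, while allowPrivilegeEscalation and capabilities.drop have to be set on each container individually, which is why the audit message phrases them differently.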