Bug 2217783
| Summary: | Project "openshift-storage" which is default for the ODF is actually not Excluded from the PSA. | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | sakshi <sasakshi> |
| Component: | odf-operator | Assignee: | Nitin Goyal <nigoyal> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Elad <ebenahar> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.12 | CC: | jansingh, jiazha, mparida, muagarwa, nigoyal, odf-bz-bot, sarora, skatiyar, vwalek |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-08 08:32:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description:

The project "openshift-storage", which is the default for ODF, is actually not excluded from the PSA. The project is missing the labels and is not excluded from the pod security admission plugin, which means that the violations will still be reported.

Errors:

~~~
zgrep -h pod-security.kubernetes.io/audit-violations must-gather.local.3394783972512996655/quay*/audit_logs/kube-apiserver/*log.gz | jq -r 'select(.annotations["pod-security.kubernetes.io/audit-violations"] != null) | (.objectRef | .namespace + " " + .name + " " + .resource) + " " + .annotations["pod-security.kubernetes.io/audit-violations"]' | sort | uniq -c
      2 openshift-ops sscc-chmmas-a01ointssc-campusnl-debug pods would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
   1189 openshift-storage noobaa-endpoint deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "endpoint" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "endpoint" must set securityContext.capabilities.drop=["ALL"]; container "endpoint" must not include "SETGID", "SETUID" in securityContext.capabilities.add), runAsNonRoot != true (pod or container "endpoint" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "endpoint" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a01o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a02o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a03o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
~~~

Fix: Label the project openshift-storage with the following labels:

~~~
"openshift.io/run-level": "0",
"pod-security.kubernetes.io/audit": "privileged",
"pod-security.kubernetes.io/enforce": "privileged",
"pod-security.kubernetes.io/warn": "privileged"
~~~

Comments:

Hi Team, any further update on this?

Hi Nitin, based on the Slack discussion link shared above, it seems PSA is turned on for 4.12 now and there is a Jira ticket related to this: https://issues.redhat.com/browse/OCPBUGS-15737. Kindly reconfirm.

Closing it as it is fixed in the OCP. Please refer to comment 8.
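The following is an added example, not code from the bug report or from the ODF project. It reproduces offline the two things the report relies on: the audit-log query (the same filter and grouping as the `zgrep | jq | sort | uniq -c` pipeline, applied to a few constructed kube-apiserver audit events rather than a must-gather) and a check of a namespace's labels against the four labels listed under "Fix". The sample events and namespace label sets are constructed; the `oc label --overwrite` command string it builds is a plain use of the standard `oc`/`kubectl` label subcommand and is not prescribed by the report.

```python
import json
from collections import Counter

VIOLATION_ANNOTATION = "pod-security.kubernetes.io/audit-violations"

# Labels from the bug's "Fix" section that openshift-storage must carry.
REQUIRED_PSA_LABELS = {
    "openshift.io/run-level": "0",
    "pod-security.kubernetes.io/audit": "privileged",
    "pod-security.kubernetes.io/enforce": "privileged",
    "pod-security.kubernetes.io/warn": "privileged",
}

# Constructed sample audit events (JSON lines), not taken from the must-gather in the report.
_EVENTS = [
    {"objectRef": {"namespace": "openshift-storage", "name": "noobaa-endpoint", "resource": "deployments"},
     "annotations": {VIOLATION_ANNOTATION:
                     'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false '
                     '(container "endpoint" must set securityContext.allowPrivilegeEscalation=false)'}},
    {"objectRef": {"namespace": "openshift-storage", "name": "noobaa-endpoint", "resource": "deployments"},
     "annotations": {VIOLATION_ANNOTATION:
                     'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false '
                     '(container "endpoint" must set securityContext.allowPrivilegeEscalation=false)'}},
    {"objectRef": {"namespace": "openshift-storage", "name": "ceph-crash", "resource": "deployments"},
     "annotations": {VIOLATION_ANNOTATION:
                     'would violate PodSecurity "restricted:latest": privileged '
                     '(container "ceph-crash" must not set securityContext.privileged=true)'}},
    # An event with no PSA annotation: the filter must drop it, as the jq select() does.
    {"objectRef": {"namespace": "default", "name": "web", "resource": "pods"},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def count_violations(audit_log_text):
    """Mirror the jq pipeline: keep only events carrying the audit-violations
    annotation and count identical (namespace, name, resource, message) rows,
    which is what `sort | uniq -c` produces."""
    counts = Counter()
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        message = (event.get("annotations") or {}).get(VIOLATION_ANNOTATION)
        if message is None:
            continue
        ref = event.get("objectRef") or {}
        counts[(ref.get("namespace", ""), ref.get("name", ""), ref.get("resource", ""), message)] += 1
    return counts


def violating_namespaces(counts):
    """Distinct namespaces that produced at least one audit violation."""
    return sorted({ns for (ns, _, _, _) in counts})


def missing_psa_labels(namespace_labels):
    """Return the required labels that are absent or set to a different value."""
    return {k: v for k, v in REQUIRED_PSA_LABELS.items() if namespace_labels.get(k) != v}


def label_command(namespace, missing):
    """Build the `oc label` invocation that applies the missing labels; --overwrite
    replaces an existing label with another value (e.g. enforce=restricted)."""
    pairs = " ".join(f"{k}={v}" for k, v in sorted(missing.items()))
    return f"oc label --overwrite namespace {namespace} {pairs}"


if __name__ == "__main__":
    counts = count_violations(SAMPLE_AUDIT_LOG)
    for (ns, name, resource, message), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:7d} {ns} {name} {resource} {message}")
    # Constructed label set for a namespace that is still under restricted enforcement.
    labels = {"kubernetes.io/metadata.name": "openshift-storage",
              "pod-security.kubernetes.io/enforce": "restricted"}
    for ns in violating_namespaces(counts):
        missing = missing_psa_labels(labels)
        if missing:
            print(f"{ns}: missing/incorrect PSA labels -> {label_command(ns, missing)}")
```

Running it prints the aggregated violation rows for the constructed log, then the `oc label` line needed for the namespace whose labels do not match the fix. The label check deliberately treats a wrong value (`enforce=restricted`) the same as a missing label, since either leaves the namespace subject to the `restricted` profile the report's violations are measured against.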