Bug 2223982

Summary: PodSecurity violations messages found in cluster-network-addons-operator and Networking component
Product: Container Native Virtualization (CNV) Reporter: Ahmad <ahafe>
Component: NetworkingAssignee: Petr Horáček <phoracek>
Status: CLOSED DUPLICATE QA Contact: Nir Rozen <nrozen>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.14.0   
Target Milestone: ---   
Target Release: 4.14.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-24 09:03:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ahmad 2023-07-19 13:02:11 UTC 
http://pastebin.test.redhat.com/1105334


Description of problem: In audit log of a freshly deployed 4.14.0 cluster, I see pod security violation messages due to a restricted profile cluster-network-addons-operator -> Networking component :kube-cni-linux-bridge-plugin,, bridge-marker, 

Version-Release number of selected component (if applicable):
4.14.0

How reproducible:
100% 

Steps to Reproduce:
1.deploy CNV
2. Check audit logs of 4.14.0 


Actual results:
Sample entry (http://pastebin.test.redhat.com/1105334):
=============
tests.install_upgrade_operators.pod_security.test_pod_security_audit_log.PodSecurityViolationError: User-agent: cluster-network-addons-operator/v0.0.0 (linux/amd64) kubernetes/$Format, Violations:
	{'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': 'aacdc782-808c-4a97-86bf-dd0ad956fec5', 'stage': 'ResponseComplete', 'requestURI': '/apis/apps/v1/namespaces/openshift-cnv/daemonsets/kube-cni-linux-bridge-plugin', 'verb': 'update', 'user': {'username': 'system:serviceaccount:openshift-cnv:cluster-network-addons-operator', 'uid': '813a213c-e689-460e-bb7f-b6bfa1dc35e9', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:openshift-cnv', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['cluster-network-addons-operator-58d9cd5fcb-ljswg'], 'authentication.kubernetes.io/pod-uid': ['47714ae1-1883-46e0-add1-c2e91e1c7a3b']}}, 'sourceIPs': ['10.9.96.50'], 'userAgent': 'cluster-network-addons-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'daemonsets', 'namespace': 'openshift-cnv', 'name': 'kube-cni-linux-bridge-plugin', 'uid': '51f47752-0518-4b52-a6d5-3b3474fc02e8', 'apiGroup': 'apps', 'apiVersion': 'v1', 'resourceVersion': '757730'}, 'responseStatus': {'metadata': {}, 'code': 200}, 'requestReceivedTimestamp': '2023-07-18T08:06:37.217045Z', 'stageTimestamp': '2023-07-18T08:06:37.230942Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by RoleBinding "kubevirt-hyperconverged-operator.v4.14.0-cluster-net-7dcf5fd9f6/openshift-cnv" of Role "kubevirt-hyperconverged-operator.v4.14.0-cluster-net-7dcf5fd9f6" to ServiceAccount "cluster-network-addons-operator/openshift-cnv"', 'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cni-plugins" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cni-plugins" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
=============


Details attached.

Expected results:
No pod security violation message
Comment 1 Petr Horáček 2023-07-24 09:03:07 UTC 
Marking as a duplicate of 2209444

*** This bug has been marked as a duplicate of bug 2209444 ***