Bug 2027724 - Warning log for rook-ceph-toolbox in ocs-operator log
Summary: Warning log for rook-ceph-toolbox in ocs-operator log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ODF 4.11.0
Assignee: Malay Kumar parida
QA Contact: Aviad Polak
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-30 13:54 UTC by N Balachandran
Modified: 2023-08-09 17:00 UTC (History)
8 users (show)

Fixed In Version: 4.11.0-89
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-24 13:48:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github red-hat-storage ocs-operator pull 1693 0 None open Bug 2027724: [release-4.11] Update newToolsDeployment according to upstream rook toolbox spec 2022-05-30 12:56:10 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:49:38 UTC

Description N Balachandran 2021-11-30 13:54:08 UTC 
Description of problem (please be detailed as possible and provide log
snippests):

The following message is seen in the OCS operator log file:

{"level":"info","ts":1638271388.673401,"logger":"KubeAPIWarningLogger","msg":"would violate \"latest\" version of \"baseline\" PodSecurity profile: host namespaces (hostNetwork=true), hostPath volumes (volume \"ceph-config\"), privileged (container \"rook-ceph-tools\" must not set securityContext.privileged=true)"}

Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:


Expected results:


Additional info:
Comment 2 Jose A. Rivera 2022-02-07 16:29:58 UTC 
I don't immediately see anything that merits attention, on the surface. Given that this is explicitly labeled as a "warning", and thus far there have been no usability bugs in the Rook-Ceph toolbox, it's nothing severe. We might want to consider squashing/fixing this warning in the future, so I won't close it just yet unless someone weighs in and says this is expected behavior. Moving to ODF 4.11.
Comment 3 Travis Nielsen 2022-05-16 19:48:40 UTC 
The toolbox doesn't need to run privileged. Rook's upstream toolbox spec [1] hasn't had the privileged flag since Rook v1.1 [2], which was the basis for OCS 4.3. The security context could be removed entirely from the toolbox pod spec and just use the default context like the upstream pod. The upstream toolbox works fine on openshift with no security context.

[1] https://github.com/rook/rook/blob/master/deploy/examples/toolbox.yaml
[2] https://github.com/rook/rook/blob/release-1.1/cluster/examples/kubernetes/ceph/toolbox.yaml
Comment 10 errata-xmlrpc 2022-08-24 13:48:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6156
Note You need to log in before you can comment on or make changes to this bug.