Description of problem (please be detailed as possible and provide log snippests): The following message is seen in the OCS operator log file: {"level":"info","ts":1638271388.673401,"logger":"KubeAPIWarningLogger","msg":"would violate \"latest\" version of \"baseline\" PodSecurity profile: host namespaces (hostNetwork=true), hostPath volumes (volume \"ceph-config\"), privileged (container \"rook-ceph-tools\" must not set securityContext.privileged=true)"} Version of all relevant components (if applicable): Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? Is there any workaround available to the best of your knowledge? Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? Can this issue reproducible? Can this issue reproduce from the UI? If this is a regression, please provide more details to justify this: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
I don't immediately see anything that merits attention, on the surface. Given that this is explicitly labeled as a "warning", and thus far there have been no usability bugs in the Rook-Ceph toolbox, it's nothing severe. We might want to consider squashing/fixing this warning in the future, so I won't close it just yet unless someone weighs in and says this is expected behavior. Moving to ODF 4.11.
The toolbox doesn't need to run privileged. Rook's upstream toolbox spec [1] hasn't had the privileged flag since Rook v1.1 [2], which was the basis for OCS 4.3. The security context could be removed entirely from the toolbox pod spec and just use the default context like the upstream pod. The upstream toolbox works fine on openshift with no security context. [1] https://github.com/rook/rook/blob/master/deploy/examples/toolbox.yaml [2] https://github.com/rook/rook/blob/release-1.1/cluster/examples/kubernetes/ceph/toolbox.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6156