Bug 2086450 - aws-load-balancer-controller-cluster pod logged Podsecurity violation error during deployment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: aos-network-edge-staff
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-16 07:36 UTC by Hongan Li
Modified: 2022-08-04 21:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-01 09:32:12 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift aws-load-balancer-operator pull 64 0 None open Bug 2086450: Explicity set the security context for the controller 2022-05-16 10:34:39 UTC
Red Hat Product Errata RHEA-2022:5780 0 None None None 2022-08-01 09:32:14 UTC

Description Hongan Li 2022-05-16 07:36:11 UTC
Description of problem:
The aws-load-balancer-controller-cluster pod logged a PodSecurity violation error during deployment, as below:

1.6526850318382206e+09	INFO	KubeAPIWarningLogger	would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
OpenShift release version:
4.11.0-0.nightly-2022-05-11-054135

Cluster Platform:
AWS

How reproducible:
100%

Steps to Reproduce (in detail):
1. install aws-load-balancer-operator via OperatorHub
2. create AWSLoadBalancerController resource
3. check the aws-load-balancer-operator pod logs
$ oc -n aws-load-balancer-operator logs aws-load-balancer-operator-controller-manager-9bc7f96b6-kp9gd -c manager


Actual results:
see Podsecurity violation error logs

Expected results:
should not occur

Impact of the problem:


Additional info:
This appears to be due to the PodSecurity feature gate being active by default for the v1.23 Kubernetes release; from 4.11 the pod security admission level is set to "restricted" by default. Ref: https://kubernetes.io/docs/concepts/security/pod-security-admission/

see also: https://issues.redhat.com/browse/AUTH-133

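
As an added illustration (not code from the operator or from the bug's pull request), the following Go program applies the four "restricted:latest" checks quoted in the log line above to a container's securityContext and returns the explicit settings that satisfy them; the SecurityContext struct is a simplified stand-in assumed for this example, not the k8s.io/api type.

```go
package main

import "fmt"

// Simplified stand-in for the PodSecurity-relevant securityContext fields
// (an assumed shape for this example, not the k8s.io/api types); pod-level
// defaults for runAsNonRoot and seccompProfile are not modelled.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	DropCapabilities         []string
	SeccompProfileType       string
}

func boolPtr(b bool) *bool { return &b }

// RestrictedViolations applies the four "restricted:latest" checks named in the
// bug's log line to one container and returns the admission warning's messages
// (an empty result means the container is compliant).
func RestrictedViolations(name string, sc SecurityContext) []string {
	var v []string
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, fmt.Sprintf("allowPrivilegeEscalation != false (container %q must set securityContext.allowPrivilegeEscalation=false)", name))
	}
	dropsAll := false
	for _, c := range sc.DropCapabilities {
		dropsAll = dropsAll || c == "ALL"
	}
	if !dropsAll {
		v = append(v, fmt.Sprintf("unrestricted capabilities (container %q must set securityContext.capabilities.drop=[\"ALL\"])", name))
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, fmt.Sprintf("runAsNonRoot != true (pod or container %q must set securityContext.runAsNonRoot=true)", name))
	}
	if t := sc.SeccompProfileType; t != "RuntimeDefault" && t != "Localhost" {
		v = append(v, fmt.Sprintf("seccompProfile (pod or container %q must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")", name))
	}
	return v
}

// RestrictedSecurityContext is the explicit context that satisfies all four
// checks, i.e. what the controller container must set to stop the warning.
func RestrictedSecurityContext() SecurityContext {
	return SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		DropCapabilities:         []string{"ALL"},
		SeccompProfileType:       "RuntimeDefault",
	}
}
```

Running RestrictedViolations("controller", SecurityContext{}) reproduces the four messages from the log line; the context returned by RestrictedSecurityContext yields none.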

Comment 1 Miciah Dashiel Butler Masters 2022-05-17 16:47:50 UTC
This is a blocker because OpenShift 4.11 is going to enforce PodSecurity.

Comment 4 Hongan Li 2022-05-26 09:12:58 UTC
Tested with the latest aws-load-balancer-operator-bundle-container-0.0.1-12 and passed.

Didn't see "violate PodSecurity" anymore.

Comment 8 errata-xmlrpc 2022-08-01 09:32:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of AWS Load Balancer Operator on OperatorHub), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:5780