Bug 2086519 - workloads must comply to restricted security policy
Summary: workloads must comply to restricted security policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.11.0
Assignee: Standa Laznicka
QA Contact: Yash Tripathi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-16 11:24 UTC by Sergiusz Urbaniak
Modified: 2022-08-10 11:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 11:12:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift apiserver-library-go pull 85 0 None Merged Bug 2086519: scc: set container nonroot=true if the pod/container RunAsUser is non-zero 2022-06-22 13:45:43 UTC
Github openshift cluster-kube-apiserver-operator pull 1358 0 None Merged Bug 2086519: exempt build controller SA from PodSecurity admission 2022-06-22 13:45:44 UTC
Github openshift cluster-kube-controller-manager-operator pull 628 0 None Merged Bug 2086519: bindata/../namespace-openshift-infra: label namespace as privileged 2022-05-26 08:33:06 UTC
Github openshift cluster-openshift-controller-manager-operator pull 240 0 None Merged Bug 2086519: AUTH-133: bindata: comply to restricted pod security level 2022-06-22 13:45:46 UTC
Github openshift cluster-policy-controller pull 75 0 None Merged Bug 2086519: Introduce Pod Security Admission Label Synchronization controller 2022-06-22 13:45:47 UTC
Github openshift console-operator pull 652 0 None Merged Bug 2086519: AUTH-133: manifests: comply to restricted pod security 2022-06-22 13:45:49 UTC
Github openshift kubernetes pull 1268 0 None Merged Bug 2086519: UPSTREAM: <carry>: e2e-framework: don't autosync PodSecurity labels 2022-06-22 13:45:50 UTC
Github openshift kubernetes pull 1290 0 None Merged Bug 2086519: get SCC admission default securityContext.runAsNonRoot to true on positive UIDs 2022-06-22 13:45:51 UTC
Github openshift oc pull 1155 0 None Merged Bug 2086519: pkg/cli/debug: suggest pod security labels on violations 2022-06-22 13:45:58 UTC
Github openshift origin pull 27152 0 None Merged Bug 2086519: Auth-133: test/extended/util: comply exec pod to restricted pod security profile 2022-06-22 13:45:58 UTC
Github openshift origin pull 27173 0 None Merged Bug 2086519: bump o/kube so that test namespaces aren't PSa label synced 2022-06-22 13:45:56 UTC
Github openshift origin pull 27177 0 None Merged Bug 2086519: label project-created namespaces to not sync PodSecurity labels 2022-06-22 13:45:55 UTC
Github openshift origin pull 27257 0 None Merged Bug 2086519: authorization: add a test checking that the restricted-v2 SCC mutates securityContext to match restricted P... 2022-06-23 01:30:19 UTC
Github openshift origin pull 27269 0 None Merged Bug 2086519: AUTH-133: test/extended/security/scc: comply to pod security admission 2022-06-23 11:07:10 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 11:12:15 UTC

Description Sergiusz Urbaniak 2022-05-16 11:24:40 UTC
Starting from OpenShift 4.11, pod security admission is being activated. In OpenShift, the default pod security admission level is going to be restricted.

Currently, some workloads do not yet comply with this. This tracks changes done by the Auth team.

Comment 13 Yash Tripathi 2022-06-24 14:03:33 UTC
Verified in 4.11.0-0.nightly-2022-06-23-153912

Testing https://github.com/openshift/apiserver-library-go/pull/85

1. $ oc create -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
  name: testpod
spec:
  containers:
  - image: quay.io/openshifttest/hello-openshift:openshift
    name: node-hello
    securityContext:
      runAsUser: 100
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
      allowPrivilegeEscalation: false
EOF

2. $ oc get pod/testpod -o yaml
...
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 100
      seccompProfile:
        type: RuntimeDefault
...
Expected: runAsNonRoot: true
Actual: runAsNonRoot: true

Verified
-----------
Testing https://github.com/openshift/cluster-kube-apiserver-operator/pull/1358

$ oc extract cm/config -n openshift-kube-apiserver --confirm --to=- | jq '' - | jq '.admission.pluginConfig.PodSecurity.configuration.exemptions'
Output:
{
  "usernames": [
    "system:serviceaccount:openshift-infra:build-controller"
  ]
}

Expected: system:serviceaccount:openshift-infra:build-controller
https://github.com/stlaz/cluster-kube-apiserver-operator/blob/aab0cba685e69889087e776e417a96137ab7cef5/bindata/assets/config/defaultconfig.yaml#L31
Actual: system:serviceaccount:openshift-infra:build-controller

Verified
-----------
Testing https://github.com/openshift/oc/pull/1155

1. $ oc edit kubeapiserver cluster
update unsupportedConfigOverrides to
...
  unsupportedConfigOverrides:
    admission:
      pluginConfig:
        PodSecurity:
          configuration:
            apiVersion: pod-security.admission.config.k8s.io/v1beta1
            defaults:
              audit: restricted
              audit-version: latest
              enforce: restricted
              enforce-version: latest
              warn: restricted
              warn-version: latest
            exemptions:
              usernames:
              - system:serviceaccount:openshift-infra:build-controller
            kind: PodSecurityConfiguration
...

2. Wait for all OKAS pods to rotate (check revision)
$ oc get po -n openshift-kube-apiserver -L revision -l apiserver -w
NAME                                                         READY   STATUS    RESTARTS   AGE     REVISION
kube-apiserver-ip-10-0-128-204.ap-south-1.compute.internal   5/5     Running   0          6m      14
kube-apiserver-ip-10-0-184-69.ap-south-1.compute.internal    5/5     Running   0          9m48s   14
kube-apiserver-ip-10-0-205-172.ap-south-1.compute.internal   5/5     Running   0          2m2s    14

3. $ oc debug node/ip-10-0-149-137.ap-south-1.compute.internal
error: PodSecurity violation error:
Ensure the target namespace has the appropriate security level set or consider creating a dedicated privileged namespace using:
        "oc create ns <namespace> -o yaml | oc label -f - pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged".

Original error:
pods "ip-10-0-149-137ap-south-1computeinternal-debug" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Actual error is according to format:
err = fmt.Errorf("PodSecurity violation error:\n"+
	"Ensure the target namespace has the appropriate security level set "+
	"or consider creating a dedicated privileged namespace using:\n"+
	"\t\"oc create ns <namespace> -o yaml | oc label -f - pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged\".\n\nOriginal error:\n%w", err)

oc adm must-gather has some issue; will file a non-blocker bug later.

Verified
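The verification above exercises two behaviours: the SCC admission defaulting that sets runAsNonRoot=true when a container will run as a non-zero UID (apiserver-library-go PR 85), and the PodSecurity "restricted" checks that the oc debug pod fails. The following is an added, self-contained model of both, written here for illustration; it is not code from OpenShift, Kubernetes or this bug's pull requests. It implements only the eight checks named in the quoted error message (the real restricted profile also covers host ports, sysctls, procMount, AppArmor and SELinux fields), and the sample pods, including the approximation of the oc debug node pod, are constructed from the output quoted in this comment.

```python
"""Offline model of SCC runAsNonRoot defaulting plus a subset of the
PodSecurity 'restricted' checks. Added example, not project code."""
import copy

# Assumption: volume types the restricted profile permits (upstream list).
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def default_run_as_non_root(pod: dict) -> dict:
    """Mimic the SCC mutation from PR 85: if a container will run with a
    non-zero UID and runAsNonRoot is unset, default it to True."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.setdefault("securityContext", {})
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and uid != 0 and "runAsNonRoot" not in sc:
            sc["runAsNonRoot"] = True
    return pod


def restricted_violations(pod: dict) -> list:
    """Return the restricted-profile violations, worded like the admission
    error quoted above. Empty list means the pod would be admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    v = []
    host = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host:
        v.append("host namespaces (" + ", ".join(f"{k}=true" for k in host) + ")")
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in ALLOWED_VOLUME_TYPES:
                v.append(f'restricted volume types (volume "{vol["name"]}" '
                         f'uses restricted volume type "{kind}")')
    for c in spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            v.append(f'privileged (container "{name}" must not set '
                     'securityContext.privileged=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f'allowPrivilegeEscalation != false (container "{name}" '
                     'must set securityContext.allowPrivilegeEscalation=false)')
        caps = sc.get("capabilities", {})
        added = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if "ALL" not in caps.get("drop", []) or added:
            v.append(f'unrestricted capabilities (container "{name}" must set '
                     'securityContext.capabilities.drop=["ALL"])')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f'runAsNonRoot != true (pod or container "{name}" must set '
                     'securityContext.runAsNonRoot=true)')
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f'runAsUser=0 (container "{name}" must not set runAsUser=0)')
        profile = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            v.append(f'seccompProfile (pod or container "{name}" must set '
                     'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return v


# Constructed from the testpod manifest in this comment (no runAsNonRoot set).
TESTPOD = {"spec": {"containers": [{
    "name": "node-hello",
    "image": "quay.io/openshifttest/hello-openshift:openshift",
    "securityContext": {"runAsUser": 100, "capabilities": {"drop": ["ALL"]},
                        "seccompProfile": {"type": "RuntimeDefault"},
                        "allowPrivilegeEscalation": False}}]}}

# Constructed approximation of the oc debug node pod from the quoted error.
DEBUG_POD = {"spec": {
    "hostNetwork": True, "hostPID": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "container-00",
                    "securityContext": {"privileged": True, "runAsUser": 0}}]}}


def verify() -> tuple:
    """Before/after view: violations of the raw testpod, of the SCC-mutated
    testpod, and of the debug pod."""
    return (restricted_violations(TESTPOD),
            restricted_violations(default_run_as_non_root(TESTPOD)),
            restricted_violations(DEBUG_POD))


if __name__ == "__main__":
    for label, found in zip(("testpod", "testpod after SCC", "debug pod"), verify()):
        print(f"{label}: {len(found)} violation(s)")
        for line in found:
            print("  -", line)
```

Running it shows the point of PR 85: the raw testpod fails only the runAsNonRoot check, the SCC mutation (runAsUser=100, so runAsNonRoot defaults to true) makes it pass restricted, while the debug pod trips all eight checks the quoted error lists, which is why oc now suggests labelling a dedicated privileged namespace instead of relaxing the pod.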

Comment 14 errata-xmlrpc 2022-08-10 11:12:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

