Bug 2088129 - [SSP] webhook does not comply with restricted security context
Summary: [SSP] webhook does not comply with restricted security context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Infrastructure
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.11.0
Assignee: Karel Šimon
QA Contact: Sarah Bennert
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-05-18 18:44 UTC by Sarah Bennert
Modified: 2022-10-10 14:22 UTC
CC List: 2 users

Fixed In Version: kubevirt-ssp-operator v4.11.0-40
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-10 14:22:42 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt ssp-operator pull 358 | 0 | None | open | fix security constraint for spp and validator containers | 2022-05-19 11:45:04 UTC
Github | kubevirt ssp-operator pull 364 | 0 | None | Merged | [release-v0.15] fix security constraint for spp and validator containers | 2022-05-25 10:49:04 UTC

Description Sarah Bennert 2022-05-18 18:44:46 UTC
Description of problem:

SSP operator pod log shows info-level log message related to webhook security context.

{"level":"info","ts":1652662485.0856197,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"webhook\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"webhook\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"webhook\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"webhook\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}


Version-Release number of selected component (if applicable):
4.11

How reproducible:
100%

Expected results:

1. Security context configuration prevents warning from occurring.
2. Increased log level for KubeAPIWarningLogger messages
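
The warning quoted in the description lists exactly the four restricted-profile checks the webhook container fails. The Go program below is an added example, not code from the kubevirt ssp-operator or from the reporter: it reimplements those four checks over a hand-rolled pod model (the type names mirror corev1 but are local stand-ins, not k8s.io/api, so it runs offline) and applies them to the container as reported (no securityContext) and to the container with the four fields the warning asks for. The names RestrictedViolations, WebhookBefore and WebhookAfter are this example's own.

```go
package main

import "fmt"

// Hand-rolled stand-ins for the corev1 types (not k8s.io/api, so this runs offline).
// Only the fields the restricted checks read are kept; nil pointers mean "not set".
type SeccompProfile struct{ Type string } // RuntimeDefault, Localhost or Unconfined
type Capabilities struct{ Add, Drop []string }
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	SeccompProfile           *SeccompProfile
	Capabilities             *Capabilities
}
type PodSecurityContext struct {
	RunAsNonRoot   *bool
	SeccompProfile *SeccompProfile
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodSpec struct {
	SecurityContext *PodSecurityContext
	Containers      []Container
}

func boolPtr(b bool) *bool { return &b }
// capsOK: drop must list ALL, and add may contain nothing but NET_BIND_SERVICE.
func capsOK(caps *Capabilities) bool {
	if caps == nil {
		return false
	}
	dropAll := false
	for _, d := range caps.Drop {
		dropAll = dropAll || d == "ALL"
	}
	for _, a := range caps.Add {
		if a != "NET_BIND_SERVICE" {
			return false
		}
	}
	return dropAll
}

// RestrictedViolations applies the four "restricted:latest" checks named in the bug's
// KubeAPIWarningLogger line and returns one message per failure; nil means compliant.
func RestrictedViolations(pod PodSpec) []string {
	var out []string
	for _, c := range pod.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		// 1. allowPrivilegeEscalation must be explicitly false on the container.
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (container %q must set securityContext.allowPrivilegeEscalation=false)", c.Name))
		}
		// 2. Capabilities are per container; there is no pod-level default.
		if !capsOK(sc.Capabilities) {
			out = append(out, fmt.Sprintf("unrestricted capabilities (container %q must set securityContext.capabilities.drop=[\"ALL\"])", c.Name))
		}
		// 3. runAsNonRoot: the container value wins, else the pod value; must be true.
		nonRoot := sc.RunAsNonRoot
		if nonRoot == nil && pod.SecurityContext != nil {
			nonRoot = pod.SecurityContext.RunAsNonRoot
		}
		if nonRoot == nil || !*nonRoot {
			out = append(out, fmt.Sprintf("runAsNonRoot != true (pod or container %q must set securityContext.runAsNonRoot=true)", c.Name))
		}
		// 4. seccompProfile: same container-over-pod fallback; RuntimeDefault or Localhost.
		sp := sc.SeccompProfile
		if sp == nil && pod.SecurityContext != nil {
			sp = pod.SecurityContext.SeccompProfile
		}
		if sp == nil || (sp.Type != "RuntimeDefault" && sp.Type != "Localhost") {
			out = append(out, fmt.Sprintf("seccompProfile (pod or container %q must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")", c.Name))
		}
	}
	return out
}

// WebhookBefore models the webhook container as reported: no securityContext at all.
func WebhookBefore() PodSpec { return PodSpec{Containers: []Container{{Name: "webhook"}}} }

// WebhookAfter sets the four fields the warning asks for on the container itself.
func WebhookAfter() PodSpec {
	return PodSpec{Containers: []Container{{Name: "webhook", SecurityContext: &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		SeccompProfile:           &SeccompProfile{Type: "RuntimeDefault"},
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
	}}}}
}

func main() {
	fmt.Println("before:", RestrictedViolations(WebhookBefore())) // four violations
	fmt.Println("after:", RestrictedViolations(WebhookAfter()))   // []
}
```

Two points the model makes visible that the log line does not: runAsNonRoot and seccompProfile may be satisfied at pod level and inherited by containers that leave them unset (the warning's "pod or container" wording), while allowPrivilegeEscalation and capabilities must be set on every container, and a container that adds any capability other than NET_BIND_SERVICE fails the capabilities check even with drop=["ALL"]. On a real cluster the equivalent check without changing enforcement is to label the operator's namespace with pod-security.kubernetes.io/warn=restricted and apply the Deployment with kubectl --dry-run=server; the API server returns the same warning text.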

Comment 2 Sarah Bennert 2022-06-19 17:12:49 UTC
Verified.

SSP operator pod has valid security context

Bundle v4.11.0-494

Comment 4 Dominik Holler 2022-10-10 14:22:42 UTC
Released as part of 4.11.0

