Description: File integrity operator workloads should comply with the restricted pod security level

Version: 4.11.0-0.nightly-2022-05-11-054135 + compliance-operatorv0.1.51-1

How to reproduce it (as minimally and precisely as possible)? Always.

Steps to Reproduce:
Install the File Integrity Operator from Operators->OperatorHub, then create a fileintegrity for the test.

$ cat test.sh
# All workloads creation is audited on masters with below annotation. Below cmd checks all workloads that would violate PodSecurity.
cat > cmd.txt << EOF
grep -hir 'would violate PodSecurity' /var/log/kube-apiserver/ | jq -r '.requestURI + " " + .annotations."pod-security.kubernetes.io/audit-violations"'
EOF
CMD="`cat cmd.txt`"
oc new-project xxia-test
# With admin, run above cmd on all masters:
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
for i in $MASTERS
do
  oc debug -n xxia-test no/$i -- chroot /host bash -c "$CMD || true"
done > all-violations.txt
cat all-violations.txt | grep -E 'namespaces/(openshift|kube)-' | sort | uniq > all-violations_system_components.txt
cat all-violations_system_components.txt

In the 4.11.0-0.nightly-2022-05-11-054135 env, run the above script with admin:
$ ./test.sh

Got:
/apis/apps/v1/namespaces/openshift-file-integrity/daemonsets/aide-example-fileintegrity would violate PodSecurity "restricted:latest": hostPath volumes (volume "hostroot"), privileged (container "daemon" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "daemon" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "daemon" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "hostroot" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "daemon" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "daemon" must not set runAsUser=0), seccompProfile (pod or container "daemon" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-file-integrity/daemonsets would violate PodSecurity "restricted:latest": hostPath volumes (volume "hostroot"), privileged (container "daemon" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "daemon" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "daemon" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "hostroot" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "daemon" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "daemon" must not set runAsUser=0), seccompProfile (pod or container "daemon" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-file-integrity/daemonsets would violate PodSecurity "restricted:latest": hostPath volumes (volume "hostroot"), privileged (container "reinit-script" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "reinit-script", "pause-script" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "reinit-script", "pause-script" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "hostroot" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "reinit-script", "pause-script" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "reinit-script" must not set runAsUser=0), seccompProfile (pod or containers "reinit-script", "pause-script" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-file-integrity/deployments/file-integrity-operator would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "file-integrity-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "file-integrity-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "file-integrity-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "file-integrity-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-file-integrity/deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "file-integrity-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "file-integrity-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "file-integrity-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "file-integrity-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/api/v1/namespaces/openshift-file-integrity/pods would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volume "host"), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/api/v1/namespaces/openshift-file-integrity/pods would violate PodSecurity "restricted:latest": hostPath volumes (volume "hostroot"), privileged (container "daemon" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "daemon" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "daemon" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "hostroot" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "daemon" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "daemon" must not set runAsUser=0), seccompProfile (pod or container "daemon" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/api/v1/namespaces/openshift-file-integrity/pods would violate PodSecurity "restricted:latest": hostPath volumes (volume "hostroot"), privileged (container "reinit-script" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "reinit-script", "pause-script" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "reinit-script", "pause-script" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "hostroot" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "reinit-script", "pause-script" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "reinit-script" must not set runAsUser=0), seccompProfile (pod or containers "reinit-script", "pause-script" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Expected results:
File integrity operator workloads should comply with the restricted pod security level

Additional info:
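Added example, not code from the bug report or from the file-integrity-operator project: a small Python checker that re-implements, with the same wording the kube-apiserver audit annotations use above, the Pod Security Standard checks those annotations name, so a pod spec can be checked offline before it is applied. It covers only the checks quoted on this page (host namespaces, hostPath, privileged, allowPrivilegeEscalation, capabilities, volume types, runAsNonRoot, runAsUser=0, seccompProfile), not the full baseline and restricted profiles, and its plural wording is only matched for the single-item case. The pod specs at the bottom are constructed assumptions that merely resemble the aide daemonset and the operator deployment from the report; the function names and the field values are not the operator's real manifests or APIs.

```python
"""Added example, not code from the bug report or the file-integrity-operator project.
It re-implements, with the plugin's own wording, the Pod Security Standard checks that
the audit annotations above name, so a pod spec can be checked offline. Only the checks
quoted on this page are covered; the pod specs at the bottom are constructed assumptions."""

# Volume types the restricted profile allows; anything else is a "restricted volume type".
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}

def _names(kind, names):
    """Render 'container "a"' or 'containers "a", "b"' the way the admission plugin does."""
    quoted = ", ".join(f'"{n}"' for n in names)
    return f"{kind} {quoted}" if len(names) == 1 else f"{kind}s {quoted}"

def _check(pod):
    """Every failed check as a (profile level, message) tuple, in the plugin's order."""
    pod_sc = pod.get("securityContext") or {}
    containers = list(pod.get("initContainers") or []) + list(pod.get("containers") or [])
    volumes = pod.get("volumes") or []
    out = []

    def each(pred):
        """Names of the containers whose securityContext fails `pred`."""
        return [c["name"] for c in containers if pred(c.get("securityContext") or {})]

    def seccomp(sc):
        return (sc.get("seccompProfile") or {}).get("type")

    # Baseline checks (a restricted namespace fails these too).
    host_ns = [f"{k}=true" for k in ("hostNetwork", "hostPID", "hostIPC") if pod.get(k)]
    if host_ns:
        out.append(("baseline", f"host namespaces ({', '.join(host_ns)})"))
    host_path = [v["name"] for v in volumes if "hostPath" in v]
    if host_path:
        out.append(("baseline", f"hostPath volumes ({_names('volume', host_path)})"))
    priv = each(lambda sc: sc.get("privileged") is True)
    if priv:
        out.append(("baseline", f"privileged ({_names('container', priv)} "
                    "must not set securityContext.privileged=true)"))
    # Restricted-only checks; a container-level securityContext field overrides the pod-level one.
    ape = each(lambda sc: sc.get("allowPrivilegeEscalation") is not False)
    if ape:
        out.append(("restricted", f"allowPrivilegeEscalation != false ({_names('container', ape)} "
                    "must set securityContext.allowPrivilegeEscalation=false)"))
    caps = each(lambda sc: "ALL" not in ((sc.get("capabilities") or {}).get("drop") or [])
                or set((sc.get("capabilities") or {}).get("add") or []) - {"NET_BIND_SERVICE"})
    if caps:
        out.append(("restricted", f"unrestricted capabilities ({_names('container', caps)} "
                    'must set securityContext.capabilities.drop=["ALL"])'))
    bad_vols = [(v["name"], t) for v in volumes for t in v if t != "name" and t not in ALLOWED_VOLUME_TYPES]
    if bad_vols:
        out.append(("restricted", "restricted volume types (" + ", ".join(
            f'volume "{n}" uses restricted volume type "{t}"' for n, t in bad_vols) + ")"))
    nonroot = each(lambda sc: sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True)
    if nonroot:
        out.append(("restricted", f"runAsNonRoot != true (pod or {_names('container', nonroot)} "
                    "must set securityContext.runAsNonRoot=true)"))
    root = each(lambda sc: sc.get("runAsUser", pod_sc.get("runAsUser")) == 0)
    if root:
        out.append(("restricted", f"runAsUser=0 ({_names('container', root)} must not set runAsUser=0)"))
    no_seccomp = each(lambda sc: (seccomp(sc) or seccomp(pod_sc)) not in ("RuntimeDefault", "Localhost"))
    if no_seccomp:
        out.append(("restricted", f"seccompProfile (pod or {_names('container', no_seccomp)} must set "
                    'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'))
    return out

def _level(labels, mode, default):
    """Level from the namespace label pod-security.kubernetes.io/<mode>, else the cluster default."""
    return (labels or {}).get(f"pod-security.kubernetes.io/{mode}", default)

def audit_violations(pod, namespace_labels=None, mode="audit", default_level="restricted"):
    """Messages the plugin records for `mode` (audit, warn or enforce). Unlabeled namespaces
    get `default_level` (the report shows them audited at restricted:latest); a "privileged"
    level, which the verification comment's namespace labels set, skips every check."""
    level = _level(namespace_labels, mode, default_level)
    if level == "privileged":
        return []
    keep = {"baseline"} if level == "baseline" else {"baseline", "restricted"}
    return [msg for lvl, msg in _check(pod) if lvl in keep]

def annotation(pod, namespace_labels=None, mode="audit", default_level="restricted"):
    """The audit-violations annotation (or warning) text, "" when the pod passes."""
    msgs = audit_violations(pod, namespace_labels, mode, default_level)
    level = _level(namespace_labels, mode, default_level)
    return f'would violate PodSecurity "{level}:latest": ' + ", ".join(msgs) if msgs else ""

# Constructed inputs (assumed field values, not the operator's real manifests).
AIDE_LIKE_POD = {  # resembles the aide daemonset pod from the report
    "volumes": [{"name": "hostroot", "hostPath": {"path": "/"}}],
    "containers": [{"name": "daemon", "securityContext": {"privileged": True, "runAsUser": 0}}],
}
OPERATOR_POD_BEFORE = {"containers": [{"name": "file-integrity-operator"}]}
OPERATOR_POD_AFTER = {  # adds exactly the four fields the audit line for the operator asks for
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "file-integrity-operator", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}
PRIVILEGED_NS = {f"pod-security.kubernetes.io/{m}": "privileged" for m in ("enforce", "audit", "warn")}

if __name__ == "__main__":
    print(annotation(AIDE_LIKE_POD) or "passes", "|", annotation(OPERATOR_POD_AFTER) or "passes")
```

Run stand-alone, the aide-like spec reproduces the first line under "Got:" above word for word, the operator spec produces the four-item line for the deployment until runAsNonRoot, seccompProfile, allowPrivilegeEscalation=false and capabilities.drop=["ALL"] are set, and the same aide-like spec in a namespace labelled privileged on all three modes yields no entry at all, since the plugin skips every check at that level. The daemonset cannot be made to pass restricted by editing fields (it needs the host root and privileged mode to scan files), which is why the fix for it is the namespace label and the fix for the operator deployment is the securityContext.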
Not a blocker anymore because the feature will not be enabled in enforcing mode in 4.11
Partial fix before OLM allows us to set the proper labels: https://github.com/openshift/file-integrity-operator/pull/239 Leaving this ASSIGNED until then, though.
Let's track the OLM label fix (required for 4.12) in https://issues.redhat.com/browse/CMP-1447. Otherwise this bug will be blocked by OLM requirements for a while. I suggest that with https://github.com/openshift/file-integrity-operator/pull/239 in, we verify that the warnings are squashed when deploying directly from manifest, and resolve this bug.
Moving this to post since the patch in comment #5 landed upstream.
Setting this to ON_QA since we have a build.
Verification passed with 4.11.0-rc.3 and file-integrity-operator.v0.1.28.

When creating the namespace, remember to create it with these labels:

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-file-integrity
  labels:
    openshift.io/cluster-monitoring: "true"
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

Tried two scenarios:
1. install file-integrity-operator.v0.1.24 and upgrade to file-integrity-operator.v0.1.28.
2. install file-integrity-operator.v0.1.28

For both scenarios, it won't report "violate PodSecurity" for the file integrity operator.

$ ./test.sh
Now using project "xxia-test" on server "https://api.xiyuan20-1.alicloud-qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname

Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/xiyuan20-1-s92vw-master-0-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/xiyuan20-1-s92vw-master-1-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/xiyuan20-1-s92vw-master-2-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
/apis/apps/v1/namespaces/openshift-logging/deployments/cluster-logging-operator would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cluster-logging-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cluster-logging-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cluster-logging-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-logging/deployments would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cluster-logging-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cluster-logging-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cluster-logging-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-logging/replicasets would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cluster-logging-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cluster-logging-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cluster-logging-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-operators-redhat/deployments/elasticsearch-operator would violate PodSecurity "restricted:latest": seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-operators-redhat/deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-operators-redhat/replicasets would violate PodSecurity "restricted:latest": seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift File Integrity Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5538