Description of problem:
cdi-deployment logs show an info-level log message related to a security context issue.

Version-Release number of selected component (if applicable):
4.11

How reproducible:
100%

Expected results:
Security context configuration prevents the warning from occurring.

Additional info:
{"level":"info","ts":1652877234.7262948,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"cdi-source-update-poller\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"cdi-source-update-poller\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"cdi-source-update-poller\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"cdi-source-update-poller\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}
{"level":"info","ts":1652877319.456313,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (containers \"init\", \"importer\", \"server\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"init\", \"importer\", \"server\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or containers \"init\", \"importer\", \"server\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"init\", \"importer\", \"server\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}
{"level":"info","ts":1652878329.2959814,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"importer\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"importer\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"importer\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"importer\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}
Alexander, could you please update the bug?
PR that fixes the noted issues posted.
Actually, after some more investigation we have many more pods that will likely need the same treatment. And when testing against OpenShift 4.10 we were not allowed to modify the seccompProfile on a pod. So we have one OpenShift requirement that we should modify the seccompProfile to Localhost or RuntimeDefault and at the same time it blocks us from modifying the seccompProfile (which makes sense, because we could potentially set it to Unconfined, which is not good). So I would like to take a step back and figure out how to properly fix this. Is there a document describing how to properly do these things for OpenShift that I can take a look at?
For 4.11 we did part of the work. It's not a problem to push to 4.12 because our control plane exists in a privileged namespace and our workers (Importers, etc) use their own SA that is associated with a custom SCC.
Tested on CNV-4.12.0-628: no security context error appeared in cdi-deployment; the issue has been fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:0408