Description of problem (please be as detailed as possible and provide log snippets):
While collecting must-gather logs in ODF 4.11, the following warning messages were observed:

[must-gather ] OUT namespace/openshift-must-gather-nlbwn created
[must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-xb52x created
W0525 10:34:03.298062 19288 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[must-gather ] OUT pod for plug-in image quay.io/rhceph-dev/ocs-must-gather:latest-4.11 created
[must-gather-x29j4] POD 2022-05-25T05:04:12.733108553Z checking for existing must-gather resource
[must-gather-x29j4] POD 2022-05-25T05:04:12.882037913Z No resources found in openshift-storage namespace.
[must-gather-x29j4] POD 2022-05-25T05:04:13.029879181Z creating helper pod
[must-gather-x29j4] POD 2022-05-25T05:04:15.677545241Z W0525 05:04:15.677358 72 warnings.go:70] would violate PodSecurity "restricted:latest": hostPath volumes (volumes "dev", "sysbus", "libmodules"), privileged (container "must-gather-helper" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "must-gather-helper" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "must-gather-helper" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "sysbus", "libmodules" use restricted volume type "hostPath"), seccompProfile (pod or container "must-gather-helper" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[must-gather-x29j4] POD 2022-05-25T05:04:15.678078701Z pod/must-gather-x29j4-helper created

Version of all relevant components (if applicable):
---------------------------------------------------
OCP: 4.11.0-0.nightly-2022-05-20-213928
ODF: odf-operator.v4.11.0 full_version=4.11.0-78

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
No

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
1

Can this issue be reproduced?
Yes

Can this issue reproduce from the UI?

If this is a regression, please provide more details to justify this:

Steps to Reproduce:
-------------------
1. Run must-gather to collect ODF logs:
# oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.11

Actual results:
---------------
Warning messages for PodSecurity violations observed

Expected results:
-----------------
No such warnings expected
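The warnings above name exactly which securityContext fields the "restricted" Pod Security profile wants on the gather/copy containers, and why the helper pod can never pass it as long as it is privileged and mounts hostPath volumes. The following is an added example, not code from ODF, must-gather or Kubernetes: a small Python checker that models only the checks quoted in the report (hostPath volumes, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) and applies them to constructed pod specs shaped after the pods in the log. The real admission plugin checks more than this (host namespaces, sysctls, procMount, and so on), and the sample specs, hostPath paths and the harden_container() helper are assumptions for illustration, not the real manifests.

```python
"""Model of the PodSecurity "restricted" findings quoted in this bug.

Added example (not ODF, must-gather or Kubernetes code). Pod specs are plain
dicts in the shape of a Pod's .spec; only the checks named in the warnings are
modeled, so an empty result here does not mean a pod passes the full profile.
"""

# The restricted profile lets a container add only NET_BIND_SERVICE; everything else must be dropped.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(container_sc, pod_sc, field):
    """Container-level securityContext overrides the pod-level value, as in Kubernetes."""
    if field in container_sc:
        return container_sc[field]
    return pod_sc.get(field)


def restricted_violations(pod_spec):
    """Return the list of findings for pod_spec; an empty list means the modeled checks pass."""
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []

    # hostPath is a restricted volume type regardless of what the containers do.
    host_paths = [v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        findings.append("hostPath volumes (volumes %s)" % ", ".join('"%s"' % n for n in host_paths))

    containers = list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append('privileged (container "%s" must not set securityContext.privileged=true)' % name)
        # Unset counts as a violation: the field must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append('allowPrivilegeEscalation != false (container "%s")' % name)
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or set(caps.get("add") or []) - ALLOWED_ADDED_CAPS:
            findings.append('unrestricted capabilities (container "%s")' % name)
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append('runAsNonRoot != true (pod or container "%s")' % name)
        seccomp = _effective(sc, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            findings.append('seccompProfile (pod or container "%s")' % name)
    return findings


def harden_container(container):
    """Return a copy of a container spec carrying the four settings the gather/copy warnings ask for.

    Hypothetical helper for this example; it does not alter the input dict.
    """
    hardened = dict(container)
    sc = dict(hardened.get("securityContext") or {})
    sc["allowPrivilegeEscalation"] = False
    sc["capabilities"] = {"drop": ["ALL"]}
    sc["runAsNonRoot"] = True
    sc["seccompProfile"] = {"type": "RuntimeDefault"}
    hardened["securityContext"] = sc
    return hardened


# Constructed sample specs shaped after the pods named in the report (assumed, not the real manifests).
GATHER_POD = {
    "containers": [
        {"name": "gather", "image": "quay.io/rhceph-dev/ocs-must-gather:latest-4.11"},
        {"name": "copy", "image": "quay.io/rhceph-dev/ocs-must-gather:latest-4.11"},
    ]
}

HELPER_POD = {
    "volumes": [  # host paths are assumed from the volume names in the log
        {"name": "dev", "hostPath": {"path": "/dev"}},
        {"name": "sysbus", "hostPath": {"path": "/sys/bus"}},
        {"name": "libmodules", "hostPath": {"path": "/lib/modules"}},
    ],
    "containers": [
        {"name": "must-gather-helper", "securityContext": {"privileged": True}},
    ],
}


def hardened_gather_pod():
    """The gather pod with every container passed through harden_container()."""
    return {"containers": [harden_container(c) for c in GATHER_POD["containers"]]}


if __name__ == "__main__":
    for label, spec in (("gather pod as reported", GATHER_POD),
                        ("gather pod hardened", hardened_gather_pod()),
                        ("helper pod as reported", HELPER_POD)):
        print(label)
        for finding in restricted_violations(spec):
            print("  would violate PodSecurity restricted:latest:", finding)
```

Running it reproduces the shape of the two warnings: the as-reported gather pod yields the four findings per container, the hardened copy yields none, and the helper pod keeps its hostPath and privileged findings even after the per-container fields are set, which is why those pods need a different remedy (a less restrictive namespace profile) rather than a securityContext change.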
Yes, I think we need to fix this for 4.11.0, I will let Orit confirm it.
(In reply to Madhu Rajanna from comment #3)
> Yes, I think we need to fix this for 4.11.0, I will let Orit confirm it.

Correct. We will need to consider a backport to 4.10.x as we support ODF 4.10 on OCP 4.11.
This is delayed until OCP 4.12, hence the fix should go into the 4.11 z-stream before OCP 4.12 is released. Also, IMO must-gather is not the correct component for this BZ. We need a fix in every operator which is affected.
This is not a must-gather issue; we already have BZs for different operators for the same issue, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2124593