Bug 2091864 - Registry Pod doesn't have "securityContext.runAsNonRoot=true" config that is generated by run bundle
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Operator SDK
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.12.0
Assignee: Rashmi Gottipati
QA Contact: Fan Jia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-31 08:11 UTC by Fan Jia
Modified: 2023-01-17 19:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* With this update, you can now set the security context for the registry pod by including the `securityContext` configuration field in the pod specification. This will apply the security context for all containers in the pod. The `securityContext` field also defines the pod's privileges. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2091864[*BZ#2091864*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:49:30 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:49:50 UTC

Description Fan Jia 2022-05-31 08:11:38 UTC
Description of problem:
Registry pod and job back pod don't have "securityContext.runAsNonRoot=true" config which are generated by "run bundle(bundle-upgrade)". 

Version-Release number of selected component (if applicable):
operator-sdk version: "v1.20.0-ocp", commit: "deb99d5a456fa32c3153de89d940ee05b603c83b", kubernetes version: "v1.23", go version: "go1.17.4", GOOS: "linux", GOARCH: "amd64"


How reproducible:
always

Steps to Reproduce:
1. operator-sdk run bundle quay.io/xxxx/blacklist-bundle:v4.10
2. oc get pods
NAME                                                              READY   STATUS      RESTARTS   AGE
540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd   0/1     Completed   0          34m
blacklist-controller-manager-76886d597f-zzgh7                     2/2     Running     0          34m
quay-io-xxxx-blacklist-bundle-v4-10                              1/1     Running     0          34m


Actual results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1
        f:securityContext: {}
        f:terminationGracePeriodSeconds: {}
--
  securityContext: {}
  serviceAccount: default

2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1
  securityContext: {}
  serviceAccount: default

Expected results:
1. oc get pod quay-io-xxxx-blacklist-bundle-v4-10 -o yaml | grep "securityContext" -A1
        f:securityContext: {}
        f:terminationGracePeriodSeconds: {}
--
  securityContext: 
    runAsNonRoot: true
  serviceAccount: default

2. $ oc get pod 540b848f2d7df023d484f69b046bcabbd16eaa24aca46c66cd48a78c6bnmbqd -o yaml | grep "securityContext" -A1
  securityContext: 
    runAsNonRoot: true
  serviceAccount: default


Additional info:

Comment 1 Rashmi Gottipati 2022-06-24 19:24:26 UTC
Hi Jia, 

Is `quay.io/xxxx/blacklist-bundle:v4.10` the actual image that you are seeing this behavior with? Let me know.

Thanks,
Rashmi

Comment 2 Rashmi Gottipati 2022-06-24 19:32:02 UTC
Ah, never mind. I'm able to reproduce this issue.

Comment 3 Rashmi Gottipati 2022-07-06 17:28:49 UTC
Created PR https://github.com/operator-framework/operator-sdk/pull/5931 to fix this bug.

Comment 4 Rashmi Gottipati 2022-07-06 17:29:05 UTC
Created PR https://github.com/operator-framework/operator-sdk/pull/5931 to fix this bug.

Comment 5 Rashmi Gottipati 2022-07-08 16:10:20 UTC
https://github.com/operator-framework/operator-sdk/pull/5931 is merged upstream, so this should add the SecurityContext config to the registry pod configuration.

Comment 7 Fan Jia 2022-07-12 06:20:49 UTC
operator-sdk version: "v1.22.0-21-ge7c9b74e", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "linux", GOARCH: "amd64"

test result:
/apis/apps/v1/namespaces/test123/deployments/blacklist-controller-manager would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/deployments would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/test123/replicasets would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/batch/v1/namespaces/test123/jobs would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "util", "pull", "extract" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "util", "pull", "extract" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "util", "pull", "extract" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "util", "pull", "extract" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

The registry pod meets the security request. Will add a new bug to trace the other pods' security context problem.

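The PodSecurity "restricted" findings quoted in the comment above name four fields (runAsNonRoot, allowPrivilegeEscalation, capabilities.drop, seccompProfile.type). The following is an added example, not code from the bug report or from operator-sdk: a small offline check that applies those four rules to a Pod object, shown against a constructed stand-in for the registry pod with `securityContext: {}` and against the same pod with the fields filled in. The container name `registry` and the image name are assumptions.

```python
# Added example: mirrors the four PodSecurity "restricted:v1.24" rules quoted
# in this bug. Pod objects below are constructed, not captured from a cluster.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _ctx(obj: dict) -> dict:
    """securityContext of a pod spec or container; {} when absent/null."""
    return obj.get("securityContext") or {}


def pod_security_violations(pod: dict) -> list[str]:
    """Return restricted-profile findings for every container of one Pod.

    runAsNonRoot and seccompProfile may be set at pod level and inherited by
    containers that do not override them; allowPrivilegeEscalation and
    capabilities.drop are container-level fields only.
    """
    spec = pod["spec"]
    pod_ctx = _ctx(spec)
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx, name = _ctx(c), c["name"]
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot != true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation != false")
        if "ALL" not in (ctx.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile")) or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed stand-in for the registry pod before the fix (securityContext: {}).
REGISTRY_POD_BEFORE = {"spec": {
    "securityContext": {},
    "containers": [{"name": "registry", "image": "example.invalid/bundle:v4.10"}],
}}

# Same pod with the pod-level and container-level fields the profile asks for.
REGISTRY_POD_AFTER = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "registry", "image": "example.invalid/bundle:v4.10",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}
```

Running it on a live object is `pod_security_violations(json.loads(subprocess.check_output(["oc", "get", "pod", NAME, "-o", "json"])))`; an empty list means the pod would be admitted under the restricted profile for these four checks.
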
Comment 8 Fan Jia 2022-07-12 07:29:46 UTC
The epic created to track this delivery in 4.12: https://issues.redhat.com/browse/OLM-2600

Comment 9 Rashmi Gottipati 2022-07-12 12:33:12 UTC
Thanks for confirming. As I've mentioned in offline chat, the registry pod created by SDK during `run bundle` meets the security requirements, and the other pods generated by OLM need to meet the security requirements.

Comment 13 errata-xmlrpc 2023-01-17 19:49:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

